--- thp-0.4.6.orig/thpfunc.pl +++ thp-0.4.6/thpfunc.pl @@ -8,12 +8,17 @@ # This is free software, released under the terms of the GNU General # Public License avaiable at http://www.fsf.org/licenses/gpl.txt +use POSIX qw(strftime); + sub getip { -$reply = `/sbin/ifconfig $intf`; -if ($reply =~ /^.*?\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b.*/is) { - $thpaddr = $1 -} + $thpaddr = 0; + if ( $intf =~ /^\w+$/ ) { + $reply = `/sbin/ifconfig $intf`; + if ($reply =~ /^.*?\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b.*/is) { + $thpaddr = $1 + } + } } # Since our SIDs are hex concatanations of unix time in seconds & microseconds, @@ -67,7 +72,28 @@ if ($svcname) { $sid="$sid.$svcname"} - $sesslog="$logdir/$sid"; + if ( -d "$logdir" ) { + $sesslog="$logdir/$sid"; + } else { + $now = strftime "%a %b %e %H:%M:%S %Y", localtime; + print ERRLOG "$now\tCannot create session directory since $logdir is not a valid directory.\n"; + closeout(); +# Unfortunatly, we should break at this point since we cannot log the +# connections. + exit(1); + } + +# TODO: Consider using the following code (to separate per address, maybe +# as an option?) +# (from simple honeypot) +# if ( -d "$logdir/$saddr"){ +# $sesslog="$logdir/$saddr/$sid"; +# } else { +#TODO: this should check if $saddr is safe before doing this +# `mkdir $logdir/$saddr`; +# $sesslog="$logdir/$saddr/$sid"; +# } + if ($logtype eq "single") { @capdata = ((strftime("%b %d %T", localtime(time))), ("SID=$sid"), ("PID=$procid"), ("SRC=$saddr"), ("SPT=$sport")); --- thp-0.4.6.orig/thp.conf +++ thp-0.4.6/thp.conf @@ -28,13 +28,15 @@ $domain = "localdomain"; # location of thp scripts, libs, etc. -$thpdir = "/usr/local/thp"; +$thpdir = "/usr/share/thpot"; # Directory for all logging. Should be mode 0700 nobody:nobody -$logdir = "/var/log/hpot"; +$logdir = "/var/log/thpot"; # Specific name for the master logfile. $logfile = "$logdir/captures"; +# Specific name for errors +$errfile = "$logdir/errors"; # Log format - "single" or "multi". Single line format is easier to parse, but # does not make any entry into the capture log until the session is complete. @@ -54,17 +56,18 @@ $prompt = "[root\@$hostname root]# "; # ftp server version choices (edit them if you like) -my $fver1 = "FTP server (Version wu-2.6.0(1))"; -my $fver2 = "FTP server (Version wu-2.6.1(2))"; -my $fver3 = "FTP server (Version wu-2.6.1-16)"; -my $fver4 = "FTP server (BSDI Version 7.00LS)"; -my $fver5 = "FTP server (PFTP 0.13)"; -my $fver6 = "NcFTPd Server"; -my $fver7 = "Microsoft FTP Service (Version 5.0)"; -my $fver8 = "Microsoft FTP Service (Version 4.0)"; +my @fver; +$fver[1] = "FTP server (Version wu-2.6.0(1))"; +$fver[2] = "FTP server (Version wu-2.6.1(2))"; +$fver[3] = "FTP server (Version wu-2.6.1-16)"; +$fver[4] = "FTP server (BSDI Version 7.00LS)"; +$fver[5] = "FTP server (PFTP 0.13)"; +$fver[6] = "NcFTPd Server"; +$fver[7] = "Microsoft FTP Service (Version 5.0)"; +$fver[8] = "Microsoft FTP Service (Version 4.0)"; # ftp version to emulate: -$ftpver = $fver3; +$ftpver = $fver[int(rand(@fver-1))+1]; # Should we allow ftp data connections? # 0 = no @@ -91,6 +94,23 @@ $httpdver = "1.3.9"; #$httpdver = "1.3.19"; +# sshd version to emulate: +my @sver; +$sver[1] = "SSH-1.5-1.2.26"; +$sver[2] = "SSH-1.5-1.2.27"; +$sver[3] = "SSH-2.0-OpenSSH_3.4p1"; +$sshver = $sver[int(rand(@sver-1))+1]; + +#smtp version to emulate +my @smver; +$smver[1] ="ESMTP Sendmail 8.12.2/8.12.2/SuSE Linux 0.6;"; +$smver[2] ="ESMTP Exim 3.12 #1"; +$smver[3] ="ESMTP Sendmail 8.9.3/8.9.3/Debian 8.9.3-21;"; +$smver[4] ="ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2653.13)"; +$smver[5] ="ESMTP Sendmail 8.11.6/8.11.6;"; +$smtpver = $smver[int(rand(@smver-1)) + 1]; + + # If an attacker is looking for Windows files specifically, should thp accommodate # them, even if your $httpdvend (above) is something else? --- thp-0.4.6.orig/shpot_analizer.pl +++ thp-0.4.6/shpot_analizer.pl @@ -0,0 +1,156 @@ +#!/usr/bin/perl +#version 0.02 +#Author Luis Wong +#ONLY change log_file if is needed and parser_output_dir +use File::Copy; + +$log_file = '/var/log/shpot/captures'; +$parser_output_dir = '/var/www/shpot'; +$log_dir = '/var/log/shpot'; + +unless (-e $parser_output_dir && -d $parser_output_dir) { + mkdir ("$parser_output_dir"); +} + +open( LOG_FILE, "<", "$log_file" ) + or die "No log file exists $!\n"; + +sub time_log { + ($null,$minute,$hour,$day,$month,$year,$null,$null,$null)=localtime(time); + + if ($hour < 12) { + $ampm = "am"; + } else { + $ampm = "pm"; + } + if ($hour == 12) { + $hour=$hour; + } elsif ($hour == 0) { + $hour = $hour + 12; + } elsif ($hour > 12) { + $hour = $hour - 12; + } + if ($minute < 10) { + $minute = "0$minute"; + } + $year = $year + 1900; + + $month = $month + 1; + @months = qw(January February March April May June July August September October November December); + $written_month = $months[$month - 1]; +} + +sub log_byip { + print "Staring Logs ...\n"; + &working(); + print "\n"; + $htmlbyip=("$parser_output_dir/ip-log.html"); + open( HTMLbyIP, ">", "$htmlbyip" ); + select HTMLbyIP; + print "Shoneypot Log Report $written_month $day\, $year $hour\:$minute$ampm \n"; + print " + +

Shoneypot Reporter

Log Date\: $written_month $day\, $year $hour\:$minute$ampm

\n"; + print "
\n"; + + foreach $file (<$log_dir/*>) { + print ""; + foreach $infile (<$file/*>){ + print ""; + } + } + print "
\n"; + print split("$log_dir/",$file) ; + print "
Go -->"; + print split ("$log_dir/",$infile); + print "
\n"; + print "


This log is brought to you by shoneypot http://sourceforge.net/projects/single-honeypot lwong@mpsnet.net.mx
\n"; + close(HTMLbyIP); +} + +sub log_analizer { + print "&working() log analizer ...\n"; + $html=("$parser_output_dir/$written_month-$day-$year.html"); + open( HTML, ">", "$html" ); + select HTML; + + + print "Shoneypot Log Report $written_month $day\, $year $hour\:$minute$ampm \n"; + + print " + +

Shoneypot Reporter

Log Date\: $written_month $day\, $year $hour\:$minute$ampm View by ip

\n"; + + print "
\n"; + print ""; + + print "\n" ; + print "\n"; +print "\n"; + print "\n"; + print "\n"; + print "\n"; + print "\n"; + print "\n"; + + $tr_alternate = 0; + +# Begin parsing of log data + + while ($line = ){ + $line =~ /(\w+\s+\w+)\s+(\w+\:\w+\:\w+)\s+(\w+\s+\w+\s+\w+)\s+(\w+\.\w+.\w+.\w+)(\W+)(\w+\.\w+)(\W+)\s+(\w+\s+\w+\s+\w+\s+\w+)\s+(\w+\.\w+\.\w+\.\w+\:\w+)\s+(\w+\s+\w+)\s+(\w+\:\w+\:\w+)\s+(\w+\s+\W+\w+\s+\w+)\s+(\w+\:\w+\:\w+)\s+(\W+\w+)\s+(\w+\s+\w+)/; + + if(($3 ne '') or ($4 ne '') or ($9 ne '')){ + $tr_alternate = $tr_alternate + 1; + if ($tr_alternate == 1) { + print ""; + $tr_alternate = $tr_alternate - 2; + } + print "\n"; + print "\n"; + print "\n"; + print "\n"; + print "\n"; + print "\n"; + print "\n"; + print "\n"; + } + } + print "
 Time     
DateStartEndActionIP : source PORTMore of this IPElapsed timeTotal transferer
$1$2$11$4 $5 $6 $9$4$13$15
\n"; + print "


This log is brought to you by shoneypot http://sourceforge.net/projects/single-honeypot lwong@mpsnet.net.mx
\n"; + + +} + +sub working { + + $| = 1; + @anim= ("\\","|","/","-","\\","|","/","-"); + + print "\tWorking "; + + for($x=0;$x<5;$x=$x+1){ + + for ($y=0;$y<8;$y=$y+1){ + print "\b" . $anim[$y]; + select (undef,undef,undef,0.1); + if ($y==8){ $y=0}; + } + } + print "\n!Done"; +} + + +&time_log(); +&log_byip(); +&log_analizer(); + + + + + + + + + + --- thp-0.4.6.orig/ls.txt +++ thp-0.4.6/ls.txt @@ -0,0 +1,101 @@ +total 1416 +drwxr-x--- 36 root root 4096 jul 30 11:49 . +drwxr-xr-x 20 root root 4096 jul 29 10:43 .. +drwx------ 2 root root 4096 jun 25 13:05 .AbiSuite +-rw------- 1 root root 15348 jul 30 10:55 .bash_history +-rw-r--r-- 1 root root 24 jun 10 2000 .bash_logout +-rw-r--r-- 1 root root 234 jul 5 2001 .bash_profile +-rw-r--r-- 1 root root 176 ago 23 1995 .bashrc +drwxr-xr-x 4 root root 4096 jul 24 11:48 .cpan +-rw-r--r-- 1 root root 210 jun 10 2000 .cshrc +-rw-r--r-- 1 root root 96 may 13 11:29 .emacs +-rw-r--r-- 1 root root 60 may 8 10:24 .emacs~ +-rw-r--r-- 1 root root 62 may 8 10:20 .emacs-places +drwxr-xr-x 3 root root 4096 jul 9 23:20 ftp.openbsd.org +drwx------ 3 root root 4096 jul 19 13:19 .Gabber +drwx------ 2 root root 4096 jul 19 13:19 .Gabber-spool +-rw------- 1 root root 902 jul 24 15:21 .gaimrc +drwx------ 4 root root 4096 jul 22 16:10 .gconf +drwx------ 2 root root 4096 jul 22 16:10 .gconfd +drwx------ 2 root root 4096 jul 30 10:18 .gftp +drwxr-xr-x 17 root root 4096 jun 24 13:11 .gimp-1.2 +drwx------ 3 root root 4096 jul 26 15:53 .gnome +drwx------ 2 root root 4096 jul 24 10:06 .gnome_private +drwx------ 2 root root 4096 jul 22 15:14 .gnupg +drwxr-xr-x 4 root root 4096 may 7 15:07 .gqview +drwxr-xr-x 2 root root 4096 may 10 14:35 gtk +drwxr-xr-x 2 root root 4096 may 10 14:35 .gtk +-rw------- 1 root root 0 jul 1 11:09 .ICEauthority +drwxr-xr-x 2 root root 4096 may 7 15:31 ideb +-rw-r--r-- 1 root root 9433 jun 11 12:48 ipcalc.pl +drwxr-xr-x 4 root root 4096 jul 1 11:08 .kde +drwxr-xr-x 3 root root 4096 may 31 14:19 .kde2 +-rw-r--r-- 1 root root 13824 jul 17 12:01 lan.doc +drwx------ 2 root root 4096 may 28 10:51 .links +-rw-r--r-- 1 root root 4380 jul 4 10:00 .listing +drwx------ 2 root root 4096 jun 6 12:40 mail +drwx------ 2 root root 4096 may 6 13:23 Mail +-rw-r--r-- 1 root root 1497 may 31 14:26 .mailcap +-rw------- 1 root root 960047 jun 13 12:15 mbox +drwxr-xr-x 2 root root 4096 jul 16 12:01 .mc +-rw------- 1 root root 32 may 30 12:22 .MCOP-random-seed +-rw-r--r-- 1 root root 11 may 6 13:23 .mh_profile +-rw-r--r-- 1 root root 635 may 31 14:26 .mime.types +drwxr-xr-x 2 root root 4096 abr 29 12:39 .mozilla +-rw------- 1 root root 491 jul 24 13:05 .mysql_history +drwxr-xr-x 2 root root 4096 jul 24 14:19 .ncftp +drwxr-xr-x 5 root root 4096 jun 12 10:28 .netscape +drwxr-xr-x 3 root root 4096 may 31 14:19 .netscape6 +-rw-r--r-- 1 root root 3323 jun 11 13:01 network.pl +drwx------ 2 root root 4096 may 10 12:58 nsmail +drwxr-xr-x 6 root root 4096 may 31 14:28 OpenOffice.org1.0 +-rw------- 1 root root 14672 jun 6 12:40 .pinerc +-rw-r--r-- 1 root root 13824 jul 9 10:37 proxy.doc +drwxr--r-- 4 root root 4096 may 21 15:05 .rav8 +-rwxrwxrwx 1 root root 21276 may 22 14:25 reglas +-rw-r--r-- 1 root root 291 may 22 14:36 reglas.pl +-rw-r--r-- 1 root root 126 abr 30 12:30 .saves-1150-localhost.localdomain~ +-rw-r--r-- 1 root root 68 jun 12 13:45 .saves-12752-lwong.mpsnet.net.mx~ +-rw-r--r-- 1 root root 208 may 13 11:00 .saves-14716-lwong.mpsnet.net.mx~ +-rw-r--r-- 1 root root 38 may 13 11:00 .saves-14965-lwong.mpsnet.net.mx~ +-rw-r--r-- 1 root root 100 may 10 14:41 .saves-1556-lwong.mpsnet.net.mx~ +-rw-r--r-- 1 root root 162 may 15 14:25 .saves-17057-lwong.mpsnet.net.mx~ +-rw-r--r-- 1 root root 204 jul 30 10:33 .saves-18182-lwong.mpsnet.net.mx~ +-rw-r--r-- 1 root root 152 jul 30 12:01 .saves-18447-lwong.mpsnet.net.mx~ +-rw-r--r-- 1 root root 72 jul 30 11:49 .saves-18744-lwong.mpsnet.net.mx~ +-rw-r--r-- 1 root root 822 may 8 12:13 .saves-3977-lwong.mpsnet.net.mx~ +-rw-r--r-- 1 root root 616 may 10 13:39 .saves-5427-lwong.mpsnet.net.mx~ +-rw-r--r-- 1 root root 352 jun 4 12:16 .saves-5446-lwong.mpsnet.net.mx~ +-rw-r--r-- 1 root root 668 may 9 15:08 .saves-5903-lwong.mpsnet.net.mx~ +-rw-r--r-- 1 root root 108 jun 20 15:38 .saves-5954-lwong.mpsnet.net.mx~ +-rw-r--r-- 1 root root 420 jun 14 15:23 .saves-7005-lwong.mpsnet.net.mx~ +drwxr-xr-x 2 root root 4096 may 23 11:19 simplefirewall-beta-stable +drwx------ 2 root root 4096 jun 11 14:49 .ssh +-rw-r--r-- 1 root root 65 may 31 14:28 .sversionrc +-rw-r--r-- 1 root root 196 jul 11 2000 .tcshrc +-rw-r--r-- 1 root root 5477 jun 11 13:47 test1.pl +-rw-r--r-- 1 root root 531 may 8 14:58 test.pl +-rw-r--r-- 1 root root 2048 may 31 14:25 .user60.rdb +drwxr-xr-x 4 root root 4096 may 7 11:54 vmware +drwxr-xr-x 2 root root 4096 may 9 15:05 .vmware +-rw-r--r-- 1 root root 6 jul 24 10:03 .wmrc +drwx------ 2 root lwong 4096 abr 29 10:57 .xauth +-rw------- 1 root root 50 jul 5 11:20 .xauth3KActA +-rw------- 1 root root 50 jul 8 11:32 .xauth7594yc +-rw------- 1 root root 50 jul 5 11:14 .xauth89M0vj +-rw------- 1 root root 50 jun 12 13:18 .xauthcJGgxd +-rw------- 1 root root 50 jul 8 10:20 .xauthdljiQQ +-rw------- 1 root root 50 jul 5 10:14 .xauthFt555r +-rw------- 1 root root 50 jun 12 12:32 .xauthFUGR5v +-rw------- 1 root root 50 jul 5 11:24 .xauthGLtaUb +-rw------- 1 root root 50 jul 30 10:24 .xauthgw0sDk +-rw------- 1 root root 50 jul 8 09:49 .xauthmR81lp +-rw------- 1 root root 50 may 8 10:16 .xauthnsD70I +-rw------- 1 root root 50 jun 3 09:28 .xauthNYkTiC +-rw------- 1 root root 0 jul 24 14:17 .Xauthority +-rw------- 1 root root 50 may 8 11:28 .xauthtR34P1 +-rw------- 1 root root 50 jul 5 11:21 .xauthwxVFwm +-rw------- 1 root root 50 jul 30 11:26 .xauthxnXTPf +-rw-r--r-- 1 root root 129 jul 18 15:28 .xinerc +-rw-r--r-- 1 root root 1126 ago 23 1995 .Xresources +-rw------- 1 root root 85 jul 24 10:03 .xsession-errors --- thp-0.4.6.orig/logthis +++ thp-0.4.6/logthis @@ -11,7 +11,11 @@ # This is free software, released under the terms of the GNU General # Public License avaiable at http://www.fsf.org/licenses/gpl.txt -$thpdir="/usr/local/thp"; +use POSIX qw(strftime); +use Getopt::Std; +# Options: +# - d : debug +getopts('d'); $svcname = $ARGV[0]; $procid = $$; $ENV{'PATH'} = '/bin:/usr/bin:/sbin:/usr/sbin'; @@ -19,40 +23,100 @@ @nsdata = split(" ",`netstat -tnp 2>/dev/null | grep $procid/perl`); ($saddr, $sport) = split /:/,$nsdata[4]; -do "$thpdir/thp.conf"; -foreach $file (<$thpdir/lib/*.pl>) { - do "$file"; +# TODO, consider setting up debug if $sport or $saddr are undefined +# (calling from the command line) + +# We create a new descriptor for debugging purposes +if ( $opt_d ) { + *DEBUG = *STDOUT; +} else { + open(DEBUG, ">/dev/null"); +} +if ( defined ( $saddr ) && defined ( $sport ) ) { + print DEBUG "DEBUG: Called with process id $procid (source address: $saddr, source port: $port), arguments: @ARGV\n"; +} else { + print DEBUG "DEBUG: Called with process id $procid (possibly from command line), with arguments: @ARGV\n"; +} + +$return = do "/etc/thpot/thp.conf"; +# TODO: This error checking should be sent somewhere if not running +# from the CLI. +print DEBUG "DEBUG: Could not read the configuration file $file: $!\n" unless defined $return; + +# Define thpdir direclty: +$thpdir = "/usr/share/thpot"; +# Use only for testing (locally) purposes: +#$thpdir="."; + + +foreach $file (<$thpdir/lib/*.pl>) { + $return = do $file; + print DEBUG "DEBUG: Couldn't parse $file: $@\n" if $@; +# TODO: Should these be considered? +# warn "couldn't do $file: $!" unless defined $return; +# warn "couldn't run $file" unless $return; } alarm $timeout; -use POSIX qw(strftime); - if ($allowftpdata == "0") { $thpaddr="127.0.0.1"; } elsif (!"$thpaddr") { $thpaddr = getip(); } +if ( ! $errfile ) { + print DEBUG "DEBUG: Error file is not defined, aborting.\n"; + exit (1); +} +if ( ! $logfile ) { + print DEBUG "DEBUG: Log file is not defined, aborting.\n"; + exit (1); +} + +open(ERRLOG, ">>$errfile"); open(CAPLOG, ">>$logfile"); opncaplog(); - # Redirect STDOUT to lessen the liklihood of an attacker fooling thp into # returning something useful to him. open(NEWOUT, ">/dev/null") || die; *STDOUT = *NEWOUT; -if (!"$svcname") { - nullresp(); -} elsif ($svcname =~ /shell|ftp|http|mssql|smtp|pop3/) { - &$svcname(); +$null = 0; +$error = ""; +# Check if this is a known service ( there is a function with that +# name in the library) +print DEBUG "DEBUG: Will call service $svcname\n"; +if ($svcname =~ /shell|ftp|http|mssql|smtp|pop3|ssh/ ) { + if ( defined(&$svcname) ) { + &$svcname(); + } else { + $error="Function $svcname is not defined, there might have occured an error loading the modules, will call nullresp()\n"; + $null = 1; + } } else { - nullresp(); + $null = 1 ; +} +if (!"$svcname") { + $null = 1 ; + $error = "Service is undefined\n"; } +# Call nullresponse if needed +if ( $null == 1 ) { + print DEBUG "DEBUG: $error\n"; + print ERRORLOG "ERROR: $error\n"; + print DEBUG "DEBUG: Calling nullresponse\n"; + nullresp(); +} + +# Close file descriptors in use close NEWOUT; +close DEBUG; clcaplog(); close(CAPLOG); +close(ERRLOG); +exit (0); --- thp-0.4.6.orig/debian/dirs +++ thp-0.4.6/debian/dirs @@ -0,0 +1,6 @@ +usr/bin +usr/sbin +etc/thpot +etc/logrotate.d +var/log/thpot +usr/share/thpot --- thp-0.4.6.orig/debian/thpot.8 +++ thp-0.4.6/debian/thpot.8 @@ -0,0 +1,40 @@ +.TH SHONEYPOT 8 "September 17, 2003" +.SH NAME +thpot \- Tiny honeypot to setup simple (and fake) services +.SH SYNOPSIS +.B thpot [service name] +.SH DESCRIPTION +This manual page documents briefly the +.B thpot +command. +This manual page was written for the Debian distribution +because the original program does not have a manual page. +Instead, it has documentation in the GNU Info format; see below. +.PP +\fBthpot\fP is a program that enables you to fake services by +configuring it to be executed through either \fBxinetd\fP or \fBinetd\fP. +All the connection attempts and sessions to simulated services are logged +under \fB/var/log/thpot\fR. + +.SH OPTIONS +This program takes as argument the name of the service which is +being simulated, it can be anyone of +shell, ftp, http, mssql, smtp, pop3 or ssh. If the service name is +none of these a null response is returned (but the session is logged) +.SH FILES +.TP +.B /var/log/thpot +Location of the connections attempts and sessions to the honeypot services. +.TP +.B /etc/thpot/thp.conf +Configuration for the honeypot +.TP +.B /usr/share/thpot/ +Miscellaneous files and functions used by \fBthpot\fR +.SH SEE ALSO +.BR inetd.conf (5), +.BR inetd (8) +.SH AUTHOR +This manual page was written by +Javier Fernandez-Sanguino Pen~a , +for the Debian GNU/Linux system (but may be used by others). --- thp-0.4.6.orig/debian/thpot.logrotate +++ thp-0.4.6/debian/thpot.logrotate @@ -0,0 +1,8 @@ +/var/log/thpot/captures /var/log/thpot/errors { + monthly + rotate 12 + compress + missingok + create 0640 thpot root +} + --- thp-0.4.6.orig/debian/docs +++ thp-0.4.6/debian/docs @@ -0,0 +1 @@ +READTHIS --- thp-0.4.6.orig/debian/postinst +++ thp-0.4.6/debian/postinst @@ -0,0 +1,46 @@ +#!/bin/sh +# Postint script for tinyhoneypot + +set -e +# New user to create +NUSER=thpot +# User the group belongs to +NUSERGROUP=nogroup +# HOME directory for the user +NUHOME=/usr/share/thpot + +case "$1" in + configure) + if ! getent passwd | grep -q "^$NUSER:"; then + adduser --quiet --system --home $NUHOME \ + --gecos "TinyHoneypot" \ + --gecos "Honeypot user" \ + --disabled-login \ + --disabled-password \ + --no-create-home \ + --home $NUHOME \ + --ingroup $NUSERGROUP \ + --shell /dev/null \ + $NUSER + fi + # Setup the log directory + # TODO: maybe do this only once (if the directory belongs to + # root and the user has just been created) + chown -R $NUSER:root /var/log/thpot + chmod -R o-rwX /var/log/thpot + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# + +exit 0 + --- thp-0.4.6.orig/debian/rules +++ thp-0.4.6/debian/rules @@ -0,0 +1,83 @@ +#!/usr/bin/make -f +# Sample debian/rules that uses debhelper. +# GNU copyright 1997 to 1999 by Joey Hess. + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + + +ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS))) + CFLAGS += -g +endif +ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) + INSTALL_PROGRAM += -s +endif + +configure: configure-stamp +configure-stamp: + dh_testdir + # Add here commands to configure the package. + + touch configure-stamp + + +build: build-stamp +# Check if all libraries are OK (otherwise thpot might not work) + for file in lib/*.pl ; do \ + perl -c $$file >/dev/null 2>&1 || { echo "$$file syntax is not OK" ; exit; }; \ + done + +build-stamp: configure-stamp + dh_testdir + touch build-stamp + +clean: + dh_testdir + dh_testroot + rm -f build-stamp configure-stamp + dh_clean + +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + + install -m755 logthis debian/tinyhoneypot/usr/sbin/thpot + install -m644 thpfunc.pl debian/tinyhoneypot/usr/share/thpot/ + install -m644 thp.conf debian/tinyhoneypot/etc/thpot/ + install -m644 ls.txt fakerpc debian/tinyhoneypot/usr/share/thpot/ + install -m644 debian/thpot.logrotate debian/tinyhoneypot/etc/logrotate.d/thpot + cp -aR lib/ debian/tinyhoneypot/usr/share/thpot/ + + +# Build architecture-independent files here. +binary-indep: build install +# We have nothing to do by default. + +# Build architecture-dependent files here. +binary-arch: build install + dh_testdir + dh_testroot +# TODO: add a note about modifying inetd and maybe do it if asked to +# dh_installdebconf + dh_installdocs + dh_installexamples debian/inetd.conf.sample xinetd.d iptables.rules shpot_analizer.pl + dh_installmenu + dh_installcron + dh_installman debian/thpot.8 + dh_installinfo + dh_installchangelogs CHANGELOG + dh_link + dh_strip + dh_compress + dh_fixperms + dh_perl + dh_installdeb + dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install configure --- thp-0.4.6.orig/debian/postrm +++ thp-0.4.6/debian/postrm @@ -0,0 +1,50 @@ +#! /bin/sh +# postrm script for thpot + +# User to delete +DUSER=thpot + +set -e + +case "$1" in + purge) + # find first and last SYSTEM_UID numbers + for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v "^#"`; do + case $LINE in + FIRST_SYSTEM_UID*) + FIST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='` + ;; + LAST_SYSTEM_UID*) + LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='` + ;; + *) + ;; + esac + done + # remove thpot system account if necessary + if [ -n "$FIST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then + if DUSERID=`getent passwd $DUSER | cut -f 3 -d ':'`; then + if [ -n "$DUSERID" ]; then + if [ "$FIST_SYSTEM_UID" -le "$DUSERID" ] && \ + [ "$DUSERID" -le "$LAST_SYSTEM_UID" ]; then + deluser --quiet $DUSER || true + fi + fi + fi + fi + + ;; + remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + + + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 + +esac + +#DEBHELPER# + +exit 0 --- thp-0.4.6.orig/debian/copyright +++ thp-0.4.6/debian/copyright @@ -0,0 +1,17 @@ +This package was debianized by +Javier Fernandez-Sanguino Pen~a on +Wed, 17 Sep 2003 08:43:34 +0200. + +It was downloaded from http://www.alpinista.org/thp/ +(files available at http://www.alpinista.org/files/thp) + +Upstream Author: George Bakos - alpinista@bigfoot.com + + +Copyright: (c) 2003 George Bakos + +This is free software, released under the tems of the GNU General +Public License, you can find a copy of the license in your +define system at /usr/share/common-licenses or retrieve it +from http://www.gnu.org + --- thp-0.4.6.orig/debian/README.Debian +++ thp-0.4.6/debian/README.Debian @@ -0,0 +1,23 @@ +tiny honeypot for Debian +------------------------ + +This package provides all the scripts to run a simple honeypot but +are not, however, enabled by default. In the future it might be asked +wether the admin wants to setup these services in (x)inetd but, for +the moment, and for security reasons, the tinyhoneypot package will +not activate any of them after installation. + +You can find a sample of the inetd.conf configuration under +/usr/share/doc/tinyhoneypot/examples/. Notice that you are encouraged +to run your honeypots as user 'thpot' (the created by the package). + +In order to help logging creation, the installation script will create +a /var/log/thpot/ directory were scripts can log to. This directory +belongs to the 'thpot' user and introduces a small security risk since +any outside user that connects to the honeypot can fill up +your /var partition (since full captures are kept there). Precaution +is advised, you might want to have that directory in a separate partition +in a production environment. + + -- Javier Fernandez-Sanguino Pen~a , Tue, 18 May 2004 18:58:34 +0200 + --- thp-0.4.6.orig/debian/control +++ thp-0.4.6/debian/control @@ -0,0 +1,16 @@ +Source: thp +Section: admin +Priority: extra +Maintainer: Javier Fernandez-Sanguino Pen~a +Build-Depends: debhelper (>> 3.0.0) +Standards-Version: 3.6.0.1 +Homepage: http://www.alpinista.org/thp/ + +Package: tinyhoneypot +Architecture: any +Depends: ${perl:Depends}, adduser (>= 3.52) +Description: Small honeypot to trap attackers + Small honeypot provides an environment which can be used to + to lure attackers into it. It provides sample responses that simulate + a set of services (http, pop3, ftp, ssh, mssql and shell) and logs all the + connections to these services for later auditing. --- thp-0.4.6.orig/debian/TODO.Debian +++ thp-0.4.6/debian/TODO.Debian @@ -0,0 +1,10 @@ + +- Provide a way for the administrator to setup some honeypots (ask for + which services) through debconf. + +- Review (more) carefully the thpfunc code and try to handle corner + cases which might be potentially dangerous. For example, there is + no limitation for how many logs a service which is accessed to + can add which can lead to Denial of Service due to /var filling up. + +- Create manpage for shpot-analyser --- thp-0.4.6.orig/debian/changelog +++ thp-0.4.6/debian/changelog @@ -0,0 +1,117 @@ +thp (0.4.6-9) unstable; urgency=low + + * Fix error in variable name in lib/smtp.pl (Closes: 607703) + * Lintian fixes: + - debian/changelog: fix typo + - debian/control: Move Homepage to header + * Use debhelper compatibility version 7 + + -- Javier Fernandez-Sanguino Pen~a Wed, 22 Dec 2010 00:55:29 +0100 + +thp (0.4.6-8) unstable; urgency=low + + * Added adduser dependency + + -- Javier Fernandez-Sanguino Pen~a Wed, 11 May 2005 21:08:35 +0200 + +thp (0.4.6-7) unstable; urgency=low + + * Change GECOS of the thpot user + + -- Javier Fernandez-Sanguino Pen~a Thu, 6 Jan 2005 15:05:42 +0100 + +thp (0.4.6-6) unstable; urgency=low + + * Create the 'thp' user with 'nogroup' as group, thanks to + Corey Wright for spotting this (Closes: #263876) + + -- Javier Fernandez-Sanguino Pen~a Fri, 6 Aug 2004 09:24:40 +0200 + +thp (0.4.6-5) unstable; urgency=low + + * Fixed lintian bugs: + - SECTION -> 8 in manpage + - install thpfunc.pl mode 644 + - remove end point in description + + -- Javier Fernandez-Sanguino Pen~a Thu, 5 Aug 2004 20:00:44 +0200 + +thp (0.4.6-4) unstable; urgency=low + + * Added logrotate files (this was in the TODO) + * Create 'thpot' user to avoid giving 'nobody' the capability to + fill in the logs under /var (this was in the TODO) + * Removed DONE items from the TODO :-) + * Updated README.Debian appropiately + + -- Javier Fernandez-Sanguino Pen~a Tue, 18 May 2004 18:53:48 +0200 + +thp (0.4.6-3) unstable; urgency=low + + * Fixed syntax errors in scripts in order to fix file inclusion + (Closes: #215947) + * Modified the logic in thpot (logthis) in order to be able to get + debugging information if run with -d and to determine if modules are + loaded and functions available (otherwise it's difficult to debug + module problems) + * Added a check in 'build' in order to determine if the libraries + to be included in the package are syntactically correct. + * Enabled warning mode and fixed yet more syntax errors: + - Syntax errors in thp.conf ($X is not the same as @X in + scalar context) + - Smtp.pl uses @sendmail instead of \@sendmail + - != instead of ne in shell.pl + + -- Javier Fernandez-Sanguino Pen~a Fri, 17 Oct 2003 20:59:15 +0200 + +thp (0.4.6-2) unstable; urgency=low + + * The "Happy birthday, to me! release" + * Fixed logthis in order to include files from the /usr/share + directory (commented out the thpdir redefeinition) (Closes: #215082) + * Modified xinetd examples so that they can be "dragged and drop" + since they now point to the /usr/sbin/thpot binary directly + + -- Javier Fernandez-Sanguino Pen~a Fri, 10 Oct 2003 17:37:26 +0200 + +thp (0.4.6-1) unstable; urgency=low + + * Initial Release. + * Modified thp.conf so that it is easier to add new service banners and + so that _all_ banners are chosen randomly. + * Greeting program in thp.conf is /bin/false in order to avoid calling + fortunes (will add it to Suggests: in the future) + * Provide a sample inetd.conf but will not add the honeypot directly + into the system (yet) + * Logthis has been renamed to 'thpot' since the name is too generic + * Added a manpage for thpot + * Improvements: + - SMTP banner is not hardcoded (derived from 'simple honeypot') + - Added SSH function (very simple one, but could be used to trap + 0-days) + - Ftp, SSH and SMTP banners are not hardcoded but are changed + randomly in configuration. + - Sanity check in getip just in case intf is not properly defined. + - Added ls output to shell (taken from 'simple honeypot' with some + changes to avoid sending errors) + - Added errorfile to debug problems within the scripts (and avoid + ouputting them to the attacker) + - Added sanity checking in http responses (in case the user has not + defined a proper directory with them) + - Sanity checks on greeting programs (should probably check wether + the first argument is executable) + - Included the analyzer perl script from simple honeypot into the + examples directory. + - lib/httpd modified to use a predefined version of server in case + it is not defined (the user screwed up the config) + - lib/httpd modified to setup a valid version just in case the + remote attacker does not send a valid HTTP header for some reason + - added lib/pop3 (from 'simple honeypot') + - fixed bug in lib/smtp.pl (smtp -> smtphash) + - subsituted the code for lib/smtp.pl with the code from 'simple honeypot' + - removed the exit 0 from lib/http.pl or otherwise the CATALOG will + not be closed (and logs will not be created for the end of a + http connection) + + -- Javier Fernandez-Sanguino Pen~a Wed, 17 Sep 2003 08:43:34 +0200 + --- thp-0.4.6.orig/debian/compat +++ thp-0.4.6/debian/compat @@ -0,0 +1 @@ +7 --- thp-0.4.6.orig/debian/inetd.conf.sample +++ thp-0.4.6/debian/inetd.conf.sample @@ -0,0 +1,5 @@ +ftp stream tcp nowait thpot /usr/sbin/thpot thpot ftp +smtp stream tcp nowait thpot /usr/sbin/thpot thpot smtp +http stream tcp nowait thpot /usr/sbin/thpot thpot http +pop3 stream tcp nowait thpot /usr/sbin/thpot thpot pop3 +shell stream tcp nowait thpot /usr/sbin/thpot thpot shell --- thp-0.4.6.orig/xinetd.d/hpot +++ thp-0.4.6/xinetd.d/hpot @@ -11,7 +11,7 @@ wait = no user = nobody protocol = tcp - server = /usr/local/thp/logthis + server = /usr/sbin/thpot server_args = shell port = 6635 disable = yes --- thp-0.4.6.orig/xinetd.d/thp-pasv +++ thp-0.4.6/xinetd.d/thp-pasv @@ -10,7 +10,7 @@ port = 33701 wait = no user = nobody - server = /usr/local/thp/logthis + server = /usr/sbin/thpot server_args = nullresp nice = 10 disable = yes --- thp-0.4.6.orig/xinetd.d/thp-httpd +++ thp-0.4.6/xinetd.d/thp-httpd @@ -10,7 +10,7 @@ port = 40080 wait = no user = nobody - server = /usr/local/thp/logthis + server = /usr/sbin/thpot server_args = http nice = 10 disable = yes --- thp-0.4.6.orig/xinetd.d/thp-ftpd +++ thp-0.4.6/xinetd.d/thp-ftpd @@ -10,7 +10,7 @@ port = 40021 wait = no user = nobody - server = /usr/local/thp/logthis + server = /usr/sbin/thpot server_args = ftp nice = 10 disable = yes --- thp-0.4.6.orig/lib/ftpport.pl +++ thp-0.4.6/lib/ftpport.pl @@ -20,7 +20,7 @@ %actvhash = ( dir150 => "150 Opening ASCII mode data connection for directory listing.\x0d\x0a", - retr150 => "150 Opening BINARY mode data connection for $arg.\x0d\x0a" + retr150 => "150 Opening BINARY mode data connection for $arg.\x0d\x0a", stor150 => "150 Opening BINARY mode data connection for $arg.\x0d\x0a" ); --- thp-0.4.6.orig/lib/ssh.pl +++ thp-0.4.6/lib/ssh.pl @@ -0,0 +1,15 @@ +sub ssh { + my $textfin = ''; + $textfin = "Protocol mismatch.\n"; + + print STDERR "$sshver\n\n"; + open(LOG, ">>$sesslog"); + while (my $commands = ) { + print LOG $commands; + chomp $commands; + $commands =~ s/\r//; + @commands=split /\s+/,($commands); + } + print STDERR "$textfin"; + close LOG; +} --- thp-0.4.6.orig/lib/thpfunc.pl +++ thp-0.4.6/lib/thpfunc.pl @@ -1,5 +1,6 @@ # /usr/local/thp/thpfunc.pl version 0.4.4 +use POSIX qw(strftime); # Functions for use in thp 0.4.x A component of the thp # honeypot kit. # @@ -10,10 +11,13 @@ sub getip { -$reply = `/sbin/ifconfig $intf`; -if ($reply =~ /^.*?\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b.*/is) { - $thpaddr = $1 -} + $thpaddr = 0; + if ( $intf =~ /^\w+$/ ) { + $reply = `/sbin/ifconfig $intf`; + if ($reply =~ /^.*?\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b.*/is) { + $thpaddr = $1 + } + } } # Since our SIDs are hex concatanations of unix time in seconds & microseconds, @@ -67,7 +71,28 @@ if ($svcname) { $sid="$sid.$svcname"} - $sesslog="$logdir/$sid"; + if ( -d "$logdir" ) { + $sesslog="$logdir/$sid"; + } else { + $now = strftime "%a %b %e %H:%M:%S %Y", localtime; + print ERRLOG "$now\tCannot create session directory since $logdir is not a valid directory.\n"; + closeout(); +# Unfortunatly, we should break at this point since we cannot log the +# connections. + exit(1); + } + +# TODO: Consider using the following code (to separate per address, maybe +# as an option?) +# (from simple honeypot) +# if ( -d "$logdir/$saddr"){ +# $sesslog="$logdir/$saddr/$sid"; +# } else { +#TODO: this should check if $saddr is safe before doing this +# `mkdir $logdir/$saddr`; +# $sesslog="$logdir/$saddr/$sid"; +# } + if ($logtype eq "single") { @capdata = ((strftime("%b %d %T", localtime(time))), ("SID=$sid"), ("PID=$procid"), ("SRC=$saddr"), ("SPT=$sport")); --- thp-0.4.6.orig/lib/shell.pl +++ thp-0.4.6/lib/shell.pl @@ -1,5 +1,8 @@ +use POSIX qw(strftime); + sub shell { $thpath = "$homedir"; + my $lsfile = "/usr/share/thpot/ls.txt"; if ($thpath =~ m/^.*\/([^\/]+)/){ $pathsuffix = $1; } @@ -7,11 +10,14 @@ $shortname = $1; } $prompt = "[root\@${shortname} ${pathsuffix}]# "; - open(GREETING, "$greetbin|"); - while() { - print STDERR $_; + if ( $greeting ne "" ) { + #TODO: This should check wether or not the command succeeds! + open(GREETING, "$greetbin|"); + while() { + print STDERR $_; + } + close(GREETING); } - close(GREETING); print STDERR "$prompt"; @@ -51,13 +57,26 @@ close(LOG); return; - } + } elsif ($command[0] =~ /\bls\b/) { + if ( -f "$lsfile" ) { + open (LS,"<$lsfile"); + while (){ + print STDERR $_; + } + close(LS); + } else { + $DATE = strftime "%a %b %e %H:%M:%S %Y", localtime; + print ERRLOG "$DATE\tCannot find directory listing (in file $lsfil + e)\n"; + print STDERR "ls: $commands[1]: No such file or directory\n;" + } } print STDERR "$prompt"; } } +} - sub changedir{ +sub changedir{ $elements = $_[0] or $elements = "$homedir"; if ($elements =~ /^\/.*/){ $elements =~ s/\///; @@ -80,8 +99,10 @@ $pathsuffix = "/" unless $pathsuffix; $prompt = "[root\@$shortname $pathsuffix]# "; } - sub hostname{ - } + +sub hostname{ + +} %shellhash = ( uname => { --- thp-0.4.6.orig/lib/catchall.pl +++ thp-0.4.6/lib/catchall.pl @@ -2,11 +2,14 @@ $ENV{'PATH'} = '/bin:/usr/bin'; delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'}; - open(GREETING, "$greetbin|"); - while() { - print STDERR $_; + if ( $greeting != "" ) { +#TODO: This should check wether or not the command succeeds! + open(GREETING, "$greetbin|"); + while() { + print STDERR $_; + } + close(GREETING); } - close(GREETING); print STDERR "$prompt"; --- thp-0.4.6.orig/lib/pop3.pl +++ thp-0.4.6/lib/pop3.pl @@ -0,0 +1,53 @@ + +use POSIX qw(strftime); + +sub pop3 { + %pop3hash = ( + dele => "-ERR Incorrect command sequence\x0d\x0a", + list => "-ERR Incorrect command sequence\x0d\x0a", + noop => "-ERR Incorrect command sequence\x0d\x0a", + pass => "-ERR Unknown user or incorrect password\x0d\x0a", + quit => "+OK $hostname.$domain closing connection\x0d\x0a", + retr => "-ERR Incorrect command sequence\x0d\x0a", + rset => "-ERR Incorrect command sequence\x0d\x0a", + stat => "-ERR Incorrect command sequence\x0d\x0a", + top => "-ERR Incorrect command sequence\x0d\x0a", + user => "OK $commands[1] \x0d\x0a", + usernull => "-ERR Parameters required\x0d\x0a" + ); + my $DATE = strftime "%a %b %e %H:%M:%S %Y", localtime; + chomp $DATE; + print STDERR "+OK $hostname.$domain $pop3ver, $DATE -0500 <20020904175615@$hostname.domain>\x0d\x0a\r"; + while (my $commands = ) { + open(LOG, ">>$sesslog"); + print LOG $commands; + chomp $commands; + $commands =~ s/\r//; + @commands=split /\s+/,($commands); + if ($commands[0] =~ /dele|list|noop|retr|rset|stat|top/i) { + print STDERR $pop3hash{$commands[0]}; + sleep 5; + } + elsif($commands[0] =~ /quit/i) { + print STDERR $pop3hash{quit}; + return; + } + elsif($commands[0] =~ /pass/i) { + sleep 3; + print STDERR $pop3hash{pass}; + } + elsif($commands[0] =~ /user/i) { + if($commands[1] eq ''){ + print STDERR $pop3hash{usernull}; + } + else{ + print STDERR "OK $commands[1] \x0d\x0a"; +# print STDERR $pop3hash{user}; + } + } + else { + print STDERR "-ERR Command unrecognized: \"$commands\" \x0d\x0a"; + } + } + close LOG; +} --- thp-0.4.6.orig/lib/smtptab +++ thp-0.4.6/lib/smtptab @@ -21,6 +21,4 @@ fwait HELO /^helo / fwait n $smtp{err503} fwait MAIL FROM: /^mail from: .{256,}/i fwait n $smtp{err553} fwait MAIL FROM: /^mail from: [[:alnum:]]+\x40[[:alnum:]]+/i fwait $smtp{mail} $rpath = $commands[2] - - data . /^\.$/ fwait n $smtp{qwait} --- thp-0.4.6.orig/lib/http.pl +++ thp-0.4.6/lib/http.pl @@ -9,25 +9,45 @@ # sub http { - + my $lcount=0; + open(LOG, ">>$sesslog"); + select LOG; while (my $commands = ) { - open(LOG, ">>$sesslog"); - select LOG; $|=1; print LOG $commands; $lcount++; + last if $lcount > 2; $commands =~ s/\r//; my $commline = "line$lcount"; @$commline = split /\s+/,($commands); + # Sane defaults, in case the user has not configured them + if ( ! defined ( $httpdvend ) ) { + $httpdvend = "Microsoft-IIS"; + $httpdver = "5.0"; + } + # TODO: this should maybe check which httpdvend is defined and + # take a version based on what we have available in respdir + if ( ! defined ( $httpdver ) ) { + $httpdvend = "Microsoft-IIS"; + $httpdver = "5.0"; + } # Should we change labels? If selected in thp.conf, and the intruder is # looking for common Microsoft-IIS resources, this will change the httpd # vendor & version to accomodate them. + if ($line1[1] =~ /(pagerror.gif|\.asp|\.exe|\.htr|\.htx|\.htw|\.com\.dll|\.ida)[$\?%+]?/ && $chameleon eq "yes") { ($httpdvend, $httpdver) = ("Microsoft-IIS", "$chamelver"); } $respdir = "$thpdir/lib/$httpdvend"; + if ( ! -d $respdir ) { + print ERRLOG "$DATE\tCannot open response files for the response dir ($respdir) since it is not a directory.\n"; + # TODO: At this point we should break since we will not be able to provide + # the files, it could be, however, improved to return a standard 404? + closeout(); + exit(1); + } # Has the intruder specified an HTTP version in their request? If not, # the session closes with an error - see err400() @@ -35,8 +55,9 @@ $method = $line1[0]; $resname = $line1[1]; $resname =~ s/^.*\///; + # The default, if not defined in the header + $protover = "HTTP/1.1"; $protover = "$line1[2]" if ($line1[2] =~ /HTTP\/1.[01]$/); - if ($commands =~ /^$/m) { # Check for an acceptable http method. If fatfingered or otherwise unknown, @@ -47,7 +68,6 @@ if ($method !~ /GET|POST|HEAD/ ) { http_hdr("501","Bad Method","text/html"); err501(); - exit 0; # Is the URL too long? Feel free to monkey with this, or ditch it. This # tests the entire URI, not just resource filename. @@ -55,7 +75,6 @@ } elsif ( length($line1[1]) > 255 ) { http_hdr("414","Request-URI Too Large","text/html"); err414(); - exit 0; # Match on resource name. We allow "/" and "index.htm" and "index.html". All # of these will return the content in lib//200. The return headers @@ -75,7 +94,6 @@ } close RESP; print STDERR ($_, "\x0d\x0a"); - exit 0; # If the vendor is IIS and the request contains common default resource # names, this returns the same lib//200 @@ -90,7 +108,6 @@ } close RESP; print STDERR ($_, "\x0d\x0a"); - exit 0; # Here is the text catchall, setting a mimetype of /text/html. @@ -103,7 +120,6 @@ } close RESP; print STDERR "\x0d\x0a\x0d\x0a"; - exit 0; # If the request is for an image, strip off the path and pull it out of # the same lib// directory, modifying the mime type accordingly. @@ -117,15 +133,12 @@ } close RESP; print STDERR "\x0d\x0a\x0d\x0a"; - exit 0; - } else { http_hdr("400","Bad Request","text/html"); err400() } - exit 0; } - close LOG; } + close LOG; } sub http_hdr { --- thp-0.4.6.orig/lib/smtp.pl +++ thp-0.4.6/lib/smtp.pl @@ -1,12 +1,19 @@ sub smtp { + $saidhelo = 0; + $saidmail = 0; $now = strftime("%a, %B %d %Y %T GMT", gmtime(time)); -open (HTAB, "$thpdir/lib/smtptab"); -my @keys = qw( +open (HTAB, "$thpdir/lib/smtptab") ; +if ( $? ne 0 ) { + print ERRORLOG "$now\tCannot open smtptab in $thpdir: $!\n"; + closeout(); +} + +my @keys = qq( state Command - regex + regex newstate continue response @@ -21,7 +28,6 @@ $cnt++; $strcnt = sprintf (qq(%0.2d), $cnt); @_ = split(/\t/, $_, 7); - foreach $key (@keys){ $rules{"$strcnt$key"} = shift @_; } @@ -34,8 +40,8 @@ close HTAB; -%smtp = ( - start => "220 $hostname.$domain ESMTP Sendmail 8.11.2/8.11.2; $now\x0d\x0a", +%smtphash = ( + start => "220 $hostname.$domain $smtpver; $now\x0d\x0a", helo => "250 $hostname.$domain Hello $dom [$saddr], pleased to meet you\x0d\x0a", err501 => "501 5.0.0 Invalid domain name\x0d\x0a", ehlo => qq (250 $hostname.$domain Hello $dom [$saddr], pleased to meet you @@ -68,7 +74,7 @@ 214-2.0.0 STARTTLS 214-2.0.0 For more info use "HELP ". 214-2.0.0 To report bugs in the implementation send email to -214-2.0.0 sendmail-bugs@sendmail.org. +214-2.0.0 sendmail-bugs\@sendmail.org. 214-2.0.0 For local information send email to Postmaster at your site. 214 2.0.0 End of HELP info\x0d\x0a), ehlohlp => qq (214-2.0.0 EHLO @@ -97,9 +103,52 @@ quit => qq (221 2.0.0 $hostname.$domain closing connection\x0d\x0a) ); - $login = 0; + + print STDERR $smtphash{start}; while (my $commands = ) { +%smtphash = ( + auth => "503 AUTH mechanism not available.\x0d\x0a", + badrcpt => "503 5.0.0 Need MAIL before RCPT\x0d\x0a", + badhelo => "503 5.0.0 Polite people say HELO first\x0d\x0a", + data => "354 Enter mail, end with \"\.\" on a line by itself\x0d\x0a", + dataerr => "503 5.0.0 Need MAIL command\x0d\x0a", + datasent => "250 2.0.0 g8684xUD014698 Message accepted for delivery\x0d\x0a", + ehloout => "501 5.0.0 helo requires domain address.\x0d\x0a", + err => "500 5.5.1 Command unrecognized: $commands\x0d\x0a", + etrn => "500 5.5.2 Parameter required\x0d\x0a", + expn => "502 5.7.0 Sorry, we do not allow this operation.\x0d\x0a", + heloerr => "501 5.0.0 Invalid domain name\x0d\x0a", + heloout => "501 5.0.0 helo requires domain address.\x0d\x0a", + heloin => "250 $hostname.$domain Hello $commands[1], pleased to meet you.\x0d\x0a", + mailfrom => "553 5.5.4 $commands[1]... Domain name required for sender address $commands[1]\x0d\x0a", + mailto => "250 2.1.0 $maildata... Sender ok\x0d\x0a", + mail => "501 5.5.2 Syntax error in parameters scanning \"$commands[1]\"\x0d\x0a", + noop => "250 2.0.0 OK.\x0d\x0a", + quit => "220 2.0.0 $hostname.$domain closing connection..\x0d\x0a", + rcptto => "250 2.1.5 $commands[2]... Recipient ok\x0d\x0a", + reset => "250 2.0.0 Reset state.\x0d\x0a", + rset => "250 2.0.0 Reset state\x0d\x0a", + starttls => "454 4.3.3 TLS not available after start..\x0d\x0a", + vrfy => "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery (or try finger).\x0d\x0a", + help => qq(214-2.0.0 $smtpver +214-2.0.0 Topics: +214-2.0.0 HELO EHLO MAIL RCPT DATA +214-2.0.0 RSET NOOP QUIT HELP VRFY +214-2.0.0 EXPN VERB ETRN DSN AUTH +214-2.0.0 STARTTLS +214-2.0.0 For more info use \"HELP \". +214-2.0.0 For local information send email to Postmaster at your site. +214 2.0.0 End of HELP info.\x0d\x0a), + ehlo => "250-ENHANCEDSTATUSCODES +250-8BITMIME +250-SIZE +250-DSN +250-ONEX +250-ETRN +250-XUSR +250 HELP.)\x0d\x0a", + ); open(LOG, ">>$sesslog"); print LOG $commands; select LOG; @@ -107,65 +156,85 @@ chomp $commands; $commands =~ s/\r//; @commands=split /\s+/,($commands); - - if ($commands[0] =~ /user/i && $commands[1] =~ /[[:alnum:]]+/){ - if ($login == 1) { - print STDERR $ftphash{already}; - } else { - $ftpuser = $commands[1]; - $ftphash{user} =~ s/anon/$ftpuser/; - $ftphash{pass} =~ s/anon/$ftpuser/; - print STDERR $ftphash{user}; - } - - } elsif ($commands[0] =~ /pass/i && $commands[1] =~ /[[:print:]]+/) { - if ($login == 1) { - print STDERR $ftphash{already}; - } else { - if ($ftpuser) { - $login = 1; - print STDERR $ftphash{pass}; - } - } - - } elsif ($commands[0] =~ /list|retr|stor/i) { - if ($login == 1) { - $commands[0] =~ tr/A-Z/a-z/; - print STDERR $ftphash{$commands[0]}; - sleep 1; - print STDERR $ftphash{compl}; - } else { - print STDERR $ftphash{nologin}; - } - - } elsif ($commands[0] =~ /help|pasv|port|pwd|syst|rnfr|rnto|mkd|cwd|cdup|type/i) { - if ($login == 1) { - $commands[0] =~ tr/A-Z/a-z/; - print STDERR $ftphash{$commands[0]}; - } else { - print STDERR $ftphash{nologin}; - } - - } elsif ("$commands" =~ /\bsite help\b/i) { - if ($login == 1) { - $commands =~ tr/A-Z/a-z/; - print STDERR $ftphash{"$commands"}; - } else { - print STDERR $ftphash{nologin}; - } - - } elsif ($commands[0] =~ /exit\b|quit\b/i) { - print STDERR $ftphash{quit}; - return; - - } else { - if ($login == 1) { - print STDERR "500 @commands: command not understood.\x0d\x0a"; - } else { - print STDERR $ftphash{nologin}; - } + if ($commands[0] =~ /helo/i){ + if($commands[1] eq ''){ + print STDERR $smtphash{heloout}; + }elsif($commands[1] =~ /[\!\@\#\$\%\^&\*\(\)\|\\,>?\/\"\':;\{\}]/) { + print STDERR $smtphash{heloerr}; + }else{ + print STDERR $smtphash{heloin}; + $saidhelo = 1; + } + } + elsif ($commands[0] =~ /help|reset|noop|auth|starttls|vrfy|expn|etrn|rset/i) { + $commands[0] =~ tr/A-Z/a-z/; + print STDERR $smtphash{$commands[0]}; + sleep 1; + } + elsif($commands[0] =~ /ehlo/i){ + if($commands[1] eq ''){ + print STDERR $smtphash{ehloout}; + }else{ + print STDERR $smtphash{heloin}; + print STDERR $smtphash{ehlo}; + $saidhelo = 1; + } + } + elsif($commands[0] =~ /exit\b|quit\b/i) { + print STDERR $smtphash{quit}; + return; + } + elsif($commands[0] =~ /mail/i) { + $maildata = $commands[2]; + if($commands[2] eq '') { + $maildata = $commands[1]; + if ($commands[1] =~ m@.*from:<(.*)>@i) { + $maildata = $1; + } + } + if($saidhelo == 0) { + print STDERR $smtphash{badhelo}; + }elsif($commands[1] =~ /from:/i) { + if($commands[2] =~ /\@/ || $commands[1]=~ /\@/) { + $saidmail = 1; + print STDERR "250 2.1.0 $maildata... Sender ok\x0d\x0a"; + }else{ + print STDERR "553 5.5.4 $maildata... Domain name required for sender address $maildata\x0d\x0a"; + } + }elsif($saidhelo == 1) { + print STDERR $smtphash{mail}; + } + } + elsif($commands[0] =~ /rcpt/i) { + $maildata = $commands[2]; + if ($commands[1] =~ m@.*to:<(.*)>@i || $commands[2] =~ m@<(.*)>@ ) { + $maildata = $1; + } + if($saidmail == 0) { + print STDERR $smtphash{badrcpt}; + }else{ + if($commands[1] =~ /to:/i && $maildata ne '' ) { + print STDERR "250 2.1.5 $maildata... Recipient ok\x0d\x0a"; + }else{ + print STDERR $smtphash{mail}; + } + } + } + elsif($commands[0] =~ /data/i) { + if($saidmail == 1) { + print STDERR $smtphash{data}; + while () { + last if /^\.\x0d$/; + } + print STDERR $smtphash{datasent}; + }else{ + print STDERR $smtphash{dataerr}; + } + } + else { + print STDERR $smtphash{err}; + } + close LOG; } - close LOG; - } -} +}