/usr/share/thpot/lib/thpfunc.pl is in tinyhoneypot 0.4.6-10.
This file is owned by root:root, with mode 0o644.
# /usr/local/thp/thpfunc.pl version 0.4.4
use POSIX qw(strftime);
# Functions for use in thp 0.4.x, a component of the thp
# honeypot kit.
#
# Copyright George Bakos - alpinista@bigfoot.com
# July 15, 2002
# This is free software, released under the terms of the GNU General
# Public License available at http://www.fsf.org/licenses/gpl.txt
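# Resolve the IPv4 address bound to the interface named in the global $intf.
# Sets the global $thpaddr to the first dotted quad found in the ifconfig
# output, or leaves it 0 when $intf is not a plain interface name, the
# command cannot be run, or no address appears.  The raw command output is
# left in the global $reply as before.  The value is also returned.
# $intf is accepted only as a bare word (\A\w+\z), and ifconfig is started
# in list form so the name is never interpreted by a shell.
sub getip {
    our ( $intf, $thpaddr, $reply );
    $thpaddr = 0;
    $reply   = '';
    # \z rather than $: the latter would also accept "eth0\n".
    return $thpaddr unless defined $intf && $intf =~ /\A\w+\z/;
    # List-form pipe open: no shell is involved, so even a relaxed pattern
    # above could not turn $intf into an injected command.
    my $pid = open my $ifc, '-|', '/sbin/ifconfig', $intf;
    return $thpaddr unless $pid;
    $reply = do { local $/; <$ifc> };
    close $ifc;    # child exit status is irrelevant; empty output is handled below
    $reply = '' unless defined $reply;
    # First dotted quad anywhere in the output, as the original pattern did.
    if ( $reply =~ /\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b/ ) {
        $thpaddr = $1;
    }
    return $thpaddr;
}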
# Since our SIDs are hex concatenations of unix time in seconds & microseconds,
# we need a way to pull hi-resolution timestamps. Otherwise, we settle for
# one-second accuracy, possibly leading to some mangled session logging.
# If Time::HiRes is available, our lives are easy. If not, lets see if the
# necessary headers are available for a gettimeofday() syscall. If that
# bombs too, we're stuck with plain ol' time. :-p
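# Fill the globals $timestp and $shorttime with the current time.
# $shorttime is whole seconds since the epoch; $timestp is the hex form of
# the seconds immediately followed by the hex form of the microseconds, which
# opncaplog uses as the session id.  Sources, best first:
#   1. Time::HiRes::gettimeofday()  (core module since Perl 5.8)
#   2. raw gettimeofday(2) through sys/syscall.ph
#   3. time() -- one-second resolution, so $timestp equals $shorttime
# Dies only if the raw syscall path is taken and the syscall fails.
# Returns nothing; the results are in the globals.
sub gettime {
    our ( $timestp, $shorttime );
    my ( $secs, $usecs );
    if ( eval { require Time::HiRes; 1 } ) {
        Time::HiRes->import;
        ( $secs, $usecs ) = Time::HiRes::gettimeofday();
    }
    elsif ( eval { require 'sys/syscall.ph'; 1 } ) {
        # struct timeval is two native longs (tv_sec, tv_usec) on the ABIs
        # where sys/syscall.ph is generated; 'L!' sizes the buffer to the
        # platform so a 64-bit kernel does not write past an 8-byte scalar.
        # NOTE(review): assumes ILP32/LP64 layout -- not valid on x32.
        my $tv = pack( 'L!L!', 0, 0 );
        # 0 is the NULL timezone pointer; undef here only drew a warning.
        syscall( SYS_gettimeofday(), $tv, 0 ) >= 0
            or die "gettimeofday: $!";
        ( $secs, $usecs ) = unpack( 'L!L!', $tv );
    }
    else {
        $shorttime = $timestp = time();
        return;
    }
    # '%.X' is the historical format: precision 0 prints nothing for a zero
    # value, so ids are not fixed width.  Kept for log compatibility.
    $timestp   = sprintf( '%.X%.X', $secs, $usecs );
    $shorttime = $secs;
    return;
}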
# signal handlers
# Use a SIGALRM to limit time of execution of each script
# Since $sid is only used to label the caplog entry (once
# things get going) we can here add a comment to it and exit
# with a nonzero value.
# It's a bit of a kludge; please improve on this, folks.
# SIGALRM handler: the per-session time limit has expired.  Tag the global
# $sid so the caplog entry shows the timeout, write the closing caplog
# record, release the CAPLOG handle and leave with a distinctive status.
sub closeout {
    $sid .= " - timeout";
    clcaplog();
    close CAPLOG;
    exit 5;
}
# Route SIGALRM, which caps each script's run time, to closeout() so a
# timed-out session still gets its closing caplog record.
$SIG{'ALRM'} = \&closeout;
# Here, we manage the caplog file, which tracks all sessions
# Begin a session: stamp it, derive its id and session log path, and write
# the opening caplog record.  Works entirely through globals that the rest
# of thp reads:
#   $start   - session start in whole seconds, used by clcaplog for ET
#   $sid     - session id (hex timestamp, plus ".$svcname" when set)
#   $sesslog - "$logdir/$sid", the per-session capture file
#   @capdata - in "single" log mode, the fields clcaplog prints
# If $logdir is not a directory the failure is recorded in ERRLOG and the
# process ends through closeout().
sub opncaplog {
    gettime();
    $start = $shorttime;
    $sid   = $timestp;
    $sid   = "$sid.$svcname" if $svcname;

    unless ( -d "$logdir" ) {
        $now = strftime "%a %b %e %H:%M:%S %Y", localtime;
        print ERRLOG "$now\tCannot create session directory since $logdir is not a valid directory.\n";
        closeout();
        # closeout() exits; this is the safety net should it ever return,
        # since nothing can be logged without a session directory.
        exit(1);
    }
    $sesslog = "$logdir/$sid";
    # TODO: Consider separating sessions per source address, perhaps as an
    # option (from simple honeypot):
    #   if ( -d "$logdir/$saddr" ) {
    #       $sesslog = "$logdir/$saddr/$sid";
    #   } else {
    #       # TODO: check that $saddr is safe before interpolating it into
    #       # a path or a shell command
    #       `mkdir $logdir/$saddr`;
    #       $sesslog = "$logdir/$saddr/$sid";
    #   }

    my $stamp = strftime( "%b %d %T", localtime );
    if ( $logtype eq "single" ) {
        @capdata = ( $stamp, "SID=$sid", "PID=$procid", "SRC=$saddr", "SPT=$sport" );
    }
    else {
        print CAPLOG "\n", $stamp, " start thp SID $sid, UNIX pid $procid source $nsdata[4]\n";
    }
}
# End a session: write the closing caplog record and, when available, the
# elapsed time and the byte count of the session log.  Reads the globals set
# by opncaplog ($start, $sid, $sesslog, @capdata, $logtype) and sets $end,
# $eltime, $etstr and $size along the way.
# In "single" mode everything is gathered in @capdata and printed as one
# line; otherwise each item becomes its own line in CAPLOG.
sub clcaplog {
    gettime();
    $end    = $shorttime;
    $eltime = $end - $start;
    my $multiline = ( $logtype ne "single" );

    print CAPLOG strftime( "%b %d %T", localtime ), " end thp SID $sid\n" if $multiline;

    if ( $eltime > 0 ) {
        # %T of gmtime(seconds) renders the elapsed time as HH:MM:SS; the
        # day component is dropped for sessions longer than 24h.
        $etstr = strftime( "%T", gmtime($eltime) );
        push @capdata, "ET=$etstr";
        print CAPLOG "\t- elapsed time ", $etstr, "\n" if $multiline;
    }
    # -s is undef for a missing file and false for an empty one; in both
    # cases the BYTES field is simply omitted.
    if ( $size = -s $sesslog ) {
        push @capdata, "BYTES=$size";
        print CAPLOG "\t- total $size bytes\n" if $multiline;
    }
    print CAPLOG "@capdata\n" unless $multiline;
}