Linux vps-61133.fhnet.fr 4.9.0-19-amd64 #1 SMP Debian 4.9.320-2 (2022-06-30) x86_64
Apache/2.4.25 (Debian)
Server IP : 93.113.207.21 & Your IP : 216.73.216.112
Domains :
Cant Read [ /etc/named.conf ]
User : www-data
Terminal
Auto Root
Create File
Create Folder
Localroot Suggester
Backdoor Destroyer
Readme
/
usr /
share /
logwatch /
scripts /
services /
Delete
Unzip
Name
Size
Permission
Date
Action
afpd
3.84
KB
-rwxr-xr-x
2017-01-21 17:44
amavis
176.48
KB
-rwxr-xr-x
2017-01-21 17:44
arpwatch
1.43
KB
-rwxr-xr-x
2017-01-21 17:44
audit
15.59
KB
-rwxr-xr-x
2017-01-21 17:44
automount
5.24
KB
-rwxr-xr-x
2017-01-21 17:44
autorpm
2.25
KB
-rwxr-xr-x
2017-01-21 17:44
barracuda
11.85
KB
-rwxr-xr-x
2017-01-21 17:44
bfd
2.2
KB
-rwxr-xr-x
2017-01-21 17:44
cisco
44.38
KB
-rwxr-xr-x
2016-07-26 19:43
citadel
58.58
KB
-rwxr-xr-x
2017-01-21 17:44
clam-update
6.93
KB
-rwxr-xr-x
2017-01-21 17:44
clamav
6.17
KB
-rwxr-xr-x
2017-01-21 17:44
clamav-milter
4.17
KB
-rwxr-xr-x
2017-01-21 17:44
courier
23.28
KB
-rwxr-xr-x
2017-01-21 17:44
cron
12.58
KB
-rwxr-xr-x
2017-01-21 17:44
denyhosts
1.75
KB
-rwxr-xr-x
2017-01-21 17:44
dhcpd
11
KB
-rwxr-xr-x
2017-01-21 17:44
dirsrv
4.85
KB
-rwxr-xr-x
2017-01-21 17:44
dnssec
4.99
KB
-rwxr-xr-x
2017-01-21 17:44
dovecot
24.72
KB
-rwxr-xr-x
2017-01-21 17:44
dpkg
3.21
KB
-rwxr-xr-x
2017-01-21 17:44
emerge
4.44
KB
-rwxr-xr-x
2017-01-21 17:44
evtapplication
5.92
KB
-rwxr-xr-x
2017-01-21 17:44
evtsecurity
12.7
KB
-rwxr-xr-x
2017-01-21 17:44
evtsystem
14.95
KB
-rwxr-xr-x
2017-01-21 17:44
exim
24.79
KB
-rwxr-xr-x
2017-01-21 17:44
eximstats
1.91
KB
-rwxr-xr-x
2017-01-21 17:44
extreme-networks
10.91
KB
-rwxr-xr-x
2017-01-21 17:44
fail2ban
9.98
KB
-rwxr-xr-x
2017-01-21 17:44
fetchmail
3.53
KB
-rwxr-xr-x
2017-01-21 17:44
freeradius
10.22
KB
-rwxr-xr-x
2017-01-21 17:44
ftpd-messages
7.67
KB
-rwxr-xr-x
2017-01-21 17:44
ftpd-xferlog
6.18
KB
-rwxr-xr-x
2017-01-21 17:44
http
23.73
KB
-rwxr-xr-x
2017-01-21 17:44
http-error
4.22
KB
-rwxr-xr-x
2016-07-26 19:43
identd
5.54
KB
-rwxr-xr-x
2017-01-21 17:44
imapd
11.15
KB
-rwxr-xr-x
2017-01-21 17:44
in.qpopper
4.84
KB
-rwxr-xr-x
2017-01-21 17:44
init
3.48
KB
-rwxr-xr-x
2017-01-21 17:44
ipop3d
4.08
KB
-rwxr-xr-x
2017-01-21 17:44
iptables
14.96
KB
-rwxr-xr-x
2017-01-21 17:44
kernel
10.56
KB
-rwxr-xr-x
2017-01-21 17:44
knockd
2.8
KB
-rwxr-xr-x
2017-01-21 17:44
lvm
3.12
KB
-rwxr-xr-x
2017-01-21 17:44
mailscanner
27.15
KB
-rwxr-xr-x
2017-01-21 17:44
mdadm
4.58
KB
-rwxr-xr-x
2017-01-21 17:44
mod_security2
7.82
KB
-rwxr-xr-x
2017-01-21 17:44
modprobe
4.17
KB
-rwxr-xr-x
2017-01-21 17:44
mountd
4.35
KB
-rwxr-xr-x
2017-01-21 17:44
mysql
4.52
KB
-rwxr-xr-x
2017-01-21 17:44
mysql-mmm
4.84
KB
-rwxr-xr-x
2017-01-21 17:44
named
31.26
KB
-rwxr-xr-x
2017-01-21 17:44
netopia
14.98
KB
-rwxr-xr-x
2017-01-21 17:44
netscreen
20.63
KB
-rwxr-xr-x
2017-01-21 17:44
oidentd
5.47
KB
-rwxr-xr-x
2017-01-21 17:44
omsa
2.59
KB
-rwxr-xr-x
2017-01-21 17:44
openvpn
13.68
KB
-rwxr-xr-x
2017-01-21 17:44
pam
1.86
KB
-rwxr-xr-x
2017-01-21 17:44
pam_pwdb
7.84
KB
-rwxr-xr-x
2017-01-21 17:44
pam_unix
16.03
KB
-rwxr-xr-x
2017-01-21 17:44
php
5.1
KB
-rwxr-xr-x
2017-01-21 17:44
pix
13.29
KB
-rwxr-xr-x
2017-01-21 17:44
pluto
11.97
KB
-rwxr-xr-x
2017-01-21 17:44
pop3
15.18
KB
-rwxr-xr-x
2017-01-21 17:44
portsentry
5
KB
-rwxr-xr-x
2017-01-21 17:44
postfix
241.59
KB
-rwxr-xr-x
2017-01-21 17:44
postgresql
5.39
KB
-rwxr-xr-x
2017-01-21 17:44
pound
3.52
KB
-rwxr-xr-x
2017-01-21 17:44
proftpd-messages
10.6
KB
-rwxr-xr-x
2017-01-21 17:44
puppet
10.37
KB
-rwxr-xr-x
2016-07-26 19:43
pureftpd
8.17
KB
-rwxr-xr-x
2017-01-21 17:44
qmail
5.73
KB
-rwxr-xr-x
2017-01-21 17:44
qmail-pop3d
4.43
KB
-rwxr-xr-x
2017-01-21 17:44
qmail-pop3ds
3.98
KB
-rwxr-xr-x
2017-01-21 17:44
qmail-send
19.63
KB
-rwxr-xr-x
2017-01-21 17:44
qmail-smtpd
56.05
KB
-rwxr-xr-x
2017-01-21 17:44
raid
1.73
KB
-rwxr-xr-x
2017-01-21 17:44
resolver
3.43
KB
-rwxr-xr-x
2017-01-21 17:44
rsnapshot
3.33
KB
-rwxr-xr-x
2017-01-21 17:44
rsyslogd
1.79
KB
-rwxr-xr-x
2016-07-26 19:43
rt314
4.43
KB
-rwxr-xr-x
2017-01-21 17:44
samba
25.63
KB
-rwxr-xr-x
2017-01-21 17:44
saslauthd
4.06
KB
-rwxr-xr-x
2017-01-21 17:44
scsi
3.34
KB
-rwxr-xr-x
2017-01-21 17:44
secure
41.04
KB
-rwxr-xr-x
2017-01-21 17:44
sendmail
92.27
KB
-rwxr-xr-x
2017-01-21 17:44
sendmail-largeboxes
2.51
KB
-rwxr-xr-x
2017-01-21 17:44
shaperd
5.64
KB
-rwxr-xr-x
2017-01-21 17:44
slon
4.61
KB
-rwxr-xr-x
2017-01-21 17:44
smartd
16.1
KB
-rwxr-xr-x
2017-01-21 17:44
sonicwall
25
KB
-rwxr-xr-x
2017-01-21 17:44
spamassassin
7.56
KB
-rwxr-xr-x
2016-07-26 19:43
sshd
30.98
KB
-rwxr-xr-x
2017-01-21 17:44
sshd2
2.02
KB
-rwxr-xr-x
2017-01-21 17:44
sssd
2.45
KB
-rwxr-xr-x
2017-01-21 17:44
stunnel
5.61
KB
-rwxr-xr-x
2016-07-26 19:43
sudo
6.01
KB
-rwxr-xr-x
2017-01-21 17:44
syslog-ng
20.61
KB
-rwxr-xr-x
2017-01-21 17:44
syslogd
1.98
KB
-rwxr-xr-x
2017-01-21 17:44
systemd
7.53
KB
-rwxr-xr-x
2017-01-21 17:44
tac_acc
4.12
KB
-rwxr-xr-x
2017-01-21 17:44
tivoli-smc
4.41
KB
-rwxr-xr-x
2016-07-26 19:43
up2date
4.79
KB
-rwxr-xr-x
2017-01-21 17:44
vdr
8.3
KB
-rwxr-xr-x
2017-01-21 17:44
vpopmail
3.48
KB
-rwxr-xr-x
2017-01-21 17:44
vsftpd
8.28
KB
-rwxr-xr-x
2017-01-21 17:44
windows
16.12
KB
-rwxr-xr-x
2017-01-21 17:44
xntpd
8.59
KB
-rwxr-xr-x
2017-01-21 17:44
yum
2.8
KB
-rwxr-xr-x
2017-01-21 17:44
zypp
2.48
KB
-rwxr-xr-x
2017-01-21 17:44
zz-disk_space
6.02
KB
-rwxr-xr-x
2017-01-21 17:44
zz-fortune
1.69
KB
-rwxr-xr-x
2017-01-21 17:44
zz-lm_sensors
1.82
KB
-rwxr-xr-x
2017-01-21 17:44
zz-network
12.79
KB
-rwxr-xr-x
2017-01-21 17:44
zz-runtime
1.66
KB
-rwxr-xr-x
2017-01-21 17:44
zz-sys
3.01
KB
-rwxr-xr-x
2017-01-21 17:44
zz-zfs
5.91
KB
-rwxr-xr-x
2017-01-21 17:44
Save
Rename
#!/usr/bin/perl # Process Windows security events logged to a server, using Snare Agent or # similar. ######################################################## ## Copyright (c) 2008-2014 Orion Poplawski ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### use strict; use URI::URL; my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my $SuccessAudits = 0; my %SuccessAuditUsers; my %FailureAudits; my %SuccessAudits; my %ClockSkew; my %UnknownUser; my %UnknownClient; my %BadPasswords; my %TicketExpired; my %AccountChanged; my %AccountCreated; my %AccountDeleted; my %AccountDisabled; my %AccountEnabled; my %AccountLocked; my %AuditPolicyChanged; my %ExpiredPassword; my %PasswordChanged; my %Logon; my %PrivilegedLogon; my %Logoff; my %WorkstationLocked; my %WorkstationUnlocked; my %OtherList; while (defined(my $ThisLine = <STDIN>)) { my ($Hostname,$Criticality,$SourceName,$DateTime,$EventID,$SourceName2,$UserName,$SIDType,$EventLogType,$CategoryString,$DataString,$ExpandedString,$Extra); #Determine format if ($ThisLine =~ /MSWinEventLog\[/) { # Snare 4 #Parse ($Criticality,$SourceName,$DateTime,$EventID,$SourceName2,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) = ($ThisLine =~ /MSWinEventLog\[(\d+)\]:(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/); } elsif ($ThisLine =~ /MSWinEventLog\t/) { # Snare 3 #Parse ($Criticality,$SourceName,$DateTime,$EventID,$SourceName2,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) = ($ThisLine =~ /MSWinEventLog\t(\d+)\t(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/); } if (!defined($Hostname)) { print STDERR "Cannot parse $ThisLine"; next; } my $url = URI::URL->new("https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=$EventID"); if ($EventLogType eq "Success Audit") { if ($EventID == 4608 # Windows is starting up. (startups logged by evtsystem) or $EventID == 4673 # An operation was attempted on a privileged object. or $EventID == 4674 # An operation was attempted on a privileged object. # These are basically noise # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4674 or $EventID == 4688 # A new process has been created. or $EventID == 4689 # A process has exited. ) { # Ignore } elsif ($EventID == 4624 or $EventID == 4648) { $Logon{"$Hostname $UserName"}++; } elsif ($EventID == 4634 or $EventID == 4647) { $Logoff{"$Hostname $UserName"}++; } elsif ($EventID == 4672) { $PrivilegedLogon{"$Hostname $UserName"}++; } elsif ($EventID == 4719) { $AuditPolicyChanged{$Hostname}++; } elsif ($EventID == 4720) { $AccountCreated{$UserName}++; } elsif ($EventID == 4722) { $AccountEnabled{$UserName}++; } elsif ($EventID == 4723) { $PasswordChanged{$UserName}++; } elsif ($EventID == 4725) { $AccountDisabled{$UserName}++; } elsif ($EventID == 4726) { $AccountDeleted{$UserName}++; } elsif ($EventID == 4738 or $EventID == 4742) { $AccountChanged{$UserName}++; } elsif ($EventID == 4800) { $WorkstationLocked{"$Hostname $UserName"}++; } elsif ($EventID == 4801) { $WorkstationUnlocked{"$Hostname $UserName"}++; } else { $SuccessAudits++; $SuccessAuditUsers{$UserName}++; $SuccessAudits{"$Hostname $ExpandedString\n$url"}++; } } elsif ($EventLogType eq "Failure Audit") { if (my ($account,$domain,$reason) = ($ExpandedString =~ /^An account failed to log on\..*Account For Which Logon Failed:.*Account Name:\s+(\S+)\s+Account Domain:\s+(\S+).*Failure Reason:\s+(.+)\s+Status:.*Sub Status:/)) { $FailureAudits{"$Hostname Log On Failure for $domain\\$account: $reason"}++; } elsif (my ($account,$domain,$process) = ($ExpandedString =~ /^A privileged service was called\..*Account Name:\s+(\S+)\s+Account Domain:\s+(\S+).*Process Name:\s+(.+)\sService/)) { $FailureAudits{"$Hostname Privileged service called for $domain\\$account: $process"}++ if $Detail; } elsif ($EventID == 4674) { # These are basically noise # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4674 # An operation was attempted on a privileged object. } elsif ($EventID == 4768) { # A Kerberos authentication ticket (TGT) was requested my ($Account,$Realm,$Client,$FailureCode) = $ExpandedString =~ /Account Name:\s+(\S*)\s.*Supplied Realm Name:\s+(\S*)\s.*Client Address:\s+(\S+)\s.*Result Code:\s+(\w+)/; if ($FailureCode eq "0x6") { # Client not found in Kerberos database $UnknownClient{"$Account\\$Realm $Client"}++; } elsif ($FailureCode eq "0x17") { # Password has expired $ExpiredPassword{"$UserName"}++; } else { $FailureAudits{"$Hostname $ExpandedString\n$url"}++; } } elsif ($EventID == 4769) { # A Kerberos service ticket was requested my ($Client,$FailureCode) = $ExpandedString =~ /Client Address:\s+(\S+)\s.*Failure Code:\s+(\w+)/; #print STDERR "EventID=$EventID Client=$Client FailureCode=$FailureCode ExpandedString=$ExpandedString\n"; if ($FailureCode eq "0x20") { # Ticket expired $TicketExpired{$Client}++; } elsif ($FailureCode eq "0x25") { # Clock skew too great $ClockSkew{$Client}++; } else { $FailureAudits{"$Hostname $ExpandedString\n$url"}++; } } elsif ($EventID == 4771) { # Kerberos pre-authentication failed my ($Account,$Client,$FailureCode) = $ExpandedString =~ /Account Name:\s+(\S+)\s.*Client Address:\s+(\S+)\s.*Failure Code:\s+(\w+)/; if ($FailureCode eq "0x12") { #Clients credentials have been revoked Account disabled, expired, locked out, logon hours. $AccountLocked{"$Account $Client"}++; } elsif ($FailureCode eq "0x18") { #Pre-authentication information was invalid - bad password $BadPasswords{"$Account $Client"}++; } elsif ($FailureCode eq "0x25") { # Clock skew too great $ClockSkew{$Client}++; } else { $FailureAudits{"$Hostname $ExpandedString\n$url"}++; } } elsif ($EventID == 4776) { # The domain controller attempted to validate the credentials for an account my ($Account,$Client,$FailureCode) = $ExpandedString =~ /Logon Account:\s+(\S+)\s+Source Workstation:\s+(\S*)\s.*Error Code:\s+(\w+)/; if (lc($FailureCode) eq "0xc0000064") { # user name does not exist $UnknownUser{"$Account $Client"}++; } elsif (lc($FailureCode) eq "0xc000006a") { # user name is correct but the password is wrong $BadPasswords{"$Account $Client"}++; } elsif (lc($FailureCode) eq "0xc0000071") { # expired password $ExpiredPassword{"$Account $Client"}++; } elsif (lc($FailureCode) eq "0xc0000234") { # account locked $AccountLocked{"$UserName $Client"}++; } else { $FailureAudits{"$Hostname $ExpandedString\n$url"}++; } } else { $FailureAudits{"$Hostname $ExpandedString\n$url"}++; } } else { # Report any unmatched entries... chomp($ThisLine); $OtherList{$ThisLine}++; } } if (keys %ClockSkew) { print "\nClock skew too great\n"; foreach my $Client (sort keys %ClockSkew) { print " $Client : $ClockSkew{$Client} Times\n"; } } if (keys %AccountCreated) { print "\nAccount Created\n"; foreach my $Account (sort keys %AccountCreated) { print " $Account : $AccountCreated{$Account} Times\n"; } } if (keys %AccountDeleted) { print "\nAccount Deleted\n"; foreach my $Account (sort keys %AccountDeleted) { print " $Account : $AccountDeleted{$Account} Times\n"; } } if (keys %AccountDisabled) { print "\nAccount Disabled\n"; foreach my $Account (sort keys %AccountDisabled) { print " $Account : $AccountDisabled{$Account} Times\n"; } } if (keys %AccountEnabled) { print "\nAccount Enabled\n"; foreach my $Account (sort keys %AccountEnabled) { print " $Account : $AccountEnabled{$Account} Times\n"; } } if (keys %AccountChanged) { print "\nAccount Changed\n"; foreach my $Account (sort keys %AccountChanged) { print " $Account : $AccountChanged{$Account} Times\n"; } } if (keys %PasswordChanged) { print "\nPassword Changed\n"; foreach my $Account (sort keys %PasswordChanged) { print " $Account : $PasswordChanged{$Account} Times\n"; } } if (keys %AccountLocked) { print "\nAccount Locked\n"; foreach my $Account (sort keys %AccountLocked) { print " $Account : $AccountLocked{$Account} Times\n"; } } if (keys %ExpiredPassword) { print "\nPassword Expired\n"; foreach my $Account (sort keys %ExpiredPassword) { print " $Account : $ExpiredPassword{$Account} Times\n"; } } if (keys %UnknownUser) { print "\nUnknown Users\n"; foreach my $Account (sort keys %UnknownUser) { print " $Account : $UnknownUser{$Account} Times\n"; } } if (keys %UnknownClient) { print "\nUnknown Clients\n"; foreach my $Account (sort keys %UnknownClient) { print " $Account : $UnknownClient{$Account} Times\n"; } } if (keys %BadPasswords) { print "\nBad Passwords\n"; foreach my $Account (sort keys %BadPasswords) { print " $Account : $BadPasswords{$Account} Times\n"; } } if (keys %TicketExpired) { print "\nTicket Expired\n"; foreach my $Client (sort keys %TicketExpired) { print " $Client : $TicketExpired{$Client} Times\n"; } } if (keys %FailureAudits) { print "\nFailure Audits\n"; foreach my $Error (sort keys %FailureAudits) { print " $Error : $FailureAudits{$Error} Times\n"; } } if (keys %AuditPolicyChanged) { print "\nAudit Policy Changed\n"; foreach my $Hostname (sort keys %AuditPolicyChanged) { print " $Hostname : $AuditPolicyChanged{$Hostname} Times\n"; } } if ((keys %PrivilegedLogon) and ($Detail > 0)) { print "\nPrivileged Logons\n"; foreach my $User (sort keys %PrivilegedLogon) { print " $User : $PrivilegedLogon{$User} Times\n"; } } if (keys %Logon and ($Detail >= 5)) { print "\nLogons\n"; foreach my $User (sort keys %Logon) { print " $User : $Logon{$User} Times\n"; } } if (keys %Logoff and ($Detail >= 5)) { print "\nLogoffs\n"; foreach my $User (sort keys %Logoff) { print " $User : $Logoff{$User} Times\n"; } } if (keys %WorkstationLocked and ($Detail >= 10)) { print "\nWorkstaion Locked\n"; foreach my $User (sort keys %WorkstationLocked) { print " $User : $WorkstationLocked{$User} Times\n"; } } if (keys %WorkstationUnlocked and ($Detail >= 10)) { print "\nWorkstaion Unlocked\n"; foreach my $User (sort keys %WorkstationUnlocked) { print " $User : $WorkstationUnlocked{$User} Times\n"; } } if ($SuccessAudits and ($Detail >= 5) ) { print "\nSuccess Audits " . $SuccessAudits . " Time(s)\n"; foreach my $User (keys %SuccessAuditUsers) { print " $User : $SuccessAuditUsers{$User} Times\n"; } if ($Detail >= 10) { print "\nSuccess Audits\n"; foreach my $Error (sort keys %SuccessAudits) { print " $Error : $SuccessAudits{$Error} Times\n"; } } } if (keys %OtherList) { print "\n**** Unmatched entries ****\n"; foreach my $Error (keys %OtherList) { print " $Error : $OtherList{$Error} Times\n"; } } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: