The following script checks for processes running as the nobody user other than those listed
in the script. If you set it up to run every 2 minutes, it will check and notify you if somebody runs a script under nobody
ownership.
=============================================================
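#!/usr/bin/perl
# Lists every process owned by "nobody", compares the command name against
# @allows, and for anything not on the list records the PID, the name and a
# few environment variables (PWD, OLDPWD, SSH_CLIENT) read from /proc, kills
# it with SIGKILL, and finally calls notify() from /root/notify.pl with the
# collected results.  Meant to run from cron as root, since it reads
# /proc/<pid>/environ and signals another user's processes.
use strict;
use warnings;

# Shared with /root/notify.pl, which reads them as package globals of main.
our ($subject, @results);

# Command names (as printed in the CMD column of "ps -u nobody") that may run
# as nobody.  "CMD" is the column header itself.
my @allows = (
    "httpd", "melange", "entropychat", "apachewrap", "mysqlwrap",
    "postgreswrap", "spamd", "CMD", "getinfo.cgi", "host", "proftpd",
);
my %allowed = map { $_ => 1 } @allows;

require "/root/notify.pl";

my $found = 0;

# List-form open: no shell is involved, so the arguments are not re-parsed.
open(my $psfh, '-|', '/bin/ps', '-u', 'nobody')
    or die "cannot run /bin/ps: $!";

PROCESS: while (my $line = <$psfh>) {
    chomp $line;
    # Expected row layout is "PID TTY TIME CMD"; on some ps versions the TTY
    # column is empty, so it is optional here.  The header row has no numeric
    # PID and is skipped, as is anything else that does not parse, so only a
    # value that really is a PID ever reaches kill() or the /proc path.
    next PROCESS
        unless $line =~ m{\A\s*(\d+)\s+(?:\S+\s+)?[\d:-]+\s+(.+?)\s*\z};
    my ($pid, $proc) = ($1, $2);
    next PROCESS if $allowed{$proc};
    $found++;
    print "checking $proc ($pid)..\n";

    # Read the environment straight from /proc instead of via cat|tr|grep:
    # no shell, and a process that has already exited just yields nothing.
    # Reset per process so one entry does not carry into the next.
    my $environ = '';
    if (open(my $envfh, '<', "/proc/$pid/environ")) {
        my $raw = do { local $/; <$envfh> };
        close $envfh;
        $raw = '' unless defined $raw;
        for my $entry (split /\0/, $raw) {
            next unless $entry =~ /PWD|OLDPWD|SSH_CLIENT/;
            $environ .= html_escape($entry) . "<br>\n";
        }
    }

    # The alert mail is HTML, and both the name and the environment are
    # chosen by the process being reported, so escape them.
    push @results,
          "PID: $pid<br>\nName: " . html_escape($proc)
        . "<br>\nPossible Env Vars:<br>\n$environ<br>\n"
        . "<hr width=\"100%\"><br>\n";

    # $pid is numeric (see the regex above), so the builtin is used directly.
    # A PID can be recycled between the ps listing and this call; nothing
    # here guards against that.
    kill 'KILL', $pid;
}
close $psfh;

if ($found != 0) {
    $subject = "nobody management (found $found) ";
    notify();
}

# Escape the characters that would otherwise be interpreted as markup in the
# HTML alert mail.
sub html_escape {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}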
==============================================================
The notify.pl script could be the following:
==============================================================
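# notify.pl -- mails the contents of @results to $email.  Loaded with
# require() from the nobody checker, which sets $subject and @results
# (package globals of main) before calling notify().
use strict;
use warnings;

our $email = "sanju\@mycutelife.net";
our ($subject, @results);

# Send the HTML alert mail through the local exim binary.
# Reads:   $email (recipient), $subject, @results (one HTML fragment per
#          reported process) and $ENV{HOSTNAME} when it is set.
# Returns: nothing.  Dies if exim cannot be started; warns if it exits
#          with an error.
sub notify {
    my $cdate    = localtime(time);
    my $hostname = $ENV{'HOSTNAME'};
    # Cron jobs usually run without HOSTNAME in the environment.
    if (!defined $hostname || $hostname eq '') {
        require Sys::Hostname;
        $hostname = Sys::Hostname::hostname();
    }
    # A line break inside a header value would end the header block early,
    # so strip CR/LF from the two interpolated values.
    (my $subject_line = defined $subject ? $subject : '') =~ tr/\r\n//d;
    (my $host_line = $hostname) =~ tr/\r\n//d;

    # List-form open: the recipient is passed as an argument, not re-parsed
    # by a shell.
    open(my $mail, '|-', '/usr/sbin/exim', $email)
        or die "cannot run /usr/sbin/exim: $!";
    print {$mail} "To: $email\n";
    print {$mail} "From: alerts\@stormwire.com\n";
    print {$mail} "Subject: $host_line] $subject_line\n";
    print {$mail} <<ENDBODY;
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
<html>
<font>
<b>Time: $cdate</b><br>
<b>Hostname: $hostname</b><br>
<hr width="100%"><br>@results<br>
<hr width="100%"><br>
</font>
</html>
ENDBODY
    # A lone "." terminates the message for exim when it is not run with -i.
    print {$mail} "\n.\n\n";
    close $mail or warn "exim exited with status $?: $!";
    return;
}

1;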