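/*
 * stasis.c - timestamp suspension tool - 01/00 by Mixter
 *
 * this is a simple file monitoring tool that records the timestamp of
 * files, then periodically finds atime/mtime changes and restores the
 * old timestamps, as if the files were never accessed / changed.
 * this shows that timestamp monitoring is not very foolproof, and can
 * be used to fool some lame admins and script kiddies' atime/mtime scan
 * based protection scripts for eggdrop tcl and other programs easily.
 *
 * compile with -DBSD if your system doesn't have working utime()...
 *
 * [contact addresses lost in extraction]
 * http://mixter.void.ru / http://mixtersecurity.tripod.com
 *
 * Reviewer note: only atime and mtime are rewritten.  Every utime()/utimes()
 * call bumps the inode's ctime, which an unprivileged process cannot set
 * back, so a monitor that compares ctime still sees each revert; the
 * fixed-path log file below is a second obvious artefact.
 */

#define MINUTES_DELAY 3            /* delay between file scans */
#define LOGFILE "/var/tmp/.s3kr1t" /* optional to define */
#define DELAY (MINUTES_DELAY * 60) /* seconds; parenthesised for safe use in expressions */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#ifndef BSD /* OS specific utime functions */
#include <utime.h>
#else
#include <sys/time.h>
#endif

enum {
    LINE_MAX_LEN = 4096 /* longest path line (incl. newline) accepted from the list file */
};

#ifdef LOGFILE
/*
 * Append "a b" to LOGFILE.  Best effort: if the log cannot be opened the
 * entry is dropped instead of dereferencing a NULL FILE * as before.
 * LOGFILE is a fixed, predictable name under a world-writable directory,
 * so any local user can read, pre-create or tamper with it.
 * Renamed from log(): that identifier belongs to the C library.
 */
static void stasis_log(const char *a, const char *b)
{
    FILE *fp = fopen(LOGFILE, "a");
    if (fp == NULL)
        return;
    fprintf(fp, "%s %s\n", a, b);
    fclose(fp);
}
#else
#define stasis_log(a, b) ((void)0) /* logging compiled out */
#endif

/* filename / time association struct: one node per monitored file */
struct fhash {
    char filename[LINE_MAX_LEN];
    time_t atime; /* st_atime recorded at startup */
    time_t mtime; /* st_mtime recorded at startup */
    struct fhash *next;
};

/*
 * Put the recorded access/modification times back on `name`.
 * Returns 0 on success, -1 (errno set) on failure, like utime()/utimes().
 */
static int restore_times(const char *name, time_t atime, time_t mtime)
{
#ifndef BSD
    struct utimbuf tb;
    tb.actime = atime;
    tb.modtime = mtime;
    return utime(name, &tb);
#else
    /*
     * utimes() expects a two-element array: [0] = atime, [1] = mtime.
     * The original passed a single struct timeval with mtime stuffed into
     * tv_usec, so utimes() read past the struct and set a bogus mtime.
     */
    struct timeval tv[2];
    tv[0].tv_sec = atime;
    tv[0].tv_usec = 0;
    tv[1].tv_sec = mtime;
    tv[1].tv_usec = 0;
    return utimes(name, tv);
#endif
}

/* Print usage to stderr and exit non-zero (the original exited 0 on error). */
static void usage(const char *prog)
{
    fprintf(stderr, "Usage: %s FILELIST\n", prog);
    fprintf(stderr, "Make a file list by typing something like: find / -type f > list.txt\n");
    exit(EXIT_FAILURE);
}

/*
 * Read one line of `list` into `buf` (capacity `size`) with the newline
 * removed.  Returns 1 on success, 0 at EOF.  Lines longer than the buffer
 * are skipped entirely (and logged) rather than truncated into the name of
 * some other, shorter path, and an empty read no longer indexes buf[-1].
 */
static int read_path_line(FILE *list, char *buf, size_t size)
{
    for (;;) {
        if (fgets(buf, (int)size, list) == NULL)
            return 0;
        char *nl = strchr(buf, '\n');
        if (nl != NULL) {
            *nl = '\0';
            return 1;
        }
        /* No newline: either the final line lacks one, or the line overflowed. */
        int c = getc(list);
        if (c == EOF || c == '\n')
            return 1;
        while ((c = getc(list)) != EOF && c != '\n')
            ; /* discard the remainder of the overlong line */
        stasis_log("ignoring overlong line starting: ", buf);
    }
}

/*
 * Entry point.  argv[1] names a file holding one path per line.  Records
 * each path's atime/mtime, forks into the background, and every DELAY
 * seconds rewrites the recorded times onto any file whose times changed.
 * Returns non-zero on usage error, unreadable list, OOM or fork failure.
 */
int main(int argc, char **argv)
{
    FILE *list;
    char buffer[LINE_MAX_LEN];
    struct stat statbuf;
    struct fhash *fstart = NULL;   /* head of the monitored-file list */
    struct fhash **tail = &fstart; /* where the next node is appended */
    struct fhash *fcurr;
    int counter = 0;

    if (argc != 2)
        usage(argv[0]);
    if ((list = fopen(argv[1], "r")) == NULL) {
        perror(argv[1]);
        usage(argv[0]);
    }

    /* read filename timestamps */
    while (read_path_line(list, buffer, sizeof buffer)) {
        if (buffer[0] == '\0')
            continue; /* blank line */
        /*
         * stat(), not lstat(): utime() follows symlinks, so record the
         * times of the object that will later be rewritten.
         */
        if (stat(buffer, &statbuf) != 0) {
            stasis_log("ignoring non existant file: ", buffer);
            continue;
        }
        fcurr = malloc(sizeof *fcurr);
        if (fcurr == NULL) {
            fprintf(stderr, "%s: out of memory after %d files\n", argv[0], counter);
            fclose(list);
            return EXIT_FAILURE;
        }
        /* snprintf always NUL-terminates; strncpy(..., 254) into a 255-byte
         * field could leave the last byte unset on a malloc'd node. */
        snprintf(fcurr->filename, sizeof fcurr->filename, "%s", buffer);
        fcurr->atime = statbuf.st_atime;
        fcurr->mtime = statbuf.st_mtime;
        fcurr->next = NULL;
        *tail = fcurr;
        tail = &fcurr->next;
        counter++;
    }
    fclose(list); /* not needed by the daemon; the original leaked it */

    printf("Going into background, monitoring %d files\n", counter);
    fflush(stdout); /* flush before fork so a piped stdout does not print the line twice */
    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return EXIT_FAILURE;
    }
    if (pid > 0)
        exit(0); /* parent */

    /* comparison routine */
    for (;;) {
        sleep(DELAY);
        for (fcurr = fstart; fcurr != NULL; fcurr = fcurr->next) {
            if (stat(fcurr->filename, &statbuf) != 0) {
                stasis_log("file has been deleted: ", fcurr->filename);
                continue;
            }
            int atime_changed = fcurr->atime != statbuf.st_atime;
            int mtime_changed = fcurr->mtime != statbuf.st_mtime;
            if (!atime_changed && !mtime_changed)
                continue;
            if (atime_changed)
                stasis_log("atime change reverted: ", fcurr->filename);
            if (mtime_changed)
                stasis_log("mtime change reverted: ", fcurr->filename);
            /* One call restores both fields; the original called it twice
             * and never checked the result. */
            if (restore_times(fcurr->filename, fcurr->atime, fcurr->mtime) != 0)
                stasis_log("could not restore times for: ", fcurr->filename);
        }
    }
    return 0;
}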