[root@Centos log]# wget
http://packetstorm.foofus.com/UNIX/logg ... og-1.0.tgz--2013-01-07 05:16:56--
http://packetstorm.foofus.com/UNIX/logg ... og-1.0.tgzResolving packetstorm.foofus.com... 64.71.188.242
Connecting to packetstorm.foofus.com|64.71.188.242|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 80240 (78K) [text/plain]
Saving to: `sh2log-1.0.tgz'
100%[=====================================================================================>] 80,240 57.2K/s in 1.4s
2013-01-07 05:16:58 (57.2 KB/s) - `sh2log-1.0.tgz' saved [80240/80240]
[root@Centos log]# tar xf sh2log-1.0.tgz
[root@Centos log]# cd sh2log-1.0
[root@Centos sh2log-1.0]#
编译选项
[root@Centos sh2log-1.0]# make
Please specify the target:
make linux
make freebsd
make openbsd
make cygwin
make sunos
make irix
make hpux
make aix
make osf
如下
[root@Centos sh2log-1.0]# make linux
gcc -g -W -Wall -o sh2log rc4.c sha1.c sh2log.c -lutil -DLINUX
gcc -g -W -Wall -o sh2logd rc4.c sha1.c sh2logd.c
gcc -g -W -Wall -o parser rc4.c sha1.c parser.c -lX11 -L/usr/X11R6/lib
parser.c:35:22: error: X11/Xlib.h: No such file or directory
parser.c: In function ‘main’:
parser.c:291: error: ‘Display’ undeclared (first use in this function)
parser.c:291: error: (Each undeclared identifier is reported only once
parser.c:291: error: for each function it appears in.)
parser.c:291: error: ‘dpi’ undeclared (first use in this function)
parser.c:292: error: ‘Window’ undeclared (first use in this function)
parser.c:292: error: expected ‘;’ before ‘wnd’
parser.c:293: error: ‘XWindowAttributes’ undeclared (first use in this function)
parser.c:293: error: expected ‘;’ before ‘xwa’
parser.c:515: warning: implicit declaration of function ‘XOpenDisplay’
parser.c:522: error: ‘wnd’ undeclared (first use in this function)
parser.c:524: warning: implicit declaration of function ‘XSetWindowBorderWidth’
parser.c:525: warning: implicit declaration of function ‘XSync’
parser.c:525: error: ‘False’ undeclared (first use in this function)
parser.c:526: warning: implicit declaration of function ‘XGetWindowAttributes’
parser.c:526: error: ‘xwa’ undeclared (first use in this function)
parser.c:714: warning: implicit declaration of function ‘XMoveResizeWindow’
parser.c:772: warning: implicit declaration of function ‘XCloseDisplay’
make: *** [linux] Error 1
错误:
parser.c:35:22: error: X11/Xlib.h: No such file or directory
安装X11
[root@Centos sh2log-1.0]# yum install libX11-devel
在编译
[root@Centos sh2log-1.0]# make linux
gcc -g -W -Wall -o sh2log rc4.c sha1.c sh2log.c -lutil -DLINUX
gcc -g -W -Wall -o sh2logd rc4.c sha1.c sh2logd.c
gcc -g -W -Wall -o parser rc4.c sha1.c parser.c -lX11 -L/usr/X11R6/lib
先删除演示
[root@Centos sh2log-1.0]# rm test.bin
配置
[root@Centos sh2log-1.0]# mkdir /bin/shells/
[root@Centos sh2log-1.0]# cp -p /bin/sh /bin/shells/
[root@Centos sh2log-1.0]# cp -p /bin/bash /bin/shells/
[root@Centos sh2log-1.0]# rm -rf /bin/sh /bin/bash
[root@Centos sh2log-1.0]# cp -p sh2log /bin/sh
[root@Centos sh2log-1.0]# cp -p sh2log /bin/bash
[root@Centos sh2log-1.0]# ./sh2logd
[root@Centos sh2log-1.0]# ps -ef | grep sh2logd
root 27151 1 0 05:24 ? 00:00:00 ./sh2logd
root 27175 26396 0 05:24 pts/3 00:00:00 grep sh2logd
[root@Centos sh2log-1.0]#
发现sh2logd 已经启动了 当前目录下生成了以时间命名的BIN文件
-rw------- 1 root root 0 Jan 7 05:24 sh2log-20130107-052402.bin
查看记录
先打开个终端操作以下
[root@Centos log]# bash
[root@Centos log]# ls -la
total 112
drwxr-xr-x 3 root root 4096 Jan 7 05:17 .
drwxrwxrwt 17 root root 4096 Jan 7 05:18 ..
drwxr-xr-x 2 root root 4096 Jan 7 05:24 sh2log-1.0
-rw-r--r-- 1 root root 80240 Nov 8 2006 sh2log-1.0.tgz
[root@Centos log]# pwd
/tmp/log
[root@Centos log]#
查看日志
[root@Centos sh2log-1.0]# ./parser sh2log-20130107-052402.bin
SID SOURCE IP UID PID START DATE END DATE DURATION
1 [127.0.0.1] 0 (27293) 07/01 05:25 | 07/01 05:25 X 03s
2 [127.0.0.1] 0 (27407) 07/01 05:26 | 07/01 05:26 X 02s
In interactive mode, use Enter to fast forward, Space to pause and q to quit.
Note that xterm is required for window resizing.
Session ID -> 2
Interactive mode (y/n) ? n
07/01 05:26:53 -> ls -la
07/01 05:26:53 -> pwd
登录
注册
FAQ