Unoffical empeg BBS

#143604 - 15/02/2003 12:47 making a search script for eggdrops in linux?
ilDuce
journeyman

Registered: 22/06/2002
Posts: 92
I am a newbie to Linux. But I am very willing to learn.
I had a question from a guy on how to write a script in Linux that searches for eggdrops. I would like to give him a good answer. Some of the problem is that I for the moment don't have a Linux machine. But I would appreciate some suggestions on how to learn how to write scripts, and how to search for eggdrops.

I guess it's kinda hard to search for an already compiled binary. So, if I would guess, are there any user logs on commands? And if so, is it possible then to search these logs to see if the eggdrop binary has been compiled and executed?

#143605 - 15/02/2003 13:38 Re: making a search script for eggdrops in linux? [Re: ilDuce]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Sure. But anyone who's interested in keeping it a secret would just rename it to something innocuous. I'll admit that I don't know much about eggdrops (I was never much into IRC), but it seems to me that the correct way would be to see what the program's doing. It would have to attach to an IRC port, right? In that case, I'd use lsof to see what processes are using that port.
_________________________
Bitt Faulk

#143606 - 15/02/2003 17:02 Re: making a search script for eggdrops in linux? [Re: wfaulk]
ilDuce
journeyman

Registered: 22/06/2002
Posts: 92
Sure.... that's one way to do it.

Although.... as I think the intention was.... He wanted a script that's pretty simple. And searches just for an eggdrop script start.
Although, I'll tell him about your idea. Didn't know I could list processes over ports... thanks!

#143607 - 16/02/2003 01:51 Re: making a search script for eggdrops in linux? [Re: ilDuce]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
To be more precise, most Unices do have accounting facilities that will record the name of every process that's run. These are not usually (never?) turned on by default.

The problem with this is that all it really records is the name of the process. Assuming that the user is intending to be sneaky, he's likely to rename the process ``ls'' or ``pine'' or ``top'' or ``BitchX'' or something else that's not likely to draw attention, just so that it becomes more difficult to find it in process accounting or simple process listings.

The detectable thing that's closest to uniquely identifying it will be the TCP connection to an IRC server. Of course, then you have to do more investigation if the process name is ``BitchX'', as long as innocuous IRC is allowed.

If he's looking to prevent this sort of thing, he might want to make a different filesystem for users' home directories and mount it ``noexec'', so that they can't run programs that they put on the system themselves. He'd probably want to make /tmp ``noexec'' as well.
_________________________
Bitt Faulk
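
The lsof approach from the posts above, as an added example that is not part of the original thread: it filters `lsof` output for established TCP connections to IRC ports and reports each process's name next to its real executable path, so a bot renamed to `top` still stands out. The port list, the function names and the sample lsof lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag processes holding established TCP connections to IRC ports.
# IRC_PORTS is an assumed, site-adjustable list; 6667 and 6697 are the usual ones.
IRC_PORTS="${IRC_PORTS:-6660 6661 6662 6663 6664 6665 6666 6667 6668 6669 6697 7000}"

# Reads `lsof -nP -iTCP` output on stdin; prints "PID USER COMMAND REMOTE"
# for every established connection whose remote port is in IRC_PORTS.
find_irc_conns() {
    awk -v ports="$IRC_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $NF != "(ESTABLISHED)" { next }        # skips header and listening sockets
        {
            name = $(NF - 1)                   # local->remote
            k = index(name, "->"); if (k == 0) next
            remote = substr(name, k + 2)
            port = remote; sub(/^.*:/, "", port)   # greedy match also handles [IPv6]:port
            if (port in want) print $2, $3, $1, remote
        }'
}

# Path of the binary actually running as PID $1. The process name can be
# anything the user chose; this shows where the file lives. Needs root for
# other users' processes, otherwise prints "unknown".
exe_of() {
    readlink "/proc/$1/exe" 2>/dev/null || echo unknown
}

report() {
    find_irc_conns | while read -r pid user cmd remote; do
        printf 'pid=%s user=%s name=%s exe=%s remote=%s\n' \
            "$pid" "$user" "$cmd" "$(exe_of "$pid")" "$remote"
    done
}

# Constructed sample lsof output (documentation addresses, made-up PIDs).
sample_lsof() {
cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  21001      0t0  TCP 192.0.2.10:22->192.0.2.50:50122 (ESTABLISHED)
top      4312 jdoe    4u  IPv4  48211      0t0  TCP 192.0.2.10:51234->198.51.100.7:6667 (ESTABLISHED)
BitchX   4400 asmith  5u  IPv4  48300      0t0  TCP 192.0.2.10:51300->198.51.100.7:6667 (ESTABLISHED)
pine     4501 jdoe    6u  IPv6  48411      0t0  TCP [2001:db8::10]:40000->[2001:db8::7]:6697 (ESTABLISHED)
firefox  5000 asmith 40u  IPv4  49000      0t0  TCP 192.0.2.10:52000->203.0.113.9:443 (ESTABLISHED)
EOF
}

if [ "${1:-}" = "--live" ]; then
    lsof -nP -iTCP -sTCP:ESTABLISHED | report   # run as root to see all users
else
    sample_lsof | report
fi
```

A hit whose name is `top` or `pine` but whose `exe` points into a home directory or /tmp is the renamed-binary case described above; a hit named `BitchX` still needs a human to decide whether it is ordinary IRC use.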

#143608 - 16/02/2003 06:04 Re: making a search script for eggdrops in linux? [Re: wfaulk]
ilDuce
journeyman

Registered: 22/06/2002
Posts: 92
Thanks..... apparently it was for a school project. And he accepted your lsof tip.... Don't think that it's for an actual server. I guess the teacher just wanted a solution for how to check if there were any eggdrops.

Thanks for your help! Most appreciated!

Do you have any good links to places where I can learn basic script and the Linux C++ environment? I have been programming C++ for Windows and DOS and would like to learn also in Linux.

#143609 - 16/02/2003 10:46 Re: making a search script for eggdrops in linux? [Re: ilDuce]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Not really. Sorry.

I'm not a C++ programmer, so I can't really give you much information there. On an application level, though, it's likely to be fairly similar to DOS programming, unless you're trying to do graphics or something else very hardware/OS specific.

I've been writing shell scripts for over ten years, so I don't have a good tutorial for you there. What I can tell you is that you probably are talking about Bourne (sh) or Korn (ksh) shell scripting. They are the more common interactive user shells (like cmd.com or command.com in Windows), although there's another different one, C shell, and there are numerous others that are based on all of those (bash and zsh are the common Korn derivatives, and tcsh is the common C Shell derivative). Regardless, their syntaxes are mostly quite simple and their power lies in the ability to use other programs with them. This means that it's fairly difficult to learn shell scripting, as you have to really learn the concepts behind it well and then learn how to use a bunch of other programs.

That being said, some people also refer to some other things as shell scripting. These are usually the programming languages that don't require precompilation. That is, the file with source code is the same as the file you execute (or, at least, it appears that way). Common ones here are Perl, Python, and Tcl, but there are many others. They have little in common with each other (or Bourne, Korn, or C Shell) beyond the fact that they don't have to be compiled before they're run.
_________________________
Bitt Faulk
