Imported Upstream version 2.7
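diff --git a/src/rootcheck/check_rc_ports.c b/src/rootcheck/check_rc_ports.c
index 57cc3d5..d40356d 100755
--- a/src/rootcheck/check_rc_ports.c
+++ b/src/rootcheck/check_rc_ports.c
@@ -1,17 +1,18 @@
-/* @(#) $Id: check_rc_ports.c,v 1.21 2009/06/24 18:53:07 dcid Exp $ */
+/* @(#) $Id: ./src/rootcheck/check_rc_ports.c, 2011/09/08 dcid Exp $
+ */
 /* Copyright (C) 2009 Trend Micro Inc.
 * All right reserved.
 *
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
- * License (version 3) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
 * Foundation
 */
-
+
 #ifndef WIN32
-
+
 #include "shared.h"
 #include "rootcheck.h"
@@ -30,7 +31,7 @@
 #define NETSTAT_LIST "netstat -an | grep \"^%s\" | "\
 "cut -d ':' -f 2 | cut -d ' ' -f 1"
 #define NETSTAT "netstat -an | grep \"^%s\" | " \
- "grep \"[^0-9]%d \" > /dev/null 2>&1"
+ "grep \"[^0-9]%d \" > /dev/null 2>&1"
 #endif
 #ifndef NETSTAT
@@ -41,6 +42,7 @@
 int run_netstat(int proto, int port)
 {
+ int ret;
 char nt[OS_SIZE_1024 +1];
 if(proto == IPPROTO_TCP)
@@ -53,10 +55,17 @@ int run_netstat(int proto, int port)
 return(0);
 }
- if(system(nt) == 0)
+ ret = system(nt);
+
+ if(ret == 0)
 return(1);
-
- return(0);
+
+ else if(ret == 1)
+ {
+ return(0);
+ }
+
+ return(1);
 }
@@ -83,7 +92,7 @@ int conn_port(int proto, int port)
 server.sin_port = htons( port );
 server.sin_addr.s_addr = htonl(INADDR_ANY);
-
+
 /* If we can't bind, it means the port is open */
 if(bind(ossock, (struct sockaddr *) &server, sizeof(server)) < 0)
 {
@@ -99,10 +108,10 @@ int conn_port(int proto, int port)
 {
 total_ports_udp[port] = rc;
 }
-
- close(ossock);
- return(rc);
+ close(ossock);
+
+ return(rc);
 }
@@ -121,7 +130,7 @@ void test_ports(int proto, int *_errors, int *_total)
 if(run_netstat(proto, i))
 {
 continue;
-
+
 #ifdef OSSECHIDS
 sleep(2);
 #endif
@@ -140,7 +149,7 @@ void test_ports(int proto, int *_errors, int *_total)
 snprintf(op_msg, OS_SIZE_1024, "Port '%d'(%s) hidden. "
 "Kernel-level rootkit or trojaned "
- "version of netstat.", i,
+ "version of netstat.", i,
 (proto == IPPROTO_UDP)? "udp" : "tcp");
 notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
@@ -178,8 +187,8 @@ void check_rc_ports()
 total_ports_udp[i] = 0;
 i++;
 }
-
- /* Trsting TCP ports */
+
+ /* Trsting TCP ports */
 test_ports(IPPROTO_TCP, &_errors, &_total);
 /* Testing UDP ports */
@@ -193,7 +202,7 @@ void check_rc_ports()
 " Analyzed %d ports.", _total);
 notify_rk(ALERT_OK, op_msg);
 }
-
+
 return;
 }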
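Review bot: In run_netstat the new `else if(ret == 1)` compares the raw return of `system()` with an exit code, but on POSIX systems `system()` returns a wait status, so a grep that exits 1 (no match) is normally reported as 256 and this branch is not taken. Execution then falls through to the final `return(1);`, so the function reports the port as visible to netstat whether or not grep matched, and the `if(run_netstat(proto, i))` check in test_ports would then skip the hidden-port alert, as far as the visible context shows. Decode the status before comparing, e.g. `else if(WIFEXITED(ret) && WEXITSTATUS(ret) == 1)`, which needs `<sys/wait.h>` if `shared.h` does not already pull it in. Keeping `return(1)` for every other status (netstat missing, shell failure, termination by signal, `system()` returning -1) preserves the apparent intent of not raising a rootkit alert on a tool error, but that path deserves a comment or a debug log so a broken netstat does not silently disable the check.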