-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/check_rc_ports.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#ifndef WIN32
-
+
#include "shared.h"
#include "rootcheck.h"
#define NETSTAT_LIST "netstat -an | grep \"^%s\" | "\
"cut -d ':' -f 2 | cut -d ' ' -f 1"
#define NETSTAT "netstat -an | grep \"^%s\" | " \
- "grep \"[^0-9]%d \" > /dev/null 2>&1"
+ "grep \"[^0-9]%d \" > /dev/null 2>&1"
#endif
#ifndef NETSTAT
int run_netstat(int proto, int port)
{
+ int ret;
char nt[OS_SIZE_1024 +1];
if(proto == IPPROTO_TCP)
return(0);
}
- if(system(nt) == 0)
+ ret = system(nt);
+
+ if(ret == 0)
return(1);
-
- return(0);
+
+ else if(ret == 1)
+ {
+ return(0);
+ }
+
+ return(1);
}
server.sin_port = htons( port );
server.sin_addr.s_addr = htonl(INADDR_ANY);
-
+
/* If we can't bind, it means the port is open */
if(bind(ossock, (struct sockaddr *) &server, sizeof(server)) < 0)
{
{
total_ports_udp[port] = rc;
}
-
- close(ossock);
- return(rc);
+ close(ossock);
+
+ return(rc);
}
if(run_netstat(proto, i))
{
continue;
-
+
#ifdef OSSECHIDS
sleep(2);
#endif
snprintf(op_msg, OS_SIZE_1024, "Port '%d'(%s) hidden. "
"Kernel-level rootkit or trojaned "
- "version of netstat.", i,
+ "version of netstat.", i,
(proto == IPPROTO_UDP)? "udp" : "tcp");
notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
total_ports_udp[i] = 0;
i++;
}
-
- /* Trsting TCP ports */
+
+ /* Trsting TCP ports */
test_ports(IPPROTO_TCP, &_errors, &_total);
/* Testing UDP ports */
" Analyzed %d ports.", _total);
notify_rk(ALERT_OK, op_msg);
}
-
+
return;
}
projects / ossec-hids.git / blobdiff