X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Frootcheck%2Fcheck_rc_pids.c;h=bd06f2d66904e97932b60c43fe98014783d3c61e;hp=a2868e33cf88516a6d1f9f27fbc1e90e3dcfb330;hb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;hpb=301048b51990573e58a30dc4a5bb4ec285cad554
diff --git a/src/rootcheck/check_rc_pids.c b/src/rootcheck/check_rc_pids.c
index a2868e3..bd06f2d 100755
--- a/src/rootcheck/check_rc_pids.c
+++ b/src/rootcheck/check_rc_pids.c
@@ -1,4 +1,5 @@
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/check_rc_pids.c, 2011/09/08 dcid Exp $
+ */
 /* Copyright (C) 2009 Trend Micro Inc.
 * All right reserved.
@@ -26,7 +27,7 @@ int proc_read(int pid)
 if(noproc)
 return(0);
-
+
 snprintf(dir, OS_SIZE_1024, "%d", pid);
 if(isfile_ondir(dir, "/proc"))
 {
@@ -47,15 +48,15 @@ int proc_chdir(int pid)
 if(noproc)
 return(0);
-
+
 if(!getcwd(curr_dir, OS_SIZE_1024))
 {
 return(0);
 }
-
+
 if(chdir("/proc") == -1)
- return(0);
-
+ return(0);
+
 snprintf(dir, OS_SIZE_1024, "/proc/%d", pid);
 if(chdir(dir) == 0)
 {
@@ -64,8 +65,8 @@ int proc_chdir(int pid)
 /* Returning to the previous directory */
 chdir(curr_dir);
-
- return(ret);
+
+ return(ret);
 }
@@ -75,12 +76,12 @@ int proc_chdir(int pid)
 int proc_stat(int pid)
 {
 char proc_dir[OS_SIZE_1024 + 1];
-
+
 if(noproc)
 return(0);
-
+
 snprintf(proc_dir, OS_SIZE_1024, "%s/%d", "/proc", pid);
-
+
 if(is_file(proc_dir))
 {
 return(1);
@@ -105,21 +106,21 @@ void loop_all_pids(char *ps, pid_t max_pid, int *_errors, int *_total)
 int _proc_stat = 0;
 int _proc_read = 0;
 int _proc_chdir = 0;
-
+
 pid_t i = 1;
 pid_t my_pid;
 char command[OS_SIZE_1024 +1];
 my_pid = getpid();
-
+
 for(;;i++)
 {
 if((i <= 0)||(i > max_pid))
 break;
 (*_total)++;
-
+
 _kill0 = 0;
 _kill1 = 0;
 _gsid0 = 0;
@@ -130,15 +131,15 @@ void loop_all_pids(char *ps, pid_t max_pid, int *_errors, int *_total)
 _proc_stat = 0;
 _proc_read = 0;
 _proc_chdir = 0;
-
+
 /* kill test */
 if(!((kill(i, 0) == -1)&&(errno == ESRCH)))
 {
 _kill0 = 1;
 }
-
- /* getsid to test */
+
+ /* getsid to test */
 if(!((getsid(i) == -1)&&(errno == ESRCH)))
 {
 _gsid0 = 1;
@@ -149,20 +150,20 @@ void loop_all_pids(char *ps, pid_t max_pid, int *_errors, int *_total)
 {
 _gpid0 = 1;
 }
-
+
 /* proc stat */
 _proc_stat = proc_stat(i);
-
+
 /* proc readdir */
 _proc_read = proc_read(i);
 /* proc chdir */
- _proc_chdir = proc_chdir(i);
-
-
+ _proc_chdir = proc_chdir(i);
+
+
 /* IF PID does not exist, keep going */
- if(!_kill0 && !_gsid0 && !_gpid0 &&
+ if(!_kill0 && !_gsid0 && !_gpid0 &&
 !_proc_stat && !_proc_read && !_proc_chdir)
 {
 continue;
@@ -173,8 +174,8 @@ void loop_all_pids(char *ps, pid_t max_pid, int *_errors, int *_total)
 {
 continue;
 }
-
- /* Checking the number of errors */
+
+ /* Checking the number of errors */
 if((*_errors) > 15)
 {
 char op_msg[OS_SIZE_1024 +1];
@@ -184,13 +185,13 @@ void loop_all_pids(char *ps, pid_t max_pid, int *_errors, int *_total)
 notify_rk(ALERT_SYSTEM_CRIT, op_msg);
 return;
 }
-
-
+
+
 /* checking if process appears on ps */
 if(*ps)
 {
- snprintf(command, OS_SIZE_1024, "%s -p %d > /dev/null 2>&1",
- ps,
+ snprintf(command, OS_SIZE_1024, "%s -p %d > /dev/null 2>&1",
+ ps,
 (int)i);
 /* Found PID on ps */
@@ -198,20 +199,20 @@ void loop_all_pids(char *ps, pid_t max_pid, int *_errors, int *_total)
 if(system(command) == 0)
 _ps0 = 1;
 }
-
+
 /* If we are being run by the ossec hids, sleep here (no rush) */
 #ifdef OSSECHIDS
 sleep(2);
 #endif
-
+
 /* Everyone returned ok */
 if(_ps0 && _kill0 && _gsid0 && _gpid0 && _proc_stat && _proc_read)
 {
 continue;
 }
-
-
-
+
+
+
 /* If our kill or getsid system call, got the
 * PID , but ps didn't, we need to find if it was a problem
 * with a PID being deleted (not used anymore)
@@ -221,7 +222,7 @@ void loop_all_pids(char *ps, pid_t max_pid, int *_errors, int *_total)
 {
 _gsid1 = 1;
 }
-
+
 if(!((kill(i, 0) == -1)&&(errno == ESRCH)))
 {
 _kill1 = 1;
@@ -231,14 +232,14 @@ void loop_all_pids(char *ps, pid_t max_pid, int *_errors, int *_total)
 {
 _gpid1 = 1;
 }
-
+
 _proc_stat = proc_stat(i);
-
+
 _proc_read = proc_read(i);
 _proc_chdir = proc_chdir(i);
-
+
 /* If it matches, process was terminated */
 if(!_gsid1 &&!_kill1 &&!_gpid1 &&!_proc_stat && !_proc_read &&!_proc_chdir)
@@ -246,14 +247,14 @@ void loop_all_pids(char *ps, pid_t max_pid, int *_errors, int *_total)
 continue;
 }
 }
-
+
 #ifdef AIX
 /* Ignoring AIX wait and sched programs. */
 if((_gsid0 == _gsid1) &&
 (_kill0 == _kill1) &&
 (_gpid0 == _gpid1) &&
- (_ps0 == 1) &&
- (_gsid0 == 1) &&
+ (_ps0 == 1) &&
+ (_gsid0 == 1) &&
 (_kill0 == 0))
 {
 /* The wait and sched programs do not respond to kill 0.
@@ -266,7 +267,7 @@ void loop_all_pids(char *ps, pid_t max_pid, int *_errors, int *_total)
 }
 #endif
-
+
 if((_gsid0 == _gsid1)&&
 (_kill0 == _kill1)&&
 (_gsid0 != _kill0))
@@ -325,8 +326,8 @@ void loop_all_pids(char *ps, pid_t max_pid, int *_errors, int *_total)
 snprintf(op_msg, OS_SIZE_1024, "Process '%d' hidden from "
 "ps. Possible trojaned version installed.", (int)i);
-
- notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
+
+ notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
 (*_errors)++;
 }
 }
@@ -341,16 +342,16 @@ void check_rc_pids()
 {
 int _total = 0;
 int _errors = 0;
-
+
 char ps[OS_SIZE_1024 +1];
-
+
 char proc_0[] = "/proc";
 char proc_1[] = "/proc/1";
 pid_t max_pid = MAX_PID;
 noproc = 1;
-
+
 /* Checking where ps is */
 memset(ps, '\0', OS_SIZE_1024 +1);
 strncpy(ps, "/bin/ps", OS_SIZE_1024);
@@ -360,14 +361,14 @@ void check_rc_pids()
 if(!is_file(ps))
 ps[0] = '\0';
 }
-
-
+
+
 /* Proc is mounted */
 if(is_file(proc_0) && is_file(proc_1))
 {
 noproc = 0;
 }
-
+
 loop_all_pids(ps, max_pid, &_errors, &_total);
 if(_errors == 0)
@@ -378,7 +379,7 @@ void check_rc_pids()
 "Analyzed %d processes.", ps, _total);
 notify_rk(ALERT_OK, op_msg);
 }
-
+
 return;
 }