1 /* @(#) $Id: ./src/rootcheck/check_rc_ports.c, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
17 #include "rootcheck.h"
20 #if defined(sun) || defined(__sun__)
21 #define NETSTAT "netstat -an -P %s | "\
22 "grep \"[^0-9]%d \" > /dev/null 2>&1"
26 #define NETSTAT "netstat -an -p %s | "\
31 #define NETSTAT_LIST "netstat -an | grep \"^%s\" | "\
32 "cut -d ':' -f 2 | cut -d ' ' -f 1"
33 #define NETSTAT "netstat -an | grep \"^%s\" | " \
34 "grep \"[^0-9]%d \" > /dev/null 2>&1"
38 #define NETSTAT "netstat -an | grep \"^%s\" | " \
39 "grep \"[^0-9]%d \" > /dev/null 2>&1"
43 int run_netstat(int proto, int port)
46 char nt[OS_SIZE_1024 +1];
48 if(proto == IPPROTO_TCP)
49 snprintf(nt, OS_SIZE_1024, NETSTAT, "tcp", port);
50 else if(proto == IPPROTO_UDP)
51 snprintf(nt, OS_SIZE_1024, NETSTAT, "udp", port);
54 merror("%s: Netstat error (wrong protocol)", ARGV0);
72 int conn_port(int proto, int port)
76 struct sockaddr_in server;
78 if(proto == IPPROTO_UDP)
80 if((ossock = socket(PF_INET,SOCK_DGRAM,IPPROTO_UDP)) < 0)
83 else if(proto == IPPROTO_TCP)
85 if((ossock = socket(PF_INET,SOCK_STREAM,IPPROTO_TCP)) < 0)
93 memset(&server, 0, sizeof(server));
94 server.sin_family = AF_INET;
95 server.sin_port = htons( port );
96 server.sin_addr.s_addr = htonl(INADDR_ANY);
99 /* If we can't bind, it means the port is open */
100 if(bind(ossock, (struct sockaddr *) &server, sizeof(server)) < 0)
105 /* Setting if port is open or closed */
106 if(proto == IPPROTO_TCP)
108 total_ports_tcp[port] = rc;
112 total_ports_udp[port] = rc;
121 void test_ports(int proto, int *_errors, int *_total)
125 for(i = 0; i<= 65535; i++)
128 if(conn_port(proto, i))
130 /* Checking if we can find it using netstat, if not,
131 * check again to see if the port is still being used.
133 if(run_netstat(proto, i))
142 /* If we are being run by the ossec hids, sleep here (no rush) */
147 if(!run_netstat(proto, i) && conn_port(proto, i))
149 char op_msg[OS_SIZE_1024 +1];
153 snprintf(op_msg, OS_SIZE_1024, "Port '%d'(%s) hidden. "
154 "Kernel-level rootkit or trojaned "
155 "version of netstat.", i,
156 (proto == IPPROTO_UDP)? "udp" : "tcp");
158 notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
164 char op_msg[OS_SIZE_1024 +1];
165 snprintf(op_msg, OS_SIZE_1024, "Excessive number of '%s' ports "
166 "hidden. It maybe a false-positive or "
167 "something really bad is going on.",
168 (proto == IPPROTO_UDP)? "udp" : "tcp" );
169 notify_rk(ALERT_SYSTEM_CRIT, op_msg);
177 /* check_rc_ports: v0.1
180 void check_rc_ports()
189 total_ports_tcp[i] = 0;
190 total_ports_udp[i] = 0;
194 /* Trsting TCP ports */
195 test_ports(IPPROTO_TCP, &_errors, &_total);
197 /* Testing UDP ports */
198 test_ports(IPPROTO_UDP, &_errors, &_total);
202 char op_msg[OS_SIZE_1024 +1];
203 snprintf(op_msg,OS_SIZE_1024,"No kernel-level rootkit hiding any port."
204 "\n Netstat is acting correctly."
205 " Analyzed %d ports.", _total);
206 notify_rk(ALERT_OK, op_msg);
214 void check_rc_ports()