1 /* @(#) $Id: ./src/rootcheck/check_rc_ports.c, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
17 #include "rootcheck.h"
20 #if defined(sun) || defined(__sun__)
21 #define NETSTAT "netstat -an -P %s | "\
22 "grep \"[^0-9]%d \" > /dev/null 2>&1"
26 #define NETSTAT "netstat -an -p %s | "\
31 #define NETSTAT_LIST "netstat -an | grep \"^%s\" | "\
32 "cut -d ':' -f 2 | cut -d ' ' -f 1"
33 #define NETSTAT "netstat -an | grep \"^%s\" | " \
34 "grep \"[^0-9]%d \" > /dev/null 2>&1"
38 #define NETSTAT "netstat -an | grep \"^%s\" | " \
39 "grep \"[^0-9]%d \" > /dev/null 2>&1"
43 int run_netstat(int proto, int port)
46 char nt[OS_SIZE_1024 +1];
48 if(proto == IPPROTO_TCP)
49 snprintf(nt, OS_SIZE_1024, NETSTAT, "tcp", port);
50 else if(proto == IPPROTO_UDP)
51 snprintf(nt, OS_SIZE_1024, NETSTAT, "udp", port);
54 merror("%s: Netstat error (wrong protocol)", ARGV0);
72 int conn_port(int proto, int port)
76 struct sockaddr_in server;
78 if(proto == IPPROTO_UDP)
80 if((ossock = socket(PF_INET,SOCK_DGRAM,IPPROTO_UDP)) < 0)
83 else if(proto == IPPROTO_TCP)
85 if((ossock = socket(PF_INET,SOCK_STREAM,IPPROTO_TCP)) < 0)
90 memset(&server, 0, sizeof(server));
91 server.sin_family = AF_INET;
92 server.sin_port = htons( port );
93 server.sin_addr.s_addr = htonl(INADDR_ANY);
96 /* If we can't bind, it means the port is open */
97 if(bind(ossock, (struct sockaddr *) &server, sizeof(server)) < 0)
102 /* Setting if port is open or closed */
103 if(proto == IPPROTO_TCP)
105 total_ports_tcp[port] = rc;
109 total_ports_udp[port] = rc;
118 void test_ports(int proto, int *_errors, int *_total)
122 for(i = 0; i<= 65535; i++)
125 if(conn_port(proto, i))
127 /* Checking if we can find it using netstat, if not,
128 * check again to see if the port is still being used.
130 if(run_netstat(proto, i))
139 /* If we are being run by the ossec hids, sleep here (no rush) */
144 if(!run_netstat(proto, i) && conn_port(proto, i))
146 char op_msg[OS_SIZE_1024 +1];
150 snprintf(op_msg, OS_SIZE_1024, "Port '%d'(%s) hidden. "
151 "Kernel-level rootkit or trojaned "
152 "version of netstat.", i,
153 (proto == IPPROTO_UDP)? "udp" : "tcp");
155 notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
161 char op_msg[OS_SIZE_1024 +1];
162 snprintf(op_msg, OS_SIZE_1024, "Excessive number of '%s' ports "
163 "hidden. It maybe a false-positive or "
164 "something really bad is going on.",
165 (proto == IPPROTO_UDP)? "udp" : "tcp" );
166 notify_rk(ALERT_SYSTEM_CRIT, op_msg);
174 /* check_rc_ports: v0.1
177 void check_rc_ports()
186 total_ports_tcp[i] = 0;
187 total_ports_udp[i] = 0;
191 /* Trsting TCP ports */
192 test_ports(IPPROTO_TCP, &_errors, &_total);
194 /* Testing UDP ports */
195 test_ports(IPPROTO_UDP, &_errors, &_total);
199 char op_msg[OS_SIZE_1024 +1];
200 snprintf(op_msg,OS_SIZE_1024,"No kernel-level rootkit hiding any port."
201 "\n Netstat is acting correctly."
202 " Analyzed %d ports.", _total);
203 notify_rk(ALERT_OK, op_msg);
211 void check_rc_ports()