1 /* @(#) $Id: check_rc_sys.c,v 1.42 2009/09/29 19:52:25 dcid Exp $ */
3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is a free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 3) as published by the FSF - Free Software
14 #include "rootcheck.h"
25 int read_sys_dir(char *dir_name, int do_read);
27 int read_sys_file(char *file_name, int do_read)
35 /* Check for NTFS ADS on Windows */
36 os_check_ads(file_name);
40 if(lstat(file_name, &statbuf) < 0)
43 char op_msg[OS_SIZE_1024 +1];
44 snprintf(op_msg, OS_SIZE_1024, "Anomaly detected in file '%s'. "
45 "Hidden from stats, but showing up on readdir. "
46 "Possible kernel level rootkit.",
48 notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
55 /* If directory, read the directory */
56 else if(S_ISDIR(statbuf.st_mode))
58 /* Making Darwin happy. for some reason,
59 * when I read /dev/fd, it goes forever on
60 * /dev/fd5, /dev/fd6, etc.. weird
62 if(strstr(file_name, "/dev/fd") != NULL)
65 /* Ignoring /proc directory (it has the size 0). */
66 if(statbuf.st_size == 0)
69 return(read_sys_dir(file_name, do_read));
72 /* Check if the size from stats is the same as when we
75 if(S_ISREG(statbuf.st_mode) && do_read)
77 char buf[OS_SIZE_1024];
80 unsigned long int total = 0;
82 fd = open(file_name, O_RDONLY, 0);
84 /* It may not necessarily open */
87 while ((nr = read(fd, buf, sizeof(buf))) > 0)
93 if(strcmp(file_name, "/dev/bus/usb/.usbfs/devices") == 0)
95 /* Ignore .usbfs/devices. */
98 else if(total != statbuf.st_size)
100 struct stat statbuf2;
102 if((lstat(file_name, &statbuf2) == 0) &&
103 (total != statbuf2.st_size) &&
104 (statbuf.st_size == statbuf2.st_size))
106 char op_msg[OS_SIZE_1024 +1];
107 snprintf(op_msg, OS_SIZE_1024, "Anomaly detected in file "
108 "'%s'. File size doesn't match what we found. "
109 "Possible kernel level rootkit.",
111 notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
119 /* If has OTHER write and exec permission, alert */
121 if(((statbuf.st_mode & S_IWOTH) == S_IWOTH) &&
122 (S_ISREG(statbuf.st_mode)))
124 if((statbuf.st_mode & S_IXUSR) == S_IXUSR)
127 fprintf(_wx, "%s\n",file_name);
134 fprintf(_ww, "%s\n", file_name);
137 if(statbuf.st_uid == 0)
139 char op_msg[OS_SIZE_1024 +1];
141 snprintf(op_msg, OS_SIZE_1024, "File '%s' is owned by root "
142 "and has written permissions to anyone.",
145 snprintf(op_msg, OS_SIZE_1024, "File '%s' is: \n"
146 " - owned by root,\n"
147 " - has written permissions to anyone.",
150 notify_rk(ALERT_SYSTEM_CRIT, op_msg);
156 else if((statbuf.st_mode & S_ISUID) == S_ISUID)
159 fprintf(_suid,"%s\n", file_name);
169 int read_sys_dir(char *dir_name, int do_read)
172 unsigned int entry_count = 0;
176 struct dirent *entry;
180 char *(dirs_to_doread[]) = { "/bin", "/sbin", "/usr/bin",
181 "/usr/sbin", "/dev", "/etc",
185 if((dir_name == NULL)||(strlen(dir_name) > PATH_MAX))
187 merror("%s: Invalid directory given.",ARGV0);
192 /* Ignoring user-supplied list. */
195 while(rootcheck.ignore[i])
197 if(strcmp(dir_name, rootcheck.ignore[i]) == 0)
208 /* Getting the number of nodes. The total number on opendir
211 if(lstat(dir_name, &statbuf) < 0)
217 /* Currently device id */
218 if(did != statbuf.st_dev)
222 did = statbuf.st_dev;
226 if(!S_ISDIR(statbuf.st_mode))
233 /* Check if the do_read is valid for this directory */
234 while(dirs_to_doread[i])
236 if(strcmp(dir_name, dirs_to_doread[i]) == 0)
248 /* Opening the directory given */
249 dp = opendir(dir_name);
252 if((strcmp(dir_name, "") == 0)&&
264 /* Reading every entry in the directory */
265 while((entry = readdir(dp)) != NULL)
267 char f_name[PATH_MAX +2];
268 struct stat statbuf_local;
270 /* Just ignore . and .. */
271 if((strcmp(entry->d_name,".") == 0) ||
272 (strcmp(entry->d_name,"..") == 0))
278 /* Creating new file + path string */
279 if(strcmp(dir_name, "/") == 0)
281 snprintf(f_name, PATH_MAX +1, "/%s", entry->d_name);
285 snprintf(f_name, PATH_MAX +1, "%s/%s",dir_name, entry->d_name);
288 /* Checking if file is a directory */
289 if(lstat(f_name, &statbuf_local) == 0)
291 /* On all the systems, except darwin, the
292 * link count is only increased on directories.
295 if(S_ISDIR(statbuf_local.st_mode))
297 if(S_ISDIR(statbuf_local.st_mode) ||
298 S_ISREG(statbuf_local.st_mode) ||
299 S_ISLNK(statbuf_local.st_mode))
307 /* Checking every file against the rootkit database */
308 for(i = 0; i<= rk_sys_count; i++)
313 if(strcmp(rk_sys_file[i], entry->d_name) == 0)
315 char op_msg[OS_SIZE_1024 +1];
318 snprintf(op_msg, OS_SIZE_1024, "Rootkit '%s' detected "
319 "by the presence of file '%s/%s'.",
320 rk_sys_name[i], dir_name, rk_sys_file[i]);
322 notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
327 if((strcmp(f_name, "/proc") == 0) || (strcmp(f_name, "/sys") == 0))
330 read_sys_file(f_name, do_read);
333 /* Entry count for directory different than the actual
334 * link count from stats.
336 if((entry_count != statbuf.st_nlink) &&
337 ((did_changed == 0) || ((entry_count + 1) != statbuf.st_nlink)))
340 struct stat statbuf2;
341 char op_msg[OS_SIZE_1024 +1];
344 if((lstat(dir_name, &statbuf2) == 0) &&
345 (statbuf2.st_nlink != entry_count))
347 snprintf(op_msg, OS_SIZE_1024, "Files hidden inside directory "
348 "'%s'. Link count does not match number of files "
350 dir_name, entry_count, (int)statbuf.st_nlink);
352 /* Solaris /boot is terrible :) */
354 if(strncmp(dir_name, "/boot", strlen("/boot")) != 0)
356 notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
360 if(strncmp(dir_name, "/dev", strlen("/dev")) != 0)
362 notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
366 notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
381 /* check_rc_sys: v0.1
382 * Scan the whole filesystem looking for possible issues
384 void check_rc_sys(char *basedir)
386 char file_path[OS_SIZE_1024 +1];
388 debug1("%s: DEBUG: Starting on check_rc_sys", ARGV0);
392 did = 0; /* device id */
394 snprintf(file_path, OS_SIZE_1024, "%s", basedir);
397 /* Opening output files */
398 if(rootcheck.notify != QUEUE)
400 _wx = fopen("rootcheck-rw-rw-rw-.txt", "w");
401 _ww = fopen("rootcheck-rwxrwxrwx.txt", "w");
402 _suid=fopen("rootcheck-suid-files.txt", "w");
413 /* Scan the whole file system -- may be slow */
414 if(rootcheck.scanall)
417 snprintf(file_path, 3, "%s", "/");
420 read_sys_dir(file_path, rootcheck.readall);
424 /* Scan only specific directories */
430 char *(dirs_to_scan[]) = {"/bin", "/sbin", "/usr/bin",
431 "/usr/sbin", "/dev", "/lib",
432 "/etc", "/root", "/var/log",
433 "/var/mail", "/var/lib", "/var/www",
434 "/usr/lib", "/usr/include",
435 "/tmp", "/boot", "/usr/local",
436 "/var/tmp", "/sys", NULL};
439 char *(dirs_to_scan[]) = {"C:\\WINDOWS", "C:\\Program Files", NULL};
442 for(_i = 0; _i <= 24; _i++)
444 if(dirs_to_scan[_i] == NULL)
448 snprintf(file_path, OS_SIZE_1024, "%s%s",
451 read_sys_dir(file_path, rootcheck.readall);
454 read_sys_dir(dirs_to_scan[_i], rootcheck.readall);
462 char op_msg[OS_SIZE_1024 +1];
463 snprintf(op_msg, OS_SIZE_1024, "No problem found on the system."
464 " Analyzed %d files.", _sys_total);
465 notify_rk(ALERT_OK, op_msg);
468 else if(_wx && _ww && _suid)
470 char op_msg[OS_SIZE_1024 +1];
471 snprintf(op_msg, OS_SIZE_1024, "Check the following files for more "
472 "information:\n%s%s%s",
473 (ftell(_wx) == 0)?"":
474 " rootcheck-rw-rw-rw-.txt (list of world writable files)\n",
475 (ftell(_ww) == 0)?"":
476 " rootcheck-rwxrwxrwx.txt (list of world writtable/executable files)\n",
477 (ftell(_suid) == 0)?"":
478 " rootcheck-suid-files.txt (list of suid files)");
480 notify_rk(ALERT_SYSTEM_ERROR, op_msg);
486 unlink("rootcheck-rw-rw-rw-.txt");
493 unlink("rootcheck-rwxrwxrwx.txt");
499 if(ftell(_suid) == 0)
500 unlink("rootcheck-suid-files.txt");