-/* @(#) $Id: check_rc_sys.c,v 1.42 2009/09/29 19:52:25 dcid Exp $ */
+/* @(#) $Id: ./src/rootcheck/check_rc_sys.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 3) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
-#include "shared.h"
+#include "shared.h"
#include "rootcheck.h"
int _sys_errors;
int read_sys_file(char *file_name, int do_read)
{
struct stat statbuf;
-
+
_sys_total++;
#endif
return(-1);
}
-
+
/* If directory, read the directory */
else if(S_ISDIR(statbuf.st_mode))
{
}
}
}
-
-
+
+
/* If has OTHER write and exec permission, alert */
#ifndef WIN32
- if(((statbuf.st_mode & S_IWOTH) == S_IWOTH) &&
+ if(((statbuf.st_mode & S_IWOTH) == S_IWOTH) &&
(S_ISREG(statbuf.st_mode)))
{
if((statbuf.st_mode & S_IXUSR) == S_IXUSR)
{
if(_wx)
fprintf(_wx, "%s\n",file_name);
-
- _sys_errors++;
+
+ _sys_errors++;
}
else
{
unsigned int entry_count = 0;
int did_changed = 0;
DIR *dp;
-
+
struct dirent *entry;
struct stat statbuf;
-
+
#ifndef WIN32
char *(dirs_to_doread[]) = { "/bin", "/sbin", "/usr/bin",
- "/usr/sbin", "/dev", "/etc",
+ "/usr/sbin", "/dev", "/etc",
"/boot", NULL };
#endif
-
+
if((dir_name == NULL)||(strlen(dir_name) > PATH_MAX))
{
merror("%s: Invalid directory given.",ARGV0);
i = 0;
}
-
-
+
+
/* Getting the number of nodes. The total number on opendir
* must be the same
*/
{
return(-1);
}
-
-
+
+
/* Currently device id */
if(did != statbuf.st_dev)
{
did_changed = 1;
did = statbuf.st_dev;
}
-
-
+
+
if(!S_ISDIR(statbuf.st_mode))
{
return(-1);
}
-
+
#ifndef WIN32
/* Check if the do_read is valid for this directory */
#else
do_read = 0;
#endif
-
-
+
+
/* Opening the directory given */
dp = opendir(dir_name);
if(!dp)
{
if((strcmp(dir_name, "") == 0)&&
- (dp = opendir("/")))
+ (dp = opendir("/")))
{
/* ok */
}
/* Just ignore . and .. */
if((strcmp(entry->d_name,".") == 0) ||
- (strcmp(entry->d_name,"..") == 0))
+ (strcmp(entry->d_name,"..") == 0))
{
entry_count++;
continue;
#ifndef Darwin
if(S_ISDIR(statbuf_local.st_mode))
#else
- if(S_ISDIR(statbuf_local.st_mode) ||
+ if(S_ISDIR(statbuf_local.st_mode) ||
S_ISREG(statbuf_local.st_mode) ||
S_ISLNK(statbuf_local.st_mode))
#endif
}
}
-
+
/* Checking every file against the rootkit database */
for(i = 0; i<= rk_sys_count; i++)
{
/* Entry count for directory different than the actual
* link count from stats.
*/
- if((entry_count != statbuf.st_nlink) &&
+ if((entry_count != statbuf.st_nlink) &&
((did_changed == 0) || ((entry_count + 1) != statbuf.st_nlink)))
{
#ifndef WIN32
struct stat statbuf2;
char op_msg[OS_SIZE_1024 +1];
-
- if((lstat(dir_name, &statbuf2) == 0) &&
+
+ if((lstat(dir_name, &statbuf2) == 0) &&
(statbuf2.st_nlink != entry_count))
{
snprintf(op_msg, OS_SIZE_1024, "Files hidden inside directory "
notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
_sys_errors++;
}
- #elif Darwin
+ #elif Darwin || FreeBSD
if(strncmp(dir_name, "/dev", strlen("/dev")) != 0)
{
notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
_sys_errors++;
- }
+ }
#else
notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
#endif
}
-
+
closedir(dp);
-
+
return(0);
}
_sys_errors = 0;
_sys_total = 0;
did = 0; /* device id */
-
+
snprintf(file_path, OS_SIZE_1024, "%s", basedir);
}
-
+
/* Scan the whole file system -- may be slow */
- if(rootcheck.scanall)
+ if(rootcheck.scanall)
{
#ifndef WIN32
snprintf(file_path, 3, "%s", "/");
read_sys_dir(file_path, rootcheck.readall);
}
-
+
/* Scan only specific directories */
else
{
int _i = 0;
-
+
#ifndef WIN32
char *(dirs_to_scan[]) = {"/bin", "/sbin", "/usr/bin",
"/usr/sbin", "/dev", "/lib",
"/etc", "/root", "/var/log",
"/var/mail", "/var/lib", "/var/www",
"/usr/lib", "/usr/include",
- "/tmp", "/boot", "/usr/local",
+ "/tmp", "/boot", "/usr/local",
"/var/tmp", "/sys", NULL};
#else
char *(dirs_to_scan[]) = {"C:\\WINDOWS", "C:\\Program Files", NULL};
#endif
-
+
for(_i = 0; _i <= 24; _i++)
{
if(dirs_to_scan[_i] == NULL)
break;
-
- #ifndef WIN32
- snprintf(file_path, OS_SIZE_1024, "%s%s",
- basedir,
+
+ #ifndef WIN32
+ snprintf(file_path, OS_SIZE_1024, "%s%s",
+ basedir,
dirs_to_scan[_i]);
read_sys_dir(file_path, rootcheck.readall);
#else
read_sys_dir(dirs_to_scan[_i], rootcheck.readall);
#endif
-
+
}
}
-
+
if(_sys_errors == 0)
{
char op_msg[OS_SIZE_1024 +1];
char op_msg[OS_SIZE_1024 +1];
snprintf(op_msg, OS_SIZE_1024, "Check the following files for more "
"information:\n%s%s%s",
- (ftell(_wx) == 0)?"":
+ (ftell(_wx) == 0)?"":
" rootcheck-rw-rw-rw-.txt (list of world writable files)\n",
(ftell(_ww) == 0)?"":
" rootcheck-rwxrwxrwx.txt (list of world writtable/executable files)\n",
- (ftell(_suid) == 0)?"":
+ (ftell(_suid) == 0)?"":
" rootcheck-suid-files.txt (list of suid files)");
-
- notify_rk(ALERT_SYSTEM_ERROR, op_msg);
+
+ notify_rk(ALERT_SYSTEM_ERR, op_msg);
}
if(_wx)
unlink("rootcheck-rw-rw-rw-.txt");
fclose(_wx);
}
-
+
if(_ww)
{
if(ftell(_ww) == 0)
unlink("rootcheck-rwxrwxrwx.txt");
fclose(_ww);
}
-
+
if(_suid)
{
if(ftell(_suid) == 0)
unlink("rootcheck-suid-files.txt");
- fclose(_suid);
+ fclose(_suid);
}
-
+
return;
}
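Review bot: The `ftell(_wx)`, `ftell(_ww)` and `ftell(_suid)` calls that build `op_msg` just before `notify_rk(ALERT_SYSTEM_ERR, op_msg)` run unconditionally, yet the code elsewhere in this file treats those FILE pointers as nullable (`if(_wx)` before the `fprintf` in read_sys_file and `if(_wx)`/`if(_ww)`/`if(_suid)` before each `fclose`), so when the report files failed to open this path dereferences NULL. Guard each ternary the same way, e.g. `(!_wx || ftell(_wx) == 0) ? "" :` and likewise for `_ww` and `_suid`. Separately, the new `#elif Darwin || FreeBSD` only selects the branch if the build defines those macros to a nonzero value; `#elif defined(Darwin) || defined(FreeBSD)` is the conventional test and does not depend on how they are defined. The enclosing function begins outside the hunk.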