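/*
 * Probe every port of one protocol and report the ones that look in use
 * but are not listed by netstat, which is the symptom the alert text
 * attributes to a kernel-level rootkit or a trojaned netstat.
 *
 * proto:    IPPROTO_UDP selects the "udp" label, anything else is
 *           reported as "tcp"; the value is also handed to conn_port()
 *           and run_netstat() unchanged.
 * _errors:  running count of hidden ports; incremented here, never reset.
 *           The caller owns it, so a value already above the threshold on
 *           entry makes the "excessive" alert fire on the first port that
 *           reaches the threshold check.
 * _total:   running count of ports probed; incremented once per port.
 *
 * Findings are reported through notify_rk(); there is no return value.
 */
void test_ports(int proto, int *_errors, int *_total)
{
    /* More hidden ports than this is reported once as a system-level
     * condition (possible false positive) and the scan stops. */
    enum { MAX_HIDDEN_PORTS = 20 };
    const char *proto_name = (proto == IPPROTO_UDP) ? "udp" : "tcp";
    int i;

    for (i = 0; i <= 65535; i++) {
        (*_total)++;

        /* A non-zero conn_port() result is treated as "port in use". */
        if (conn_port(proto, i)) {
            /* Listed by netstat as well: nothing is hidden here. */
            if (run_netstat(proto, i)) {
                continue;
            }

            /* If we are being run by the ossec hids, sleep here (no rush) */
#ifdef OSSECHIDS
            sleep(2);
#endif

            /* Re-check both sides so a port that was only transiently
             * open between the two probes is not reported. */
            if (!run_netstat(proto, i) && conn_port(proto, i)) {
                char op_msg[OS_SIZE_1024 + 1];

                (*_errors)++;

                snprintf(op_msg, OS_SIZE_1024, "Port '%d'(%s) hidden. "
                         "Kernel-level rootkit or trojaned "
                         "version of netstat.", i, proto_name);

                notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
            }
        }

        if ((*_errors) > MAX_HIDDEN_PORTS) {
            char op_msg[OS_SIZE_1024 + 1];

            snprintf(op_msg, OS_SIZE_1024, "Excessive number of '%s' ports "
                     "hidden. It maybe a false-positive or "
                     "something really bad is going on.", proto_name);
            notify_rk(ALERT_SYSTEM_CRIT, op_msg);
            return;
        }
    }
}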
ファイル: connect.c プロジェクト: Shea690901/gurbalib
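# ifdef INET6
/*
 * NAME:	conn->resolve6()
 * DESCRIPTION:	store the IPv6 address for a numeric address or host name in
 *		sin6->sin6_addr, leaving the other sockaddr_in6 fields alone.
 *		Returns TRUE if an address was stored.
 */
static bool conn_resolve6(char *name, struct sockaddr_in6 *sin6)
{
    struct hostent *host;
    bool found;
# ifdef AI_DEFAULT
    int err;
# endif

    /*
     * inet_pton() writes a struct in6_addr: it must be pointed at the
     * address member, not at the whole sockaddr_in6, or sin6_family,
     * sin6_port and sin6_flowinfo are overwritten by the first bytes of
     * the address.
     */
    if (inet_pton(AF_INET6, name, &sin6->sin6_addr) > 0) {
	return TRUE;
    }

    found = FALSE;
# ifdef AI_DEFAULT
    host = getipnodebyname(name, AF_INET6, 0, &err);
# else
    host = gethostbyname2(name, AF_INET6);
# endif
    if (host != (struct hostent *) NULL) {
	/* only copy an address that fits the destination exactly */
	if (host->h_length == (int) sizeof(sin6->sin6_addr)) {
	    memcpy(&sin6->sin6_addr, host->h_addr, sizeof(sin6->sin6_addr));
	    found = TRUE;
	}
# ifdef AI_DEFAULT
	freehostent(host);
# endif
    }
    return found;
}
# endif

/*
 * NAME:	conn->resolve4()
 * DESCRIPTION:	store the IPv4 address for a dotted-quad address or host
 *		name in sin->sin_addr.  Returns TRUE if an address was
 *		stored; on failure sin->sin_addr holds INADDR_NONE.
 */
static bool conn_resolve4(char *name, struct sockaddr_in *sin)
{
    struct hostent *host;

    if ((sin->sin_addr.s_addr = inet_addr(name)) != INADDR_NONE) {
	return TRUE;
    }
    host = gethostbyname(name);
    /* only copy an address that fits the destination exactly */
    if (host == (struct hostent *) NULL ||
	host->h_length != (int) sizeof(sin->sin_addr)) {
	return FALSE;
    }
    memcpy(&sin->sin_addr, host->h_addr, sizeof(sin->sin_addr));
    return TRUE;
}

/*
 * NAME:	conn->init()
 * DESCRIPTION:	initialize connection handling: allocate the descriptor
 *		tables, open the telnet and binary listening ports, and set
 *		up the free connection list.
 *		thosts/bhosts hold one listen address per port, or NULL to
 *		listen on every address (INADDR_ANY / in6addr_any).
 *		Returns FALSE if a host is unknown or a port cannot be
 *		opened; ports opened before the failure stay open.
 */
bool conn_init(int maxusers, char **thosts, char **bhosts, 
	unsigned short *tports, unsigned short *bports, int ntports, 
	int nbports)
{
# ifdef INET6
    struct sockaddr_in6 sin6;
# endif
    struct sockaddr_in sin;
    int n;
    connection *conn;
    bool ipv6, ipv4;

    if (!ipa_init(maxusers)) {
	return FALSE;
    }

#ifdef NETWORK_EXTENSIONS
    addrtype = PF_INET;
#endif

    nusers = 0;
    
    maxfd = 0;
    FD_ZERO(&infds);
    FD_ZERO(&outfds);
    FD_ZERO(&waitfds);
    FD_SET(in, &infds);
    npackets = 0;
    closed = 0;

#ifndef NETWORK_EXTENSIONS
    /* descriptor tables start out as all -1 (no socket) */
    ntdescs = ntports;
    if (ntports != 0) {
	tdescs = ALLOC(portdesc, ntports);
	memset(tdescs, -1, ntports * sizeof(portdesc));
    }
    nbdescs = nbports;
    if (nbports != 0) {
	bdescs = ALLOC(portdesc, nbports);
	memset(bdescs, -1, nbports * sizeof(portdesc));
	udescs = ALLOC(portdesc, nbports);
	memset(udescs, -1, nbports * sizeof(portdesc));
    }
#endif

    /* the family is set once; the loops below only change the address */
# ifdef INET6
    memset(&sin6, '\0', sizeof(sin6));
    sin6.sin6_family = AF_INET6;
# endif
    memset(&sin, '\0', sizeof(sin));
    sin.sin_family = AF_INET;

    for (n = 0; n < ntdescs; n++) {
	/* telnet ports */
	ipv6 = FALSE;
	ipv4 = FALSE;
	if (thosts[n] == (char *) NULL) {
	    /* no host given: listen on every address */
# ifdef INET6
	    sin6.sin6_addr = in6addr_any;
	    ipv6 = TRUE;
# endif
	    sin.sin_addr.s_addr = INADDR_ANY;
	    ipv4 = TRUE;
	} else {
# ifdef INET6
	    ipv6 = conn_resolve6(thosts[n], &sin6);
# endif
	    ipv4 = conn_resolve4(thosts[n], &sin);
	}

	if (!ipv6 && !ipv4) {
	    message("unknown host %s\012", thosts[n]);	/* LF */
	    return FALSE;
	}

# ifdef INET6
	if (ipv6 && !conn_port6(&tdescs[n].in6, SOCK_STREAM, &sin6, tports[n]))
	{
	    return FALSE;
	}
# endif
	if (ipv4 && !conn_port(&tdescs[n].in4, SOCK_STREAM, &sin, tports[n])) {
	    return FALSE;
	}
    }

    for (n = 0; n < nbdescs; n++) {
	/* binary ports: one TCP and one UDP socket per port */
	ipv6 = FALSE;
	ipv4 = FALSE;
	if (bhosts[n] == (char *) NULL) {
	    /* no host given: listen on every address */
# ifdef INET6
	    sin6.sin6_addr = in6addr_any;
	    ipv6 = TRUE;
# endif
	    sin.sin_addr.s_addr = INADDR_ANY;
	    ipv4 = TRUE;
	} else {
# ifdef INET6
	    ipv6 = conn_resolve6(bhosts[n], &sin6);
# endif
	    ipv4 = conn_resolve4(bhosts[n], &sin);
	}

	if (!ipv6 && !ipv4) {
	    message("unknown host %s\012", bhosts[n]);	/* LF */
	    return FALSE;
	}

# ifdef INET6
	if (ipv6) {
	    if (!conn_port6(&bdescs[n].in6, SOCK_STREAM, &sin6, bports[n])) {
		return FALSE;
	    }
	    if (!conn_port6(&udescs[n].in6, SOCK_DGRAM, &sin6, bports[n])) {
		return FALSE;
	    }
	}
# endif
	if (ipv4) {
	    if (!conn_port(&bdescs[n].in4, SOCK_STREAM, &sin, bports[n])) {
		return FALSE;
	    }
	    if (!conn_port(&udescs[n].in4, SOCK_DGRAM, &sin, bports[n])) {
		return FALSE;
	    }
	}
    }

    /* build the free list by threading every connection through chain.next */
    flist = (connection *) NULL;
#ifndef NETWORK_EXTENSIONS
    connections = ALLOC(connection, nusers = maxusers);
#else
    connections = ALLOC(connection, nusers = maxusers+1);
#endif
    for (n = nusers, conn = connections; n > 0; --n, conn++) {
	conn->fd = -1;
	conn->chain.next = (hte *) flist;
	flist = conn;
    }

#ifndef NETWORK_EXTENSIONS
    udphtab = ALLOC(connection*, udphtabsz = maxusers);
    memset(udphtab, '\0', udphtabsz * sizeof(connection*));
    chtab = ht_new(maxusers, UDPHASHSZ, TRUE);
#endif

    return TRUE;
}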