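/* Hidden-port count beyond which the scan is abandoned with a single
 * critical alert instead of one alert per port. */
enum { RK_MAX_HIDDEN_PORTS = 20 };

/* Label for the protocol number as it appears in alert messages. */
static const char *rk_proto_name(int proto)
{
    return (proto == IPPROTO_UDP) ? "udp" : "tcp";
}

/* Scan every port (0..65535) of the given protocol for ports that the
 * socket probe says are in use but that netstat does not list.
 *
 * proto:   IPPROTO_TCP or IPPROTO_UDP; passed through to conn_port() and
 *          run_netstat().
 * _errors: incremented once per hidden port found; also read to decide
 *          whether to abort the scan.
 * _total:  incremented once per port examined.
 *
 * Every hidden port is reported through notify_rk() with
 * ALERT_ROOTKIT_FOUND.  Once *_errors exceeds RK_MAX_HIDDEN_PORTS an
 * ALERT_SYSTEM_CRIT is raised and the function returns early.
 */
void test_ports(int proto, int *_errors, int *_total)
{
    int i;

    for (i = 0; i <= 65535; i++)
    {
        (*_total)++;

        if (conn_port(proto, i))
        {
            /* Checking if we can find it using netstat, if not,
             * check again to see if the port is still being used.
             * (The original had an unreachable sleep() after this
             * continue; it has been dropped.)
             */
            if (run_netstat(proto, i))
            {
                continue;
            }

            /* If we are being run by the ossec hids, sleep here (no rush) */
#ifdef OSSECHIDS
            sleep(2);
#endif

            /* Re-check both sides: a port released between the two probes
             * is a race, not a hidden port. */
            if (!run_netstat(proto, i) && conn_port(proto, i))
            {
                char op_msg[OS_SIZE_1024 + 1];

                (*_errors)++;

                snprintf(op_msg, OS_SIZE_1024, "Port '%d'(%s) hidden. "
                         "Kernel-level rootkit or trojaned "
                         "version of netstat.", i, rk_proto_name(proto));
                notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
            }
        }

        /* Checked on every iteration so a caller-supplied count that is
         * already past the limit also stops the scan. */
        if ((*_errors) > RK_MAX_HIDDEN_PORTS)
        {
            char op_msg[OS_SIZE_1024 + 1];

            snprintf(op_msg, OS_SIZE_1024, "Excessive number of '%s' ports "
                     "hidden. It maybe a false-positive or "
                     "something really bad is going on.",
                     rk_proto_name(proto));
            notify_rk(ALERT_SYSTEM_CRIT, op_msg);
            return;
        }
    }
}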
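# ifdef INET6
/*
 * NAME:	conn->resolve6()
 * DESCRIPTION:	fill in the IPv6 address for a host name or address literal.
 *		Returns TRUE if addr was set.  Only the in6_addr is written,
 *		never the enclosing sockaddr_in6 (the old code passed &sin6 to
 *		inet_pton, which overwrote sin6_family/sin6_port).
 */
static bool conn_resolve6(char *hostname, struct in6_addr *addr)
{
    struct hostent *host;
    bool found;

    if (inet_pton(AF_INET6, hostname, addr) > 0) {
	return TRUE;
    }

    found = FALSE;
# ifdef AI_DEFAULT
    {
	int err;

	host = getipnodebyname(hostname, AF_INET6, 0, &err);
	if (host != (struct hostent *) NULL) {
	    /* only accept an address of the size we are about to copy */
	    if (host->h_length == (int) sizeof(*addr)) {
		memcpy(addr, host->h_addr, sizeof(*addr));
		found = TRUE;
	    }
	    freehostent(host);
	}
    }
# else
    host = gethostbyname2(hostname, AF_INET6);
    if (host != (struct hostent *) NULL &&
	host->h_length == (int) sizeof(*addr)) {
	memcpy(addr, host->h_addr, sizeof(*addr));
	found = TRUE;
    }
# endif
    return found;
}
# endif

/*
 * NAME:	conn->resolve4()
 * DESCRIPTION:	fill in the IPv4 address for a host name or dotted-quad
 *		literal.  Returns TRUE if addr was set; on failure addr holds
 *		INADDR_NONE.
 */
static bool conn_resolve4(char *hostname, struct in_addr *addr)
{
    struct hostent *host;

    addr->s_addr = inet_addr(hostname);
    if (addr->s_addr != INADDR_NONE) {
	return TRUE;
    }

    host = gethostbyname(hostname);
    if (host != (struct hostent *) NULL &&
	host->h_length == (int) sizeof(*addr)) {
	memcpy(addr, host->h_addr, sizeof(*addr));
	return TRUE;
    }
    return FALSE;
}

/*
 * NAME:	conn->init()
 * DESCRIPTION:	initialize connection handling: reset the descriptor sets,
 *		bind the telnet (stream) and binary (stream + datagram)
 *		listening ports, and build the free list of connections.
 *		thosts/bhosts entries may be NULL, meaning "any address".
 *		Returns FALSE if ipa_init() fails, a host cannot be resolved
 *		(after printing "unknown host"), or a port cannot be bound.
 */
bool conn_init(int maxusers, char **thosts, char **bhosts, unsigned short *tports, unsigned short *bports, int ntports, int nbports)
{
# ifdef INET6
    struct sockaddr_in6 sin6;
# endif
    struct sockaddr_in sin;
    int n;
    connection *conn;
    bool ipv6, ipv4;

    if (!ipa_init(maxusers)) {
	return FALSE;
    }

#ifdef NETWORK_EXTENSIONS
    addrtype = PF_INET;
#endif
    nusers = 0;
    maxfd = 0;
    FD_ZERO(&infds);
    FD_ZERO(&outfds);
    FD_ZERO(&waitfds);
    FD_SET(in, &infds);
    npackets = 0;
    closed = 0;

#ifndef NETWORK_EXTENSIONS
    /* descriptors start out as -1 (all bytes 0xff) until bound */
    ntdescs = ntports;
    if (ntports != 0) {
	tdescs = ALLOC(portdesc, ntports);
	memset(tdescs, -1, ntports * sizeof(portdesc));
    }
    nbdescs = nbports;
    if (nbports != 0) {
	bdescs = ALLOC(portdesc, nbports);
	memset(bdescs, -1, nbports * sizeof(portdesc));
	udescs = ALLOC(portdesc, nbports);
	memset(udescs, -1, nbports * sizeof(portdesc));
    }
#endif

    /* the family is set once; resolution only touches the address part */
# ifdef INET6
    memset(&sin6, '\0', sizeof(sin6));
    sin6.sin6_family = AF_INET6;
# endif
    memset(&sin, '\0', sizeof(sin));
    sin.sin_family = AF_INET;

    for (n = 0; n < ntdescs; n++) {
	/* telnet ports */
	ipv6 = FALSE;
	ipv4 = FALSE;
	if (thosts[n] == (char *) NULL) {
# ifdef INET6
	    sin6.sin6_addr = in6addr_any;
	    ipv6 = TRUE;
# endif
	    sin.sin_addr.s_addr = INADDR_ANY;
	    ipv4 = TRUE;
	} else {
# ifdef INET6
	    ipv6 = conn_resolve6(thosts[n], &sin6.sin6_addr);
# endif
	    ipv4 = conn_resolve4(thosts[n], &sin.sin_addr);
	}
	if (!ipv6 && !ipv4) {
	    message("unknown host %s\012", thosts[n]);	/* LF */
	    return FALSE;
	}

# ifdef INET6
	if (ipv6 && !conn_port6(&tdescs[n].in6, SOCK_STREAM, &sin6, tports[n])) {
	    return FALSE;
	}
# endif
	if (ipv4 && !conn_port(&tdescs[n].in4, SOCK_STREAM, &sin, tports[n])) {
	    return FALSE;
	}
    }

    for (n = 0; n < nbdescs; n++) {
	/* binary ports: one stream and one datagram socket per address */
	ipv6 = FALSE;
	ipv4 = FALSE;
	if (bhosts[n] == (char *) NULL) {
# ifdef INET6
	    sin6.sin6_addr = in6addr_any;
	    ipv6 = TRUE;
# endif
	    sin.sin_addr.s_addr = INADDR_ANY;
	    ipv4 = TRUE;
	} else {
# ifdef INET6
	    ipv6 = conn_resolve6(bhosts[n], &sin6.sin6_addr);
# endif
	    ipv4 = conn_resolve4(bhosts[n], &sin.sin_addr);
	}
	if (!ipv6 && !ipv4) {
	    message("unknown host %s\012", bhosts[n]);	/* LF */
	    return FALSE;
	}

# ifdef INET6
	if (ipv6) {
	    if (!conn_port6(&bdescs[n].in6, SOCK_STREAM, &sin6, bports[n])) {
		return FALSE;
	    }
	    if (!conn_port6(&udescs[n].in6, SOCK_DGRAM, &sin6, bports[n])) {
		return FALSE;
	    }
	}
# endif
	if (ipv4) {
	    if (!conn_port(&bdescs[n].in4, SOCK_STREAM, &sin, bports[n])) {
		return FALSE;
	    }
	    if (!conn_port(&udescs[n].in4, SOCK_DGRAM, &sin, bports[n])) {
		return FALSE;
	    }
	}
    }

    /* thread every connection onto the free list, fd = -1 marks unused */
    flist = (connection *) NULL;
#ifndef NETWORK_EXTENSIONS
    connections = ALLOC(connection, nusers = maxusers);
#else
    connections = ALLOC(connection, nusers = maxusers+1);
#endif
    for (n = nusers, conn = connections; n > 0; --n, conn++) {
	conn->fd = -1;
	conn->chain.next = (hte *) flist;
	flist = conn;
    }

#ifndef NETWORK_EXTENSIONS
    udphtab = ALLOC(connection*, udphtabsz = maxusers);
    memset(udphtab, '\0', udphtabsz * sizeof(connection*));
    chtab = ht_new(maxusers, UDPHASHSZ, TRUE);
#endif

    return TRUE;
}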