
Rootkit Hunter

Tracker: Bugs

FP: MRK - ID: 2314990
Last Update: Comment added ( jhorne )

Warning: Network TCP port 2128 is being used by /usr/bin/sslio. Possible
rootkit: MRK
Use the 'lsof -i' or 'netstat -an' command to check this.

But the connection is from remote port 2128 to local port 993 (imaps).
See:
[root@server01]# lsof -wnl -i TCP:2128
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sslio 4947 451 0u IPv4 29184581 TCP 85.47.151.242:imaps->192.168.1.4:2128 (ESTABLISHED)
sslio 4947 451 1u IPv4 29184581 TCP 85.47.151.242:imaps->192.168.1.4:2128 (ESTABLISHED)


Submitted: Filippo Carletti ( filippocarletti ) - 2008-11-19 14:59
Priority: 5
Status: Closed
Resolution: Fixed
Assigned: John Horne
Category: Detection
Group: None
Visibility: Public


Comments ( 6 )

Date: 2009-06-06 00:20
Sender: jhorne (Project Admin)

Fixed in CVS.

Not too difficult, but it's not really possible to do it all with one
regex. So, it has been split up into simpler chunks (connection types).
I did some simple testing using the backdoorports file and whatever local
processes I had running. Seems to work okay.


Date: 2008-12-12 00:30
Sender: jhorne (Project Admin)

I suspect you will have to do this in 2 steps (something like looking for
'PROTO.+->.+:PORT' and then 'TCP.+:PORT\s*(' ). However, as far as I
remember, that in itself will cause problems with the current code. The
problem is resolvable, but will require a bit of jiggling with the code. At
the moment it feeds the lsof output directly into a loop and then checks the
port numbers. The lsof output will need to be expanded (more of it
supplied), and the loop will then test for the 2 conditions and ignore the
rest. Something like that anyway.... :-)


John.

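The two-step idea in John's comment above, and Filippo's gawk one-liner further down the thread, both come down to one rule: the local side of a socket is either a bare listening entry ('*:PORT' or 'addr:PORT') or the part to the left of the '->' arrow, so the backdoor-port check must compare PORT against that field only and ignore the remote peer's port. The shell function below is an added example, not rkhunter's code or the CVS fix; it parses a constructed sample of `lsof -wnlP -i` output in the layout shown in the report (the PIDs, addresses and the "evil" process are made up) and contrasts the corrected check with an "anywhere on the line" match that reproduces the false positive. It assumes `-P` was used so that ports are numeric (no "imaps"), and it does not hard-code field positions: the NAME field is taken as whatever follows the TCP/UDP NODE column.

```shell
#!/bin/sh
# Added example (not rkhunter's code): decide whether PORT is the *local*
# end of a socket in `lsof -wnlP -i` output, instead of matching PORT
# anywhere on the line as `lsof -i TCP:PORT` effectively does.
# Assumes -n and -P, so hosts and ports are numeric.

# Constructed sample output; PIDs, addresses and the "evil" process are made up.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sslio 4947 451 0u IPv4 29184581 TCP 85.47.151.242:993->192.168.1.4:2128 (ESTABLISHED)
sshd 1234 0 3u IPv4 12345 TCP *:22 (LISTEN)
evil 6666 0 4u IPv4 67890 TCP *:2128 (LISTEN)
evil 6666 0 5u IPv4 67891 TCP 10.0.0.5:2128->10.0.0.9:40000 (ESTABLISHED)'

# Old-style check for contrast: ":PORT" appearing anywhere on the line.
# usage: port_matches_anywhere PORT "LSOF_OUTPUT"; prints matching PIDs.
# For 2128 this also lists sslio (4947), whose *remote* peer uses 2128.
port_matches_anywhere() {
    printf '%s\n' "$2" | awk -v port="$1" '
        NR > 1 && $0 ~ (":" port "([^0-9]|$)") { print $2 }' | sort -u
}

# Corrected check. usage: port_in_use_locally PORT "LSOF_OUTPUT"
# Prints the PIDs whose local address ends in :PORT, i.e. listening sockets
# and the left-hand side of "local->remote"; exit 0 if any, 1 if none.
port_in_use_locally() {
    pids=$(printf '%s\n' "$2" | awk -v port="$1" '
        NR == 1 { next }                                   # skip header
        {
            name = ""
            for (i = 1; i < NF; i++)                       # NAME follows NODE
                if ($i == "TCP" || $i == "UDP") { name = $(i + 1); break }
            if (name == "") next                           # not a socket line
            n = index(name, "->")                          # local->remote ?
            lside = (n > 0) ? substr(name, 1, n - 1) : name
            sub(/.*:/, "", lside)                          # port after last ":" (IPv6-safe)
            if (lside == port) print $2
        }' | sort -u)
    if [ -n "$pids" ]; then
        printf '%s\n' "$pids"
        return 0
    fi
    return 1
}

# Stand-alone demo on the constructed sample.
echo "old check, port 2128 (false positive on sslio):"
port_matches_anywhere 2128 "$SAMPLE_LSOF"
echo "new check, port 2128 (only the listener/owner):"
port_in_use_locally 2128 "$SAMPLE_LSOF" || echo none
echo "new check, port 40000 (remote port only):"
port_in_use_locally 40000 "$SAMPLE_LSOF" || echo none
```

A scanner can run `lsof -wnlP -i` once and pass the same output to the function for every port in its backdoor list, rather than one `lsof -i TCP:PORT` per port. The last-colon substitution is what keeps IPv6 entries such as `[::1]:993` working; without `-P`, a resolved name like `imaps` would never compare equal to a numeric port.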

Date: 2008-12-11 22:56
Sender: unspawn (Project Admin)

Thanks for the "-P". I didn't notice we had that option. Looking for an awk
regex that'll include both *:$PORT and IP:$PORT->IP:PORT but not
IP:PORT:IP:$PORT...


Date: 2008-12-10 10:50
Sender: filippocarletti

For 1), lsof has option -P (This option inhibits the conversion of port
numbers to port names for network files).

Say, using gawk:
lsof -wnlP -i TCP:${PORT} | gawk '/.*'${PORT}'->.*/ { print $2 }'


Date: 2008-12-10 00:21
Sender: unspawn (Project Admin)

We'll have to mark this as a known false positive in the documentation: 0)
I can't use protocol@hostname:port notation in lsof since that would miss
stuff on "ANY" and 1) lsof resolves port names so there's no way to cut
with say "awk -F'->' '{print $1}'" and work on that.


Date: 2008-11-20 23:19
Sender: unspawn (Project Admin)

Hello Filippo,

Thanks for your FP comment. You're right, LSOF with ${PROTO}:${PORT} is
too greedy a match. We might need something to glue it to the host, like
${PROTO}@${HOSTNAME}:${PORT}, make it return the address/port pairs for
checking, or cross-check with netstat.

unSpawn


Attached File

No Files Currently Attached

Changes ( 9 )

Field           Old Value         Date              By
close_date      -                 2009-06-06 00:20  jhorne
status_id       Open              2009-06-06 00:20  jhorne
resolution_id   None              2009-06-06 00:20  jhorne
assigned_to     nobody            2009-06-06 00:20  jhorne
allow_comments  1                 2009-06-06 00:20  jhorne
status_id       Closed            2008-12-10 10:50  filippocarletti
close_date      2008-12-10 00:21  2008-12-10 10:50  filippocarletti
close_date      -                 2008-12-10 00:21  unspawn
status_id       Open              2008-12-10 00:21  unspawn