[Forensics-changes] [unhide] 01/02: Imported Upstream version 20130526
Joao Eriberto Mota Filho
eriberto at moszumanska.debian.org
Thu Nov 5 19:14:50 UTC 2015
This is an automated email from the git hooks/post-receive script.
eriberto pushed a commit to branch debian
in repository unhide.
commit 85a55928c4f692e2305107f5103ac2e705c023d4
Author: Eriberto Mota <eriberto at cepheus.cdciber.eb.mil.br>
Date: Thu Nov 5 17:14:32 2015 -0200
Imported Upstream version 20130526
---
LEEME.txt | 20 +++++++++++++++++
LISEZ-MOI.TXT | 21 ++++++++++++++++++
NEWS | 23 ++++++++++++++++++++
README.txt | 21 ++++++++++++++++++
changelog | 40 ++++++++++++++++++++++++++++++++++
make_tarball.sh | 28 +++++++++++++++++++++++-
man/es/unhide-tcp.8 | 8 +++++--
man/fr/unhide-tcp.8 | 5 ++++-
man/unhide-tcp.8 | 5 ++++-
sanity-tcp.sh | 57 ++++++++++++++++++++++++++++++------------------
sanity.sh | 2 +-
tar_list.txt | 62 ++++++++++++++++++++++++++---------------------------
unhide-linux.c | 4 ++--
unhide-output.c | 6 +++++-
unhide-output.h | 1 +
unhide-posix.c | 52 ++++++++++++++++++++++++++++++--------------
unhide-tcp.c | 60 +++++++++++++++++++++++++++++++++++----------------
unhide_rb.c | 4 ++--
18 files changed, 322 insertions(+), 97 deletions(-)
diff --git a/LEEME.txt b/LEEME.txt
index 70c9d7f..1aae667 100644
--- a/LEEME.txt
+++ b/LEEME.txt
@@ -98,6 +98,24 @@ man/es/unhide-tcp.8 --Página man de unhide-tcp en Español
// Compilación
+Para compilar Unhide es necesario:
+ glibc-devel
+ glibc-static-devel
+
+Y las siguientes dependencias:
+- unhide-tcp para linux :
+ iproute2
+ net-tools (para netstat)
+ lsof
+ psmisc (para fuser)
+- unhide-tcp para freeBSD :
+ sockstat
+ lsof
+ netstat
+
+unhide-linux, unhide-posix, unhide_rb :
+ procps
+
Si estás usando un kernel de Linux > = 2.6
gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
gcc -Wall -O2 --static unhide_rb.c -o unhide_rb
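Review bot: the third entry of the new dependency list, "unhide-linux, unhide-posix, unhide_rb :", is missing the leading "- " that the two unhide-tcp entries use, so it reads as a stray heading rather than a list item; the same inconsistency appears in the README.txt and LISEZ-MOI.TXT hunks of this commit.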
@@ -148,3 +166,5 @@ P. Gouin (pg.bug.cvs.pgn at free.fr) Por su increible trabajo 'fixeando' bugs y mej
François Boisson por su idea de un doble control en el test 'brute'
Leandro Lucarella (leandro.lucarella at sociomantic.com) por el modo de escaneo rápido y la re-escritura de unhide-tcp
+
+Nikos Ntarmos (ntarmos at ceid.upatras.gr) Por su inestimable labor ayudando a portar Unhide a FreeBSD y por hacer el empaquetado para FreeBSD.
diff --git a/LISEZ-MOI.TXT b/LISEZ-MOI.TXT
index 3de137a..4412ebc 100644
--- a/LISEZ-MOI.TXT
+++ b/LISEZ-MOI.TXT
@@ -112,6 +112,25 @@ man/fr/unhide-tcp.8 -- man page en français de unhide-tcp
// Compilation
// -----------
+Prérequis de build
+ glibc-devel
+ glibc-static-devel
+
+Prérequis d'utilisation
+- unhide-tcp under linux :
+ iproute2
+ net-tools (for netstat)
+ lsof
+ psmisc (for fuser)
+- unhide-tcp under freeBSD :
+ sockstat
+ lsof
+ netstat
+unhide-linux, unhide-posix, unhide_rb :
+ procps
+
+
+
Si vous utilisez un noyau Linux >= 2.6
gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
gcc -Wall -O2 --static unhide_rb.c -o unhide_rb
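Review bot: the new requirement list in the French README is partly in English ("under linux", "for netstat", "for fuser") while the headings around it are French; translate the list items to match, e.g. "- unhide-tcp sous Linux :" and "net-tools (pour netstat)". The three blank lines inserted before "Si vous utilisez" can be collapsed to one, as in README.txt.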
@@ -161,3 +180,5 @@ P. Gouin (patrick-g at users.sourceforge.net) En raison de son travail incroyable c
François Boisson pour l'idée de la double vérification dans le test "brute".
Leandro Lucarella (leandro.lucarella at sociomantic.com) pour la méthode rapide de balayage et son travail de factorisation de unhide-tcp
+
+Nikos Ntarmos (ntarmos at ceid.upatras.gr) pour son aide inestimable pour le portage de unhide-tcp sur FreeBSD.
diff --git a/NEWS b/NEWS
index 4c14ba0..29aae87 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,26 @@
+Changes since 20121229 :
+**********************
+
+BUG FIXES
+ - include <stdarg.h> in unhide-output.h, some old gcc/glibc need it.
+
+SUPPORT FOR PORTING
+ - On non Linux OS, ss is not used by default by unhide-tcp.
+ This way, FreeBSD guys should be able to package without patching unhide source :)
+ - On FreeBSD, use sockstat instead of fuser.
+
+MISCELLANOUS
+
+ - The unhide files in the tarball are again contained in a directory (unhide-YYYYMMDD)
+ - The name of the tarball uses again a '-' not a '_'.
+ - Help packagers: in unhide-posix.c, unhide-output.c, unhide-tcp.c, OS specific
+ command are put between #ifdef instead of beeing commented.
+ - Correct banner of unhide-posix.
+ - Update manpages.
+ - Add build/use require list in readme files
+
+
+
Changes since 20110113 :
**********************
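Review bot: spelling in the added NEWS section: "MISCELLANOUS" should read "MISCELLANEOUS", "beeing commented" should read "being commented", and "OS specific command are put" should read "OS specific commands are put".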
diff --git a/README.txt b/README.txt
index 257559d..ec7f5b7 100644
--- a/README.txt
+++ b/README.txt
@@ -92,6 +92,25 @@ man/fr/unhide-tcp.8 -- French man page of unhide-tcp
// Compiling
// ---------
+Build requires
+ glibc-devel
+ glibc-static-devel
+
+Require
+- unhide-tcp under linux :
+ iproute2
+ net-tools (for netstat)
+ lsof
+ psmisc (for fuser)
+- unhide-tcp under freeBSD :
+ sockstat
+ lsof
+ netstat
+
+unhide-linux, unhide-posix, unhide_rb :
+ procps
+
+
If you ARE using a Linux kernel >= 2.6
gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
gcc -Wall -O2 --static unhide_rb.c -o unhide_rb
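Review bot: the "Require" heading presents every listed tool as mandatory, but fuser and lsof (sockstat and lsof on FreeBSD) are only invoked for the optional -f and -l switches, which the man page hunk below documents as "if available"; rename the heading "Runtime requirements" and mark those entries optional so that packagers do not add hard dependencies unhide-tcp does not need.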
@@ -141,3 +160,5 @@ P. Gouin (patrick-g at users.sourceforge.net) Because of his incredible work fixing
François Boisson for his idea of a double check in brute test
Leandro Lucarella (leandro.lucarella at sociomantic.com) for the fast scan method and his factorization work for unhide-tcp
+
+Nikos Ntarmos (ntarmos at ceid.upatras.gr) for its invaluable help in the FreeBSD port of unhide-tcp and for packaging unhide on FreeBSD.
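Review bot: "for its invaluable help" should read "for his invaluable help".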
diff --git a/changelog b/changelog
index e1ba507..eca8707 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,43 @@
+2013-05-26
+ unhide-posix.c
+ - Transform 'ret' in global variable to avoid warnings
+ (note: ret variable was added to avoid warnings with some over pedantic
+ version of glibc and is otherwise useless).
+
+2013-05-24
+ unhide-tcp.8 (spanish version), LEEME.txt
+ - update according to english version.
+
+2013-03-03
+ unhide-posix.c
+ - Bugfix : Correct app name in banner of unhide-posix.
+
+ unhide-tcp.c
+ - Continue to simplify packager job:
+ * on FreeBSD use sockstat instead of fuser, which doesn't show info on internet socket
+ on this system.
+
+ README.txt, LISEZ-MOI.txt
+ - Add list of build-requires and use-requires
+
+ unhide-tcp.8 (french and english version)
+ - Add notes upon FreeBSD.
+
+2013-02-03
+ unhide-output.h
+ - Bugfix : include <stdarg.h>, some old glibc need it
+
+ unhide-posix.c, unhide-output.c, unhide-tcp.c
+ - Simplify packager job:
+ * put OS specific command between #ifdef (they were previously commented),
+ * don't use ss by default in unhide-tcp if OS is not linux,
+ * on FreeBSD use sockstat instead of fuser, which doesn't show info on internet socket
+ on this system.
+
+ make_tarball.sh
+ - Change '_' to '-' in the name of the tarball
+ - Make sure that unhide files are in a unhide-YYYYMMDD directory.
+
2012-12-29
Promote unhide-tcp-double_check.c as official version of unhide-tcp. Old version
is still available as unhide-tcp-simple-check.c
diff --git a/make_tarball.sh b/make_tarball.sh
index e251d08..8ecee54 100755
--- a/make_tarball.sh
+++ b/make_tarball.sh
@@ -1 +1,27 @@
-tar -T tar_list.txt -czvf unhide_20121229.tgz
+#! /bin/sh
+TAR_DATE=`date +%Y%m%d`
+echo $TAR_DATE
+TAR_FILE="unhide-$TAR_DATE"
+echo $TAR_FILE
+
+if [ -e "../$TAR_FILE" ]; then
+ echo "../$TAR_FILE already exists, do you want to delete it and continue [yN] ?"
+ read DEL_DIR
+ if [ $DEL_DIR == "Y" -o $DEL_DIR == "y" ]; then
+ if [ -d "../$TAR_FILE" ]; then
+ echo "\rm -rf ../$TAR_FILE"
+ else
+ echo "\rm -f ../$TAR_FILE"
+ fi
+ else
+ exit 1
+ fi
+else
+ echo "../$TAR_FILE n'existe pas"
+fi
+mkdir -p ../$TAR_FILE/man/es ../$TAR_FILE/man/fr
+for FILE in `cat tar_list.txt`; do
+ cp $FILE ../$TAR_FILE/$FILE
+done
+tar -czvf $TAR_FILE.tgz ../$TAR_FILE
+mv $TAR_FILE.tgz ../$TAR_FILE
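Review bot: the delete branch never deletes anything: `echo "\rm -rf ../$TAR_FILE"` only prints the command, so after answering Y the script falls through to mkdir/cp and silently overlays the stale directory; execute the rm instead of echoing it. With the new #!/bin/sh shebang, `[ $DEL_DIR == "Y" -o $DEL_DIR == "y" ]` relies on the bash-only `==` and fails with a syntax error on an empty answer because $DEL_DIR is unquoted; use `[ "$DEL_DIR" = "Y" ] || [ "$DEL_DIR" = "y" ]`. `tar -czvf $TAR_FILE.tgz ../$TAR_FILE` depends on tar stripping the leading "../" from member names (it does, with a warning); `tar -C .. -czvf $TAR_FILE.tgz $TAR_FILE` produces the unhide-YYYYMMDD layout the NEWS entry promises without the warning. Minor: "n'existe pas" is the only French message in an otherwise English script.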
diff --git a/man/es/unhide-tcp.8 b/man/es/unhide-tcp.8
index a482f18..9a993c3 100644
--- a/man/es/unhide-tcp.8
+++ b/man/es/unhide-tcp.8
@@ -10,8 +10,11 @@ unhide\-tcp \(em Herramienta forense para localizar puertos TCP/UDP ocultos
TCP/UDP que están a la escucha pero no aparecen listados en /sbin/ss (o alternativamente
/bin/netstat) haciendo fuerza bruta en todo el espacio de puertos TCP/UDP disponibles
.br
-Nota : Si el comando iproute2 no está disponible en el sistema, la opción \-n o \-s DEBE formar
-parte de los argumentos del programa
+Nota1 : Tanto en FreeBSD como en OpenBSD el comando netstat será siempre la opción elegida
+puesto que iproute2 no está disponible. Además en FreeBSD se usará sockstat en lugar de fuser
+
+Nota2: Si el comando iproute2 no se encuentra disponible en el sistema la opción \-n o \-s DEBE estar
+entre los flags con los que es llamado unhide\-tcp
.PP
.SH "OPCIONES"
.TP
@@ -23,6 +26,7 @@ No muestra mensajes de error. Este es el comportamiento por defecto
.TP
\fB\-f \-\-fuser\fR
Muestra la salida del comando fuser (si se encuentra en el sistema) del puerto oculto
+Para FreeBSD, en lugar de comando fuser, muestra la salida del comando sockstat del puerto oculto
.TP
\fB\-l \-\-lsof\fR
Muestra la salida del comando lsof (si se encuentra en el sistema) del puerto oculto
diff --git a/man/fr/unhide-tcp.8 b/man/fr/unhide-tcp.8
index dbe42d6..ff05a05 100644
--- a/man/fr/unhide-tcp.8
+++ b/man/fr/unhide-tcp.8
@@ -11,7 +11,9 @@ TCP/UDP qui sont à l'écoute mais qui ne sont pas listés par /sbin/ss (ou
alternativement par /bin/netstat) en utilisant la force brute : ouverture de
tous les ports TCP/UDP existants.
.br
-Note : si iproute2 n'est pas installé sur le système, une des option -n ou - s
+Note1 : sur FreeBSD et OPENBSD, netstat est systématiquement utilisé iproute2 n'existant pas
+sur ces systèmes. De plus sur FreeBSD, sockstat est utilisé à la place de fuser.
+Note2 : si iproute2 n'est pas installé sur le système, une des option -n ou - s
DOIT être utilisée sur la ligne de commande.
.PP
.SH "OPTIONS"
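Review bot: Note1 runs two clauses together; "netstat est systématiquement utilisé iproute2 n'existant pas" needs a comma after "utilisé", and "OPENBSD" should be written "OpenBSD" as in the English and Spanish pages.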
@@ -24,6 +26,7 @@ N'affiche pas les messages d'avertissement, c'est le comportement par défaut.
.TP
\fB\-f --fuser\fR
Affiche la sortie de fuser (si elle est disponible) pour les ports cachés.
+Sur FreeBSD, affiche, à la place, la sortie de sockstat pour les ports cachés.
.TP
\fB\-l --lsof\fR
Affiche la sortie de lsof (si elle est disponible) pour les ports cachés.
diff --git a/man/unhide-tcp.8 b/man/unhide-tcp.8
index 9ccdd35..899334f 100644
--- a/man/unhide-tcp.8
+++ b/man/unhide-tcp.8
@@ -11,7 +11,9 @@ ports that are listening but are not listed by /sbin/ss (or
alternatively by /bin/netstat) through brute forcing of all
TCP/UDP ports available.
.br
-Note : If iproute2 is not available on the system, option -n or -s SHOULD be
+Note1 : On FreeBSD ans OpenBSD, netstat is allways used as iproute2 doesn't exist
+on these OS. In addition, on FreeBSD, sockstat is used instead of fuser.
+Note2 : If iproute2 is not available on the system, option -n or -s SHOULD be
given on the command line.
.PP
.SH "OPTIONS"
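Review bot: spelling in Note1: "ans" should be "and", "allways" should be "always", and "on these OS" reads better as "on these systems".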
@@ -24,6 +26,7 @@ Don't display warning messages, that's the default behavior.
.TP
\fB\-f --fuser\fR
Display fuser output (if available) for the hidden port
+On FreeBSD, instead of fuser command, displays the output of the sockstat command for the hidden port.
.TP
\fB\-l --lsof\fR
Display lsof output (if available) for the hidden port
diff --git a/sanity-tcp.sh b/sanity-tcp.sh
index 3ac43d9..c9f30d0 100755
--- a/sanity-tcp.sh
+++ b/sanity-tcp.sh
@@ -1,4 +1,4 @@
-#! /bin/bash
+#!/bin/sh
# sanity.sh -- a growing testsuite for unhide-tcp.
#
@@ -18,50 +18,65 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Original Author: Patrick Gouin
+# BSD portability: Nikos Ntarmos
+
+if [ "x`/usr/bin/env uname`" == "xLinux" ]; then
+ ONFREEBSD=0
+ CHECKER=ss
+else
+ ONFREEBSD=1
+ CHECKER=netstat
+fi
# remove pre-existing local ss
-rm -f ./ps
+rm -f ./$CHECKER
#test 0
-# Don't call ss : let all ports appear hidden
+# Don't call CHECKER : let all ports appear hidden
cat <<EOF
============ Test #0 ============
- Don't call ss : let all ports appear hidden.
+ Don't call $CHECKER : let all ports appear hidden.
This should find all ports as hidden..
EOF
-cat <<EOF >./ss
-#! /bin/bash
+cat <<EOF >./$CHECKER
+#!/bin/sh
false
EOF
-chmod 754 ./ss
-#PATH=.:$PATH ./unhide-tcp -fl
+chmod 754 ./$CHECKER
+PATH=.:$PATH ./unhide-tcp -fl
# PATH=.:$PATH ./unhide-tcp
-PATH=.:$PATH ./unhide-tcp-double_check
+#PATH=.:$PATH ./unhide-tcp-double_check
-# remove pre-existing local ss
-rm -f ./ss
+# remove pre-existing local $CHECKER
+rm -f ./$CHECKER
#test 1
-# Call ss : let cups port appears hidden
+# Call $CHECKER : let cups port appears hidden
cat <<EOF
============ Test #1 ============
- Call ss : let cups port appears hidden.
+ Call $CHECKER : let cups port appears hidden.
This should find port 631 as hidden..
EOF
-cat <<EOF >./ss
-#! /bin/bash
+cat <<EOF >./$CHECKER
+#!/bin/sh
+
+set -e
# echo "Le 1er paramètre est : \$1" >&2
# echo "Le 2ème paramètre est : \$2" >&2
# echo "Le 3ème paramètre est : \$3" >&2
# echo "Le 4ème paramètre est : \$4" >&2
-if [ "\$4" != ":631" ]
+if [ $ONFREEBSD -eq 1 ]
+then
+ /usr/bin/netstat \$@ | grep -v 631
+ exit
+elif [ "\$4" != ":631" ]
then
# appelle le véritable ss
/sbin/ss \$@
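Review bot: the uname test uses `==` inside `[ ]`, which is not POSIX and fails under the new #!/bin/sh shebang on shells such as dash; use `=`. ONFREEBSD is set to 1 for every non-Linux system, so the variable name overstates what was detected. In the fake netstat, `grep -v 631` also drops any line that merely contains "631" somewhere else (an address octet, port 6310), which would make a hidden-port result look spurious; anchor the pattern on the port field. `\$@` should be `"\$@"` to keep arguments with spaces intact, and the comment "# remove pre-existing local ss" just after the new block still says ss rather than $CHECKER.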
@@ -70,9 +85,9 @@ else
fi
EOF
-chmod 754 ./ss
-# PATH=.:$PATH ./unhide-tcp -fl
-PATH=.:$PATH ./unhide-tcp-double_check -fl
+chmod 754 ./$CHECKER
+PATH=.:$PATH ./unhide-tcp -fl
+# PATH=.:$PATH ./unhide-tcp-double_check -fl
-# remove pre-existing local ss
-#rm -f ./ss
+# remove pre-existing local CHECKER
+#rm -f ./$CHECKER
diff --git a/sanity.sh b/sanity.sh
index e61c18c..50a5a5a 100755
--- a/sanity.sh
+++ b/sanity.sh
@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /bin/sh
# sanity.sh -- a growing testsuite for unhide.
#
diff --git a/tar_list.txt b/tar_list.txt
index 1c5bcb2..8661b50 100644
--- a/tar_list.txt
+++ b/tar_list.txt
@@ -1,32 +1,32 @@
-./changelog
-./COPYING
-./LEEME.txt
-./LISEZ-MOI.TXT
-./make_tarball.sh
-./man/es/unhide.8
-./man/es/unhide-tcp.8
-./man/fr/unhide.8
-./man/fr/unhide-tcp.8
-./man/unhide.8
-./man/unhide-tcp.8
-./NEWS
-./README.txt
-./sanity.sh
-./sanity-tcp.sh
-./tar_list.txt
-./TODO
-./unhide-linux-bruteforce.c
-./unhide-linux.c
-./unhide-linux-compound.c
-./unhide-linux.h
-./unhide-linux-procfs.c
-./unhide-linux-syscall.c
-./unhide-output.c
-./unhide-output.h
-./unhide-posix.c
-./unhide_rb.c
-./unhide-tcp.c
-./unhide-tcp-simple-check.c
-./unhide-tcp-fast.c
-./unhide-tcp.h
+changelog
+COPYING
+LEEME.txt
+LISEZ-MOI.TXT
+make_tarball.sh
+man/es/unhide.8
+man/es/unhide-tcp.8
+man/fr/unhide.8
+man/fr/unhide-tcp.8
+man/unhide.8
+man/unhide-tcp.8
+NEWS
+README.txt
+sanity.sh
+sanity-tcp.sh
+tar_list.txt
+TODO
+unhide-linux-bruteforce.c
+unhide-linux.c
+unhide-linux-compound.c
+unhide-linux.h
+unhide-linux-procfs.c
+unhide-linux-syscall.c
+unhide-output.c
+unhide-output.h
+unhide-posix.c
+unhide_rb.c
+unhide-tcp.c
+unhide-tcp-simple-check.c
+unhide-tcp-fast.c
+unhide-tcp.h
diff --git a/unhide-linux.c b/unhide-linux.c
index e26db0b..1aca7dd 100644
--- a/unhide-linux.c
+++ b/unhide-linux.c
@@ -49,8 +49,8 @@ along with this program. If not, see <http://www.gnu.org/licenses/>.
// header
const char header[] =
- "Unhide 20121229\n"
- "Copyright © 2012 Yago Jesus & Patrick Gouin\n"
+ "Unhide 20130526\n"
+ "Copyright © 2013 Yago Jesus & Patrick Gouin\n"
"License GPLv3+ : GNU GPL version 3 or later\n"
"http://www.unhide-forensics.info\n\n"
"NOTE : This version of unhide is for systems using Linux >= 2.6 \n\n";
diff --git a/unhide-output.c b/unhide-output.c
index 6920c80..284a5e6 100644
--- a/unhide-output.c
+++ b/unhide-output.c
@@ -21,7 +21,11 @@ along with this program. If not, see <http://www.gnu.org/licenses/>.
#include <stdlib.h>
#include <stdarg.h>
#include <errno.h>
-#include <linux/limits.h>
+#ifdef __linux__
+ #include <linux/limits.h>
+#else
+ #include <limits.h>
+#endif
#include <string.h>
#include <time.h>
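Review bot: the limits <linux/limits.h> provides (PATH_MAX and friends) are also exposed through glibc's <limits.h>, so an unconditional `#include <limits.h>` would most likely serve both branches; if the #ifdef is kept, a comment naming the symbol it is needed for would help the next porter.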
diff --git a/unhide-output.h b/unhide-output.h
index 15ed998..b992c01 100644
--- a/unhide-output.h
+++ b/unhide-output.h
@@ -17,6 +17,7 @@ You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+#include <stdarg.h>
/*
* Globals
diff --git a/unhide-posix.c b/unhide-posix.c
index 34aadbc..471efdd 100644
--- a/unhide-posix.c
+++ b/unhide-posix.c
@@ -30,26 +30,46 @@ along with this program. If not, see <http://www.gnu.org/licenses/>.
#include <stdlib.h>
-// Linux
-#define COMMAND "ps -eLf | awk '{ print $2 }' | grep -v PID"
-
-// CentOS / RHEL linux (thanks unspawn at rootshell.be and Martin.Bowers at freescale.com )
-// #define COMMAND "ps -emf --no-headers| awk '{ print $2 }'"
-
+#ifdef __linux__
+ // Linux
+ #define COMMAND "ps -eLf | awk '{ print $2 }' | grep -v PID"
// Old Linux (without threads)
// #define COMMAND "ps -ax | awk '{ print $1 }' | grep -v PID"
+// CentOS / RHEL linux (thanks unspawn at rootshell.be and Martin.Bowers at freescale.com )
+// #define COMMAND "ps -emf --no-headers| awk '{ print $2 }'"
+#else
+ #ifdef __OpenBSD__
+ //OpenBSD
+ #define COMMAND "ps -axk | awk '{ print $1 }' | grep -v PID"
+ #else
+ #if defined(sun) || defined(__sun)
+ # if defined(__SVR4) || defined(__svr4__)
+ /* Solaris */
+ #define COMMAND "ps -elf | awk '{ print $4 }' | grep -v PID"
+ # else
+ /* SunOS */
+ # endif
+ #else
+ #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
+ //FreeBSD
+ #define COMMAND "ps -axH | awk '{ print $1 }' | grep -v PID"
+ #else
+ //default : unknown OS
+ #define COMMAND "ps -ax | awk '{ print $1 }' | grep -v PID"
+ #endif
+ #endif
+ #endif
+#endif
-//OpenBSD
-// #define COMMAND "ps -axk | awk '{ print $1 }' | grep -v PID"
-
-// Solaris
-// #define COMMAND "ps -elf | awk '{ print $4 }' | grep -v PID"
int maxpid= 999999;
// Temporary string for output
char scratch[1000];
+// Shut up some warnings with over pedantic version of glibc
+int ret;
+
void checkps(int tmppid) {
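Review bot: the SunOS branch (`# else /* SunOS */ # endif`) defines no COMMAND, so a SunOS build fails later with an undefined identifier instead of a clear diagnostic; either supply a command or put `#error "unsupported OS"` there. The five-level nesting is hard to audit; the flat `#elif` chain this commit uses for the same selection in unhide-tcp.c is clearer and should be used here as well. The indentation of the CentOS comment lines also no longer matches the surrounding block.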
@@ -147,7 +167,7 @@ void checkgetpriority() {
int which = PRIO_PROCESS;
- int ret;
+// int ret;
errno= 0 ;
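Review bot: leaving `// int ret;` in place (here and in the two following hunks) is dead code; delete the lines rather than commenting them out now that the global declaration covers them.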
@@ -170,7 +190,7 @@ void checkgetpgid() {
for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) {
- int ret;
+// int ret;
errno= 0 ;
@@ -194,7 +214,7 @@ void checkgetsid() {
for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) {
- int ret;
+// int ret;
errno= 0 ;
@@ -211,8 +231,8 @@ void checkgetsid() {
int main (int argc, char *argv[]) {
- strncpy(scratch,"Unhide-legacy 20121229\n", 1000) ;
- strncat(scratch, "Copyright © 2012 Yago Jesus & Patrick Gouin\n", 1000);
+ strncpy(scratch,"Unhide-posix 20130526\n", 1000) ;
+ strncat(scratch, "Copyright © 2013 Yago Jesus & Patrick Gouin\n", 1000);
strncat(scratch, "License GPLv3+ : GNU GPL version 3 or later\n", 1000);
strncat(scratch, "http://www.unhide-forensics.info\n\n", 1000);
strncat(scratch, "NOTE : This is legacy version of unhide, it is intended\n\
diff --git a/unhide-tcp.c b/unhide-tcp.c
index 4625dfc..3d3cf19 100644
--- a/unhide-tcp.c
+++ b/unhide-tcp.c
@@ -35,8 +35,8 @@ along with this program. If not, see <http://www.gnu.org/licenses/>.
// header
const char header[] =
- "Unhide-tcp 20121229\n"
- "Copyright © 2012 Yago Jesus & Patrick Gouin\n"
+ "Unhide-tcp 20130526\n"
+ "Copyright © 2013 Yago Jesus & Patrick Gouin\n"
"License GPLv3+ : GNU GPL version 3 or later\n"
"http://www.unhide-forensics.info\n";
@@ -44,7 +44,11 @@ const char header[] =
int verbose = 0;
int use_fuser = 0;
int use_lsof = 0;
-int use_ss = 1; // use ss by default
+#ifdef __linux__
+ int use_ss = 1; // on Linux use ss by default
+#else
+ int use_ss = 0; // else don't use ss by default
+#endif
int use_quick = 0;
char checker[10] = "ss" ;
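Review bot: `checker[10] = "ss"` is still initialised to "ss" even though use_ss now defaults to 0 off Linux; make sure the code that picks the checker switches this string to "netstat" in that case (or initialise it under the same #ifdef), otherwise messages naming the checker will refer to a tool that is not being run.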
@@ -65,30 +69,42 @@ int hidden_found;
/* thx aramosf at unsec.net for the nice regexp! */
-// Linux
-char tcpcommand1[]= "netstat -tan | sed -e '/[\\.:][0-9]/!d' -e 's/.*[\\.:]\\([0-9]*\\) .*[\\.:].*/\\1/'" ;
-char udpcommand1[]= "netstat -uan | sed -e '/[\\.:][0-9]/!d' -e 's/.*[\\.:]\\([0-9]*\\) .*[\\.:].*/\\1/'" ;
-
-// Alternative commands, needs iproute2
+// Default commands for Linux, needs iproute2
char tcpcommand2[]= "ss -tan sport = :%d | sed -e '/[\\.:][0-9]/!d' -e 's/.*[\\.:]\\([0-9]*\\) .*[\\.:].*/\\1/'" ;
char udpcommand2[]= "ss -uan sport = :%d | sed -e '/[\\.:][0-9]/!d' -e 's/.*[\\.:]\\([0-9]*\\) .*[\\.:].*/\\1/'" ;
// fuser commands
-char fuserTCPcommand[]= "fuser -v -n tcp %d 2>&1" ;
-char fuserUDPcommand[]= "fuser -v -n udp %d 2>&1" ;
+// for FreeBSD, use sockstat as fuser equivalent.
+#if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
+ // FreeBSD
+ char fuserTCPcommand[]= "sockstat -46 -p %d -P tcp" ;
+ char fuserUDPcommand[]= "sockstat -46 -p %d -P udp" ;
+#else
+ char fuserTCPcommand[]= "fuser -v -n tcp %d 2>&1" ;
+ char fuserUDPcommand[]= "fuser -v -n udp %d 2>&1" ;
+#endif
// lsof commands
char lsofTCPcommand[]= "lsof +c 0 -iTCP:%d" ;
char lsofUDPcommand[]= "lsof +c 0 -iUDP:%d" ;
-// OpenBSD
-// char tcpcommand[]= "netstat -an -p tcp | sed -e '/[\\.:][0-9]/!d' -e 's/.*[\\.:]\\([0-9]*\\) .*[\\.:].*/\\1/'" ;
-// char udpcommand[]= "netstat -an -p udp| sed -e '/[\\.:][0-9]/!d' -e 's/.*[\\.:]\\([0-9]*\\) .*[\\.:].*/\\1/'" ;
-
-
-// Solaris
-// char tcpcommand[]= "netstat -an -P tcp | sed -e '/[\\.:][0-9]/!d' -e 's/.*[\\.:]\\([0-9]*\\) .*[\\.:].*/\\1/'" ;
-// char udpcommand[]= "netstat -an -P udp| sed -e '/[\\.:][0-9]/!d' -e 's/.*[\\.:]\\([0-9]*\\) .*[\\.:].*/\\1/'" ;
+#ifdef __OpenBSD__
+ // OpenBSD
+ char tcpcommand1[]= "netstat -an -p tcp | sed -e '/[\\.:][0-9]/!d' -e 's/.*[\\.:]\\([0-9]*\\) .*[\\.:].*/\\1/'" ;
+ char udpcommand1[]= "netstat -an -p udp| sed -e '/[\\.:][0-9]/!d' -e 's/.*[\\.:]\\([0-9]*\\) .*[\\.:].*/\\1/'" ;
+#elif defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
+ // FreeBSD
+ char tcpcommand1[]= "netstat -an -p tcp | sed -e '/[\\.:][0-9]/!d' -e 's/.*[\\.:]\\([0-9]*\\) .*[\\.:].*/\\1/'" ;
+ char udpcommand1[]= "netstat -an -p udp| sed -e '/[\\.:][0-9]/!d' -e 's/.*[\\.:]\\([0-9]*\\) .*[\\.:].*/\\1/'" ;
+#elif (defined(sun) || defined(__sun)) && (defined(__SVR4) || defined(__svr4__))
+ // Solaris
+ char tcpcommand1[]= "netstat -an -P tcp | sed -e '/[\\.:][0-9]/!d' -e 's/.*[\\.:]\\([0-9]*\\) .*[\\.:].*/\\1/'" ;
+ char udpcommand1[]= "netstat -an -P udp| sed -e '/[\\.:][0-9]/!d' -e 's/.*[\\.:]\\([0-9]*\\) .*[\\.:].*/\\1/'" ;
+#else
+ // Linux / default
+ char tcpcommand1[]= "netstat -tan | sed -e '/[\\.:][0-9]/!d' -e 's/.*[\\.:]\\([0-9]*\\) .*[\\.:].*/\\1/'" ;
+ char udpcommand1[]= "netstat -uan | sed -e '/[\\.:][0-9]/!d' -e 's/.*[\\.:]\\([0-9]*\\) .*[\\.:].*/\\1/'" ;
+#endif
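Review bot: the OpenBSD and FreeBSD branches define identical tcpcommand1/udpcommand1 strings and can be merged into one `#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__FreeBSD_kernel__)` branch. Minor: "udp|" lacks the space before the pipe in three branches, inconsistent with the tcp lines.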
@@ -128,11 +144,19 @@ void print_port(enum Proto proto, int port)
{
if (TCP == proto)
{
+#if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
+ print_info("sockstat", fuserTCPcommand, port);
+#else
print_info("fuser", fuserTCPcommand, port);
+#endif
}
else
{
+#if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
+ print_info("sockstat", fuserUDPcommand, port);
+#else
print_info("fuser", fuserUDPcommand, port);
+#endif
}
}
if (1 == use_lsof)
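Review bot: the two #if blocks in print_port repeat the OS test already made where fuserTCPcommand/fuserUDPcommand are defined; define a `fuser_name` string ("sockstat" or "fuser") next to those commands and call `print_info(fuser_name, ...)` in each branch, so a future port only has to touch one place.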
diff --git a/unhide_rb.c b/unhide_rb.c
index 64a990f..76f846f 100644
--- a/unhide_rb.c
+++ b/unhide_rb.c
@@ -483,9 +483,9 @@ int main (int argc, char *argv[])
int found_something = FALSE ;
int phase1_ko = FALSE ;
- strncpy(scratch,"Unhide_rb 20121229\n", 1000) ;
+ strncpy(scratch,"Unhide_rb 20130526\n", 1000) ;
- strncat(scratch, "Copyright © 2012 Yago Jesus & Patrick Gouin\n", 1000);
+ strncat(scratch, "Copyright © 2013 Yago Jesus & Patrick Gouin\n", 1000);
strncat(scratch, "License GPLv3+ : GNU GPL version 3 or later\n", 1000);
strncat(scratch, "http://www.unhide-forensics.info\n\n", 1000);
strncat(scratch, "NOTE : This version of unhide_rb is for systems using Linux >= 2.6 \n\n", 1000);
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/unhide.git