Network Socket Inode Validation

Current Release:
http://www.rfxn.com/downloads/nsiv-current.tar.gz
http://www.rfxn.com/appdocs/README.nsiv
http://www.rfxn.com/appdocs/CHANGELOG.nsiv

Description:
Network socket inode validation is a rule based utility intended to aid in the validation of inodes against each LISTEN socket on a system. The nature for this app is such that rouge binaries can easily hijack a user, program privileges, or work space; and utilize such to kill the old service & execute a new service on the known port they crashed. The best known examples of this trend is ‘tmp’ path uploaded content via php remote include exploits; which is executed, crashes the web server and starts a rouge httpd process and other such items.

A simple structure of validation is used by NSIV to verify the integrity of services on a given system. The rules system has 3 required variables; the first being a declared PORT value for which the service is known to operate on, the second is the BIN value which is simply the path to your service executed binary and the third option is the RST value which points to an init script with restart flags.

The execution cycle of NSIV is very simple, first it determines the running process ID of your binary followed by the trusted inode (that which is associated to the BIN variable).  Then, the PORT value is used to check that the binary holding said port open actually references back to the trusted inode, if it does not then we assume the service has been hijacked and the PID is killed / RST executed with optional e-mail alert dispatched.

Funding:
Funding for the continued development and research into this and other projects, is solely dependent on public contributions and donations. If this is your first time using this software we ask that you evaluate it and consider a small donation; for those who frequent and are continued users of this and other projects we also ask that you make an occasional small donation to help ensure the future of our public projects.