NSIV (rfxnetwork) - anyone using it ?


Well-Known Member
Mar 14, 2003
NSIV at r-fx.org - anyone using this program ?

Here's what it does:

Network socket inode validation is a rule based utility intended to aid in the validation of inodes against each LISTEN socket on a system. The nature for this app is such that rouge binaries can easily hijack a user, program privileges, or work space; and utilize such to kill the old service & execute a new service on the known port they crashed.

The best known examples of this trend is 'tmp' path uploaded content via php remote include exploits; which is executed, crashes the web server and starts a rouge httpd process and other such items.

A simple structure of validation is used by NSIV to verify the integrity of services on a given system. The rules system has 3 required variables; the first being a declared PORT value for which the service is known to operate on, the second is the BIN value which is simply the path to your service executed binary and the third option is the RST value which points to an init script or similar - and must include restart flag or similar.

There-after NSIV determines the running PID of your BIN; the current inode of your BIN followed by the current inode that is binding your declared PORT for such service. If the listening inode differs from that of the BIN inode value then we assume the service has been hijacked or similar and the PID is killed and RST executed.