1 /* @(#) $Id: ./src/rootcheck/check_rc_if.c, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
14 #include <sys/types.h>
15 #include <sys/socket.h>
17 #include <sys/ioctl.h>
25 /* Solaris happy again */
28 #include <sys/sockio.h>
31 #include "headers/defs.h"
32 #include "headers/debug_op.h"
34 #include "rootcheck.h"
// Shell pipeline template used to cross-check the kernel's view of an
// interface: %s is the interface name, and the pipeline's status presumably
// reflects whether grep found PROMISC in the ifconfig output.
// NOTE(review): %s is not quoted, and ifconfig and grep are resolved through
// PATH. Callers should pass only names made of expected characters, and the
// agent should run with a fixed, trusted PATH.
37 #define IFCONFIG "ifconfig %s | grep PROMISC > /dev/null 2>&1"
41 /* run_ifconfig: Execute the ifconfig command.
42 * Returns 1 if interface in promisc mode.
// `ifconfig` is the interface name substituted into IFCONFIG; the caller
// visible in this listing passes _ifr.ifr_name. The lines that run the
// command and map its status to the return value are not in this excerpt.
44 int run_ifconfig(char *ifconfig)
46 char nt[OS_SIZE_1024 +1];
// Bounded format into nt. The return value is not checked on this line, so a
// truncated command line would go unnoticed. OS_SIZE_1024 is defined outside
// this file.
48 snprintf(nt, OS_SIZE_1024, IFCONFIG, ifconfig);
58 * Check all interfaces for promiscuous mode
// Body of the interface check: list interfaces with SIOCGIFCONF, read each
// one's flags with SIOCGIFFLAGS, and report promiscuous ones through
// notify_rk. The original line numbers skip, so braces, else branches,
// returns and the _total/_errors updates are not shown in this excerpt.
62 int _fd, _errors = 0, _total = 0;
// NOTE(review): room for 16 entries only. SIOCGIFCONF fills what fits in
// ifc_len, so interfaces beyond the 16th would not be inspected on a host
// with many interfaces (containers, VLANs) - a coverage gap for this check.
63 struct ifreq tmp_str[16];
// Any datagram socket works as a handle for the interface ioctls below.
70 _fd = socket(AF_INET, SOCK_DGRAM, 0);
73 merror("%s: Error checking interfaces (socket)", ARGV0);
// sizeof(struct ifreq)*16 equals sizeof(tmp_str) given the declaration above.
78 memset(tmp_str, 0, sizeof(struct ifreq)*16);
79 _if.ifc_len = sizeof(tmp_str);
80 _if.ifc_buf = (caddr_t)(tmp_str);
// NOTE(review): on Linux, netdevice(7) documents that SIOCGIFCONF returns only
// interfaces with an IPv4 address, so an interface without one is never
// examined here - confirm the behaviour on each supported platform.
82 if (ioctl(_fd, SIOCGIFCONF, &_if) < 0)
85 merror("%s: Error checking interfaces (ioctl)", ARGV0);
// End of the returned entries, computed from the ifc_len the ioctl wrote back.
89 _ifend = (struct ifreq*) ((char*)tmp_str + _if.ifc_len);
92 /* Looping on all interfaces */
93 for (; _ir < _ifend; _ir++)
// NOTE(review): strncpy does not NUL-terminate when the source fills the whole
// field; whether _ifr is zeroed beforehand is not visible in this excerpt.
95 strncpy(_ifr.ifr_name, _ir->ifr_name, sizeof(_ifr.ifr_name));
97 /* Getting information from each interface */
98 if (ioctl(_fd, SIOCGIFFLAGS, (char*)&_ifr) == -1)
// NOTE(review): this tests only the flag reported by SIOCGIFFLAGS. On Linux,
// promiscuity requested through a packet-socket membership is, to my
// knowledge, not reflected in this flag, so a clean result here is not proof
// that nothing is capturing - pair it with another signal such as the
// kernel's promiscuous-mode log messages. Confirm per platform.
106 if ((_ifr.ifr_flags & IFF_PROMISC) )
108 char op_msg[OS_SIZE_1024 +1];
// Kernel and ifconfig agree: reported as a system-level alert.
109 if(run_ifconfig(_ifr.ifr_name))
111 snprintf(op_msg, OS_SIZE_1024,"Interface '%s' in promiscuous"
112 " mode.", _ifr.ifr_name);
113 notify_rk(ALERT_SYSTEM_CRIT, op_msg);
// Kernel says promiscuous but ifconfig does not show it: reported as a
// rootkit finding (the else line itself is not in this excerpt). The
// concatenated literals below have no space between "it" and "(probably".
117 snprintf(op_msg, OS_SIZE_1024,"Interface '%s' in promiscuous"
118 " mode, but ifconfig is not showing it"
119 "(probably trojaned).", _ifr.ifr_name);
120 notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
// Summary notification with the number of interfaces analysed; the condition
// guarding it (presumably _errors == 0) is not shown.
129 char op_msg[OS_SIZE_1024 +1];
130 snprintf(op_msg, OS_SIZE_1024, "No problem detected on ifconfig/ifs."
131 " Analyzed %d interfaces.", _total);
132 notify_rk(ALERT_OK, op_msg);