1 /* @(#) $Id: check_rc_if.c,v 1.10 2009/06/24 18:53:07 dcid Exp $ */
3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is a free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 3) as published by the FSF - Free Software
13 #include <sys/types.h>
14 #include <sys/socket.h>
16 #include <sys/ioctl.h>
24 /* Solaris happy again */
27 #include <sys/sockio.h>
30 #include "headers/defs.h"
31 #include "headers/debug_op.h"
33 #include "rootcheck.h"
36 #define IFCONFIG "ifconfig %s | grep PROMISC > /dev/null 2>&1"
40 /* run_ifconfig: Execute the ifconfig command.
41 * Returns 1 if interface in promisc mode.
43 int run_ifconfig(char *ifconfig)
/* Formats the IFCONFIG shell pipeline for the interface named by the
 * `ifconfig` argument. The name is placed into the command text unquoted,
 * and the `ifconfig` binary in the template has no absolute path.
 * NOTE(review): the line that executes `nt` is not part of this excerpt
 * (presumably system()) - confirm that the name can only come from the
 * kernel's interface list and that PATH is trusted for this process. */
45 char nt[OS_SIZE_1024 +1];
/* Output is capped at OS_SIZE_1024 bytes including the terminator, one
 * byte less than the buffer, so an over-long command is truncated
 * instead of overflowing `nt`. The snprintf result is not checked. */
47 snprintf(nt, OS_SIZE_1024, IFCONFIG, ifconfig);
57 * Check all interfaces for promiscuous mode
/* Body of the interface scan. The function signature, the declarations of
 * _if, _ifr, _ir and _ifend, the braces and the error/else branches are
 * on lines that this excerpt does not show. */
61 int _fd, _errors = 0, _total = 0;
/* Fixed room for 16 interface records. The loop below stops at the end of
 * what SIOCGIFCONF wrote into this array, so interfaces that do not fit
 * are never examined.
 * NOTE(review): hosts with many virtual interfaces can exceed 16, and on
 * Linux SIOCGIFCONF lists only interfaces that have an AF_INET address -
 * confirm the coverage this check is expected to give. */
62 struct ifreq tmp_str[16];
/* Datagram socket used as the handle for the interface ioctls below. */
69 _fd = socket(AF_INET, SOCK_DGRAM, 0);
72 merror("%s: Error checking interfaces (socket)", ARGV0);
/* Zero the record array and hand it to the kernel as the output buffer. */
77 memset(tmp_str, 0, sizeof(struct ifreq)*16);
78 _if.ifc_len = sizeof(tmp_str);
79 _if.ifc_buf = (caddr_t)(tmp_str);
/* Ask for the interface list; ifc_len is read back afterwards as the
 * number of bytes that were filled in. */
81 if (ioctl(_fd, SIOCGIFCONF, &_if) < 0)
84 merror("%s: Error checking interfaces (ioctl)", ARGV0);
/* One-past-the-end pointer for the records returned by the kernel. */
88 _ifend = (struct ifreq*) ((char*)tmp_str + _if.ifc_len);
91 /* Looping on all interfaces */
92 for (; _ir < _ifend; _ir++)
/* NOTE(review): strncpy with the full destination size leaves ifr_name
 * without a terminator when the source fills the field; the name is later
 * used with %s and passed to run_ifconfig - confirm it is always
 * NUL-terminated. */
94 strncpy(_ifr.ifr_name, _ir->ifr_name, sizeof(_ifr.ifr_name));
96 /* Getting information from each interface */
97 if (ioctl(_fd, SIOCGIFFLAGS, (char*)&_ifr) == -1)
/* Kernel-reported flag is the reference value for the comparison below.
 * NOTE(review): on Linux, promiscuity requested through a packet-socket
 * membership is not reflected in this flag, so a clean result here does
 * not prove that no capture is running - confirm whether a second source
 * is needed. */
105 if ((_ifr.ifr_flags & IFF_PROMISC) )
107 char op_msg[OS_SIZE_1024 +1];
/* Cross-check the kernel flag against what the ifconfig tool prints. */
108 if(run_ifconfig(_ifr.ifr_name))
/* Both views agree: report the promiscuous interface as a system alert. */
110 snprintf(op_msg, OS_SIZE_1024,"Interface '%s' in promiscuous"
111 " mode.", _ifr.ifr_name);
112 notify_rk(ALERT_SYSTEM_CRIT, op_msg);
/* Kernel says promiscuous but the ifconfig pipeline did not match: treated
 * as a sign of a replaced ifconfig binary.
 * NOTE(review): a missing or failing ifconfig command would presumably
 * take this path as well - confirm against run_ifconfig's return logic,
 * which is not shown here. */
116 snprintf(op_msg, OS_SIZE_1024,"Interface '%s' in promiscuous"
117 " mode, but ifconfig is not showing it"
118 "(probably trojaned).", _ifr.ifr_name);
119 notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
/* Summary message with the number of interfaces analyzed; the condition
 * guarding it is on a line this excerpt does not show. */
128 char op_msg[OS_SIZE_1024 +1];
129 snprintf(op_msg, OS_SIZE_1024, "No problem detected on ifconfig/ifs."
130 " Analyzed %d interfaces.", _total);
131 notify_rk(ALERT_OK, op_msg);