1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
11 #include <sys/types.h>
12 #include <sys/socket.h>
13 #include <sys/ioctl.h>
22 #include <sys/sockio.h>
25 #include "headers/debug_op.h"
26 #include "headers/defs.h"
27 #include "rootcheck.h"
/* Shell pipeline used to cross-check one interface with ifconfig.
 * %s receives the interface name. The redirections apply to grep only, so
 * grep's output is discarded and the pipeline's exit status is grep's:
 * 0 only when the literal string PROMISC appears in ifconfig's output.
 * NOTE(review): %s is substituted without quoting, so the name is parsed by
 * the shell; ifconfig and grep are presumably resolved through the PATH of
 * the calling process - confirm that PATH is a trusted, fixed value. */
30 #define IFCONFIG "ifconfig %s | grep PROMISC > /dev/null 2>&1"
/* Forward declaration of the helper that runs the IFCONFIG pipeline. */
34 static int run_ifconfig(const char *ifconfig);
37 /* Execute the ifconfig command
38 * Returns 1 if the interface is in promiscuous mode
40 static int run_ifconfig(const char *ifconfig)
/* ifconfig: name of the interface to query. The caller visible in this
 * listing passes _ifr.ifr_name, i.e. a name copied from the SIOCGIFCONF
 * result. The rest of the body (the return statements) is not part of this
 * listing. */
/* Buffer for the formatted command line. */
42 char nt[OS_SIZE_1024 + 1];
/* Build the shell command from the IFCONFIG template. The return value of
 * snprintf is not checked here.
 * NOTE(review): the name is placed into a shell command line unquoted, so
 * any shell metacharacter in it would be interpreted by the shell run by
 * system(). Validating the name against the characters an interface name
 * may contain before formatting, or running ifconfig with an explicit argv
 * (fork/exec or posix_spawn) and matching PROMISC in-process, would take
 * the shell out of the path. */
44 snprintf(nt, OS_SIZE_1024, IFCONFIG, ifconfig);
/* Exit status 0 means grep found PROMISC in ifconfig's output. Every other
 * outcome takes the other branch, including system() itself failing or
 * ifconfig not being runnable.
 * NOTE(review): the caller reports that branch as "probably trojaned";
 * confirm that a missing or failing ifconfig cannot raise that alert. */
45 if (system(nt) == 0) {
52 /* Check all interfaces for promiscuous mode */
/* Body of the interface check: lists interfaces with SIOCGIFCONF, reads each
 * one's flags with SIOCGIFFLAGS, and for every interface whose flags carry
 * IFF_PROMISC compares the result with what ifconfig reports. Several lines
 * (the signature, some declarations, branch bodies and closing braces) are
 * not part of this listing. */
55 int _fd, _errors = 0, _total = 0;
/* Room for 16 interface records.
 * NOTE(review): SIOCGIFCONF is given sizeof(tmp_str) as its limit, so on a
 * host with more entries the remainder would presumably go unchecked while
 * the final message still reports no problem - confirm, and consider sizing
 * the buffer from the actual interface count. */
56 struct ifreq tmp_str[16];
/* Datagram socket used only as a handle for the interface ioctls. */
63 _fd = socket(AF_INET, SOCK_DGRAM, 0);
65 merror("%s: Error checking interfaces (socket)", ARGV0);
/* Zero the record array and hand it to the kernel as the SIOCGIFCONF
 * output buffer. */
69 memset(tmp_str, 0, sizeof(struct ifreq) * 16);
70 _if.ifc_len = sizeof(tmp_str);
71 _if.ifc_buf = (caddr_t)(tmp_str);
/* NOTE(review): on some platforms SIOCGIFCONF on an AF_INET socket lists
 * only interfaces that have an address configured - confirm that
 * address-less interfaces are covered on the targets this runs on. */
73 if (ioctl(_fd, SIOCGIFCONF, &_if) < 0) {
75 merror("%s: Error checking interfaces (ioctl)", ARGV0);
/* End of the filled part of the array, from the ifc_len value left in _if
 * after the ioctl. */
79 _ifend = (struct ifreq *) (void *) ((char *)tmp_str + _if.ifc_len);
82 /* Loop over all interfaces */
83 for (; _ir < _ifend; _ir++) {
/* Copy the name into the request used for SIOCGIFFLAGS.
 * NOTE(review): strncpy with the full field size writes no terminator when
 * the source fills the field, and ifr_name is later formatted with %s and
 * placed in a shell command - confirm the source is always terminated or
 * terminate explicitly after the copy. */
84 strncpy(_ifr.ifr_name, _ir->ifr_name, sizeof(_ifr.ifr_name));
86 /* Get information from each interface */
87 if (ioctl(_fd, SIOCGIFFLAGS, (char *)&_ifr) == -1) {
/* Only the IFF_PROMISC bit of the flags returned by SIOCGIFFLAGS is
 * examined.
 * NOTE(review): confirm on each target platform that every way of enabling
 * promiscuous reception is reflected in this flag; otherwise pair this
 * check with other telemetry. */
93 if ((_ifr.ifr_flags & IFF_PROMISC) ) {
94 char op_msg[OS_SIZE_1024 + 1];
/* Cross-check: the flags say promiscuous, so ifconfig should say so too. */
95 if (run_ifconfig(_ifr.ifr_name)) {
/* ifconfig agrees: report the promiscuous interface as a system alert. */
96 snprintf(op_msg, OS_SIZE_1024, "Interface '%s' in promiscuous"
97 " mode.", _ifr.ifr_name);
98 notify_rk(ALERT_SYSTEM_CRIT, op_msg);
/* ifconfig does not show PROMISC although the flags do: reported as a
 * rootkit finding. Any failure to run ifconfig also lands here.
 * NOTE(review): the adjacent string literals join as "it(probably", with
 * no space before the parenthesis. */
100 snprintf(op_msg, OS_SIZE_1024, "Interface '%s' in promiscuous"
101 " mode, but ifconfig is not showing it"
102 "(probably trojaned).", _ifr.ifr_name);
103 notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
/* Summary message; the condition that selects it and the updates to
 * _total are not part of this listing. */
111 char op_msg[OS_SIZE_1024 + 1];
112 snprintf(op_msg, OS_SIZE_1024, "No problem detected on ifconfig/ifs."
113 " Analyzed %d interfaces.", _total);
114 notify_rk(ALERT_OK, op_msg);
122 /* Not implemented on Windows */