device eth0 entered promiscuous mode


Robert McIntosh, Sep 25, 2003, 2:29:48 PM
Hi,

I'm running RH 9 (2.4.20-8). Today I noticed in dmesg that the NIC entered
promiscuous mode, but I'm unsure when it entered promiscuous mode.

device eth0 entered promiscuous mode
device eth0 left promiscuous mode
device eth0 entered promiscuous mode
device eth0 left promiscuous mode
device eth0 entered promiscuous mode
device eth0 left promiscuous mode
device eth0 entered promiscuous mode
device eth0 left promiscuous mode

These all occurred in succession. To my knowledge, no-one used tcpdump,
ethereal, etc. The NIC is using the Intel PRO/100 Network Driver.

I presume this is abnormal and of concern. Trying to be sure this is not a
normal boot-up process in RH 9.

Thanks for your help!
Robert


David, Sep 25, 2003, 2:52:03 PM

It can be a sign of a "sniffer" but don't go doing a reinstall yet.

Have you run chkrootkit on the system?
Does the system have a firewall on it?
Has the system been kept up2date with all security updates?
Does the system run any services (web, mail, ftp, etc.) servers?

--
Confucius: He who play in root, eventually kill tree.
Registered with The Linux Counter. http://counter.li.org/
Slackware 9.0 Kernel 2.4.22 i686 (GCC) 3.3
Uptime: 17:17, 1 user, load average: 0.16, 0.31, 0.34

Robert McIntosh, Sep 25, 2003, 3:43:12 PM
> Have you run chkrootkit on the system?
chkrootkit finds nothing abnormal (but it's freshly installed)

> Does the system have a firewall on it?

We have a firewall in front of this system. The firewall is disabled on the
RH box.

> Has the system been kept up2date with all security updates?

That are applicable to services we're running. Typically once per every two
weeks a check is made for updates.

> Does the system run any services (web,mail,ftp,etc..)servers

External to our LAN the machine in question is a web (apache + mod ssl)
server and mail (qmail + cucipop) server. Internally SSH and FTP are
available as well.


"David" <thunde...@netscape.net> wrote in message
news:nPGcb.577882$Ho3.107002@sccrnsc03...

David, Sep 25, 2003, 4:14:04 PM
Robert McIntosh wrote:
>>Have you run chkrootkit on the system?
>
> chkrootkit finds nothing abnormal (but it's freshly installed)

If it is a new install I doubt it has been cracked.

>>Does the system have a firewall on it?
>
> We have a firewall in front of this system. The firewall is disabled on the
> RH box.

So it has some protection, making a crack less likely.

>>Has the system been kept up2date with all security updates?
>
> That are applicable to services we're running. Typically once per every two
> weeks a check is made for updates.

It is kept updated fairly regularly, making a crack less likely.

>>Does the system run any services (web,mail,ftp,etc..)servers
>
> External to our LAN the machine in question is a web (apache + mod ssl)
> server and mail (qmail + cucipop) server. Internally SSH and FTP are
> available as well.

Ok, did chkrootkit show anything in promiscuous mode?

--
Confucius: He who play in root, eventually kill tree.
Registered with The Linux Counter. http://counter.li.org/
Slackware 9.0 Kernel 2.4.22 i686 (GCC) 3.3

Uptime: 18:32, 1 user, load average: 0.37, 0.32, 0.28

/dev/rob0, Sep 25, 2003, 4:13:55 PM
In article <nPGcb.577882$Ho3.107002@sccrnsc03>, David wrote:

> Robert McIntosh wrote:
>> I'm running RH 9 (2.4.20-8). Today I noticed in dmesg that the NIC entered
>> promiscuous mode, but I'm unsure when it entered promiscuous mode.
>
> It can be a sign of a "sniffer" but don't go doing a reinstall yet.

True.

> Have you run chkrootkit on the system?

IMHO: waste of time. I'd bet Euros to Eucalyptus leaves that it was
something Robert did.

Robert: check the log files to find out when the promiscuity happened.
What were you doing at the time?

> Does the system have a firewall on it?
> Has the system been kept up2date with all security updates?
> Does the system run any services (web,mail,ftp,etc..)servers

Yes, the proper answers to these questions will mean that a compromise
is highly improbable.
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply

Robert, Sep 26, 2003, 1:25:40 AM
Thanks for everyone's thoughts.

I reviewed the logs and it was from my account and my usual IP address
during a time that I am normally in the office. Strange that I can't recall
more of the occasion of why I decided to go into promiscuous mode. Must've
just been feeling saucy ;^)

Nevertheless, I'll change my password and cron chkrootkit, and create a
script to monitor when/if the NIC goes into promiscuous mode.

Again thanks - /dev/rob0 you appear to have been correct.

-Robert

"/dev/rob0" <ro...@gmx.co.uk> wrote in message
news:slrnbn6j4...@ns.linux.box...
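One way to build the monitoring script Robert describes, as an added example that is not part of the thread: it reports the NIC's current promiscuous state from the IFF_PROMISC flag bit in sysfs, and lists the timestamped "entered/left promiscuous mode" kernel messages from syslog so each transition can be matched against who was logged in at that minute, which is how Robert found his own session. The interface name, log path and sample log lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a Linux NIC is in
# promiscuous mode now, and list when it entered/left it from the syslog
# kernel messages the thread quotes. Interface name, log path and the
# sample log lines below are assumptions.

# Return 0 if a hex flags value (as read from /sys/class/net/<if>/flags)
# has the IFF_PROMISC bit 0x100 set.
flags_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Current state of a live interface; returns 2 if the sysfs entry is missing.
iface_promisc() {
    f="/sys/class/net/$1/flags"
    [ -r "$f" ] || return 2
    flags_promisc "$(cat "$f")"
}

# Read syslog-format kernel messages on stdin and print
# "<Mon> <day> <time> <iface> entered|left" for each transition, so the
# timestamp can be matched against login records for the same minute.
promisc_history() {
    awk '/kernel: device [^ ]+ (entered|left) promiscuous mode/ {
        for (i = 1; i <= NF; i++)
            if ($i == "device") print $1, $2, $3, $(i+1), $(i+2)
    }'
}

# Number of "entered" transitions in a log read on stdin.
count_entered() {
    promisc_history | awk '$5 == "entered"' | wc -l | tr -d ' '
}

# Constructed sample log in RH 9 /var/log/messages style (not real data).
SAMPLE_LOG='Sep 25 09:12:01 web1 kernel: device eth0 entered promiscuous mode
Sep 25 09:12:40 web1 kernel: device eth0 left promiscuous mode
Sep 25 09:13:02 web1 sshd[812]: Accepted password for robert from 10.0.0.5
Sep 25 09:15:11 web1 kernel: device eth0 entered promiscuous mode
Sep 25 09:15:59 web1 kernel: device eth0 left promiscuous mode'

# Usage: sh promisc-check.sh [iface] [logfile]; defaults suit RH 9.
main() {
    iface="${1:-eth0}"; klog="${2:-/var/log/messages}"
    if [ -r "$klog" ]; then promisc_history < "$klog"; fi
    if iface_promisc "$iface"; then echo "$iface is promiscuous NOW"
    else echo "$iface is not promiscuous"; fi
}
main "$@"
```

Run it from cron and pipe the output to mail, or diff it against the previous run, to get notified of new transitions.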

Harky, Sep 27, 2003, 2:04:06 AM
"Robert" wrote...

> I reviewed the logs and it was from my account and my usual IP address
> during a time that I am normally in the office. Strange that I can't recall
> more of the occasion of why I decided to go into promiscuous mode.
<snip>

I believe arpwatch also goes into prom mode. Perhaps you ran that?

Dann
