LinuxQuestions.org

Linux - Networking: device eth0 entered promiscuous mode (http://www.linuxquestions.org/questions/linux-networking-3/device-eth0-entered-promiscuous-mode-150818/)

complus 02-26-2004 12:51 PM

device eth0 entered promiscuous mode
 
I am having a serious problem and would really appreciate some help!!

I am not entirely sure why, but this morning I went to connect to my server and the connection wouldn't go through. I went into the server room and it appeared to have crashed! I couldn't do anything to get back to the command prompt, so I rebooted my server.

It took me about 2 hours just to get the thing back up. It mostly hung on bringing up loopback device, but occasionally hung at various other points. It was nearly impossible for me to get into interactive startup mode because for some reason when I hit the "I" key at the prompt Linux wasn't detecting it. I started the server up without network and without netfs and finally got to a login prompt.

I checked dmesg and the only thing that looked 'abnormal' was the line that I put as the subject: "device eth0 has entered promiscuous mode".

When I run 'ifup lo' it hangs and I have to Control+C to get back to the prompt, but when I run ifconfig the loopback interface is up. The same thing happens when I try to bring up eth0... but I still can't ping out and nothing can ping in. My guess is that I have a hardware issue going on - so my first reaction is to change the server over to use the second NIC card. But it won't let me!!

I edited /etc/sysconfig/network-scripts/ifcfg-eth0 to not start on boot, and removed all IP address information, which I added to the ifcfg-eth1 file. But the same thing happens when I try to start eth1. I tried using 'netconfig' but that defaults to configuring eth0....

Any suggestions of what can be happening, or what other steps I can take? This is extremely urgent, so I would really appreciate some help... fast.. :confused:

jxi 02-26-2004 01:21 PM

just a few things (i'm by no means a network expert)
1. Promiscuous mode just means the card is listening to / receiving all packets that happen to be on the line at that moment, as opposed to only those with your IP as the destination. Not abnormal during bootup, AFAIK.

2. instead of ifup / ifdown use the long format just in case there's some problem with those scripts. e.g.
# ifconfig eth0 up

3. post the output of
# ifconfig
i probably won't be able to analyze it fully but someone may.

4. What is your firewall? is it on that client box or only on the server? What is the output of
# iptables-save

5. Please identify other stuff like distro, hardware, kernel version, et al.

HTH somewhat

complus 02-26-2004 02:17 PM

jxi thanks for replying!! Ok I've done some digging and found some more info... but first to answer your questions...

Quote:

instead of ifup / ifdown use the long format just in case there's some problem with those scripts. e.g.
# ifconfig eth0 up
Tried it - it's not the script... I think it's a hardware conflict...
Quote:

What is your firewall? is it on that client box or only on the server? What is the output of
# iptables-save
Firewall is cisco pix - not using iptables.
Quote:

Please identify other stuff like distro, hardware, kernel version, et al.
RH Linux 7.3, kernel version 2.4.18-3... running on a Dell PowerEdge 1650 - I had no choice in this, but I am convinced this type of server is part of the problem...

Quote:

post the output of
# ifconfig
I can't get it directly from the server so I'll transcribe it here:

lo Link encap:local Loopback
inet addr:127.0.0.1 Mask 255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric 1
RX packets: 16 errors:0 dropped:0 overruns:0 frames:0
TX packets: 16 errors:0 dropped:0 overruns:0 carrier:0
collisons: 0 txqueuelen:0
RX bytes:1344(1.3Kb) TX bytes 1344(1.3Kb)

eth1 Link encap:Ethernet HWaddr:00:06:5B:18:D8
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric 1
RX packets: 10 errors:0 dropped:0 overruns:0 frames:0
TX packets: 0 errors:0 dropped:0 overruns:0 carrier:0
collisons: 0 txqueuelen:0
RX bytes:1206(1.1Kb) TX bytes 0(0.0Kb)
Interrupt:5 Memory:0xfeb20000-0xfeb40000

eth1 Link encap:Ethernet HWaddr:00:06:5B:18:D8
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric 1
RX packets: 0 errors:0 dropped:0 overruns:0 frames:0
TX packets: 0 errors:0 dropped:0 overruns:0 carrier:0
collisons: 0 txqueuelen:0
RX bytes:0(0.0Kb) TX bytes 0(0.0Kb)
Interrupt:7 Memory:0xfeb60000-0xfeb80000

Notice I had both NIC cards configured with an IP address, yet neither show IP addresses here. When I check the ifcfg files, the IP, NETMASK, and GATEWAY are all there.

So after reading the forums I see to check /proc/pci for any conflicts. Wouldn't you know... for some reason my tape backup drive is listed here twice. AND the second entry is using the same IRQ as eth0. And this second entry is trying to access the memory for eth0. So I need to figure out how to resolve that conflict.

So I removed all network info from eth0, and decided to use eth2 since there are no conflicts. I configured ifcfg-eth1 like the following:

DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
IPADDR=X.X.X.217
NETMASK=255.255.255.0
GATEWAY=X.X.X.1

The ifconfig output for eth1 is still the same - no IP address listed. When I try to ping outside I get Network unreachable. I add the default gateway to the route and get SIOCADDRT: Network is unreachable...

:scratch:

complus 02-26-2004 03:40 PM

Just calling out for help again... I'm seriously trying to avoid reinstalling the OS and software...

I also get a Segmentation fault when I try to run ll or ls, etc.... I want to try recompiling the kernel, but will that do it?

I'm so lost right now....

jludwig 02-26-2004 03:52 PM

That the card comes up in promisc bothers me!!!!!!
-----------------------------------------------------------------------
Be warned trojans will do this.
------------------------------------------------------------------------
Also any sniffer that is on your system (snort, netdump, iptraf, ethereal, etc.). Check carefully if you haven't added a sniffer yourself.
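The question raised by jludwig and jxi is whether a PROMISC flag is explained by a sniffer the admin started, or is unexplained. The script below is an added example, not code from the thread: it reads 2.4-era ifconfig output, kernel log lines of the "device eth0 entered promiscuous mode" form, and "ps ax" output, and reports interfaces in promiscuous mode that no known sniffer accounts for. All three inputs are constructed samples; the MAC addresses are documentation placeholders and the sniffer name list is an assumption built from the names mentioned in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: decide whether a PROMISC flag is
# explained. Inputs are constructed samples in the style of the 2.4-era
# ifconfig, dmesg and "ps ax" output quoted in the thread; MACs are placeholders.

# Print every interface whose flags line in ifconfig output (stdin) has PROMISC.
promisc_from_ifconfig() {
    awk '
        /^[A-Za-z0-9:.]+[ \t]+Link encap/   { iface = $1 }
        /(^|[ \t])UP[ \t]/ && /PROMISC/      { print iface }
    '
}

# From kernel log lines (stdin) like "device eth0 entered promiscuous mode",
# print the interfaces that entered promiscuous mode and never left it.
promisc_from_dmesg() {
    awk '
        /device [^ ]+ entered promiscuous mode/ { for (i = 1; i <= NF; i++) if ($i == "device") state[$(i+1)] = 1 }
        /device [^ ]+ left promiscuous mode/    { for (i = 1; i <= NF; i++) if ($i == "device") state[$(i+1)] = 0 }
        END { for (d in state) if (state[d]) print d }
    ' | sort
}

# Count processes in "ps ax" output (stdin) whose command is a sniffer an admin
# would knowingly run (assumed list: names from the thread plus ngrep/tethereal).
known_sniffers_running() {
    awk 'BEGIN { n = 0 }
         NR > 1 && $5 ~ /^(\/[^ ]*\/)?(tcpdump|snort|ethereal|tethereal|iptraf|ngrep)$/ { n++ }
         END { print n }'
}

# Print the PROMISC interfaces ($1 = ifconfig output) that no known sniffer
# ($2 = ps ax output) accounts for. Empty output means nothing is unexplained.
unexplained_promisc() {
    n=$(printf '%s\n' "$2" | known_sniffers_running)
    if [ "$n" -gt 0 ]; then
        return 0
    fi
    printf '%s\n' "$1" | promisc_from_ifconfig
}

# Constructed samples (not real captures).
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth1      Link encap:Ethernet  HWaddr 00:00:5E:00:53:02
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

SAMPLE_DMESG='device eth0 entered promiscuous mode
device eth0 left promiscuous mode
device eth1 entered promiscuous mode'

SAMPLE_PS_CLEAN='  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init
  412 ?        S      0:00 syslogd -m 0'

SAMPLE_PS_SNIFFER='  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init
  777 pts/0    S      0:00 /usr/sbin/tcpdump -i eth1 -w capture.pcap'

echo "PROMISC per ifconfig:";       printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_from_ifconfig
echo "still promiscuous per dmesg:"; printf '%s\n' "$SAMPLE_DMESG" | promisc_from_dmesg
echo "unexplained, no sniffer running:"; unexplained_promisc "$SAMPLE_IFCONFIG" "$SAMPLE_PS_CLEAN"
echo "unexplained, tcpdump running:";    unexplained_promisc "$SAMPLE_IFCONFIG" "$SAMPLE_PS_SNIFFER"
```

On a live box the same functions take `ifconfig -a`, `dmesg` and `ps ax` on stdin; the point of running them from samples first is that a process listing taken from a subverted system may itself be lying, which is why the thread's advice to verify from outside the box still stands.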

complus 02-26-2004 04:01 PM

Can you please advise what I should check for??

unSpawn 02-26-2004 04:33 PM

Quote:

Promiscuous mode just means the card is listening to / receiving all packets that happen to be on the line at that moment (...) Not abnormal during bootup, AFAIK.
Only if you *know* you're running any form of sniffer (including benign ones like tcpdump, Snort, like that).


BTW, your kernel is stale and 2.4.25 is considered the last good one incorporating all bugfixes.
An upgrade is necessary. If you don't, make sure you know why, and take additional precautions.


Quote:

Just calling out for help again... I'm seriously trying to avoid reinstalling the OS and software...
I also get a Segmentation fault when I try to run ll or ls, etc.... I want to try recompiling the kernel, but will that do it?

If you get segfaults (an application trying to access memory beyond what it has "access rights" for) in combination with a network interface in promiscuous mode, that smells like a cracked box to me.
Any box that exhibits these symptoms should be considered UNSAFE for operations.


Quote:

I'm so lost right now....
1. List (and post output) your processes and network connections if you can,
2. Drop to runlevel 1 (cuts off network access and kills daemons) and rerun point 1 and notice differences, then power off the box,
3. mount the HD readonly on another box, or run a bootable CD like Knoppix, FIRE, PSK,
- compile Chkrootkit (do not use utilities from the suspected HD) and run it
- if you can, run a copy of your package management tool (do not use utilities from the suspected HD) to verify checksums
- search for setuid files in uncommon locations
- search for files in uncommon locations
- check your authentication files for added users and groups
- check your access logs
- check your system logs
- check your firewall logs
4. Please do not power on the box again before you have posted output here and give proof positive the box is clean.
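The offline part of the checklist above (mount the disk read-only from another box or a live CD, then look for setuid files, files in uncommon locations, added users and suspicious log entries) is the kind of thing that is easy to script so it can be repeated and posted. The script below is an added example, not code from the thread or from chkrootkit: it runs the rescue system's own find/awk/sed/sort against a mounted suspect root and executes nothing from the suspect disk. The `SUSPECT_ROOT` environment variable is an assumption of this example; when it is unset, a constructed sample tree with placeholder accounts and RFC 5737 addresses is built under mktemp so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread: read-only triage of a suspect
# filesystem mounted (read-only) under a rescue system such as Knoppix.
# Covers the checklist: setuid files, files in odd places, extra uid-0 or
# password-less accounts, and logins recorded in the system log. Only the
# rescue system's own tools run; nothing under the mounted root is executed.
# SUSPECT_ROOT (assumed name) points at the mount; unset, a sample tree is used.

# Setuid/setgid regular files below the mounted root, as paths relative to it.
triage_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) | sed "s|^$1||" | sort
}

# Regular files under /dev, which should contain device nodes only.
triage_dev_files() {
    find "$1/dev" -type f | sed "s|^$1||" | sort
}

# Every account with uid 0; anything besides root needs an explanation.
triage_uid0() {
    awk -F: '$3 == 0 { print $1 }' "$1/etc/passwd" | sort
}

# Accounts whose shadow entry has an empty password field.
triage_empty_pw() {
    awk -F: '$2 == "" { print $1 }' "$1/etc/shadow" | sort
}

# Distinct "user from host" pairs that sshd accepted, from /var/log/messages.
triage_ssh_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF; i++) {
                 if ($i == "for") u = $(i + 1)
                 else if ($i == "from") h = $(i + 1)
             }
             print u " from " h
         }' "$1/var/log/messages" | sort -u
}

# Constructed sample tree: placeholder accounts, RFC 5737 documentation addresses.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/bin" "$r/dev/.hidden" "$r/etc" "$r/var/log"
    printf 'x' > "$r/bin/su";         chmod 4755 "$r/bin/su"
    printf 'x' > "$r/bin/ls";         chmod 0755 "$r/bin/ls"
    printf 'x' > "$r/dev/.hidden/sh"; chmod 4755 "$r/dev/.hidden/sh"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'www:x:48:48::/var/www:/bin/false' \
                  'toor:x:0:0::/:/bin/sh' > "$r/etc/passwd"
    printf '%s\n' 'root:$1$placeholder:12345:0:99999:7:::' \
                  'www:*:12345:0:99999:7:::' \
                  'toor::12345:0:99999:7:::' > "$r/etc/shadow"
    printf '%s\n' 'Feb 26 03:12:01 srv sshd[812]: Accepted password for root from 203.0.113.9 port 4122 ssh2' \
                  'Feb 26 09:00:13 srv sshd[990]: Accepted publickey for admin from 192.0.2.10 port 51000 ssh2' \
                  'Feb 26 09:00:20 srv sshd[991]: Failed password for root from 203.0.113.9 port 4130 ssh2' \
                  > "$r/var/log/messages"
    printf '%s\n' "$r"
}

ROOT=${SUSPECT_ROOT:-$(make_sample_root)}
echo "== setuid/setgid files";      triage_setuid "$ROOT"
echo "== regular files under /dev"; triage_dev_files "$ROOT"
echo "== uid 0 accounts";           triage_uid0 "$ROOT"
echo "== empty-password accounts";  triage_empty_pw "$ROOT"
echo "== accepted ssh logins";      triage_ssh_logins "$ROOT"
```

Against a real mount, run it as `SUSPECT_ROOT=/mnt/suspect sh triage.sh` from the rescue system and compare the setuid list with what the package manager says the same files should be; a second uid-0 account, a setuid binary under /dev, or an accepted root login from an address you do not recognise each answers point 4 of the checklist on their own.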

jludwig 02-26-2004 04:56 PM

True but trojans also do this to locate other systems to zombie and to get open passwords on a LAN

complus 02-26-2004 05:05 PM

unspawn & jludwig - thanks for your replies

I took my box off the network, but I have already rebooted. I have also blocked the access through my firewall so nothing should be able to reach my server except for me at the console.

When I booted I could not get past "Bringing up loopback interface". I rebooted again and went through an interactive startup and did not start network services. So I am not sure my output from #1 will help...

Also, I do not have another box to mount the HD to....

I've checked access logs and there is nothing uncommon in there - only requests for my web pages, and a few requests for robot.txt. I am checking firewall logs now...

I know this is not a solution, and while I would like to find out why this all happened - my initial (newbie) response is to reformat the box, change the IP and public IP that my domain points to and start fresh... down time is a serious issue here - and until we switch over to a better machine (and HP-UX... which should happen very soon) I need to have the machine up and running....

jludwig 02-26-2004 05:23 PM

Happy to help

BTW when I first set up my iptables FW I was so proud of my effort I visited a hackers' web site. It took about 3 seconds for them to be in my box. It was new so I just reformatted and reinstalled.

But I learned this: a secure box is a work in progress. :Pengy:

unSpawn 02-26-2004 06:21 PM

Quote:

I took my box off the network, but I have already rebooted.
Hmm. Next time please think before you panic :-]
Not that you stand much of a chance of gathering information on a subverted box, but any information is useful information. Also a reboot will not fix things if you don't know what to disable first. If you positively have to run the box, then disconnect it from the network, drop to runlevel 1 and stay there.


Quote:

I have also blocked the access through my firewall so nothing should be able to reach my server except for me at the console.
Jludwig made an excellent point you should investigate boxen local to your networks as well. The original purpose of the subverted box doesn't matter anymore (I mean it's not an excuse to not investigate).


Quote:

When I booted I could not get past "Bringing up loopback interface". I rebooted again and went through an interactive startup and did not start network services. So I am not sure my output from #1 will help...
No, won't.


Quote:

Also, I do not have another box to mount the HD to....
Then run Knoppix. If it's paramount you get the box back up, dd an image of the box out to storage for future investigation (if you're interested, that is), then use the three R's: reformat the box, repartition, then reinstall from scratch (don't use backups unless you have external means of verifying the backup is untainted). Do NOT make backups except for verified clean, human-readable files. No binaries. Make sure you check out the LQ FAQ: Security references. Harden the box. (OK, that's prolly easier said than done, but we're a helpful bunch, and the Linux - Security forum is nearby).


Quote:

I know this is not a solution, and while I would like to find out why this all happened - my initial (newbie) response is to reformat the box, change the IP and public IP that my domain points to and start fresh...

Quote:

down time is a serious issue here
If downtime is a serious issue, tell your management that well-invested time now will save time later on.


One last note: don't mess up your priorities. A subverted box is a hazard to the whole 'net community. Good luck.

complus 02-26-2004 06:52 PM

Thank you again for your post. You're right - I panicked - mostly because this could not have come at a worse time...

complus 02-26-2004 06:56 PM

I do have one more question - I am still on RH 7.3 but would like to upgrade to a more current version. I keep hearing people say RH is free - weird, 'cause we paid for ours.... Where is a good (trusted) place that I can get a copy?

Thanks :)

unSpawn 02-27-2004 01:22 AM

If you bought it, just use the CDs and upgrade, (w)getting the RPMs from a mirror. Note RHL7x was EOL'ed December 2003. Yes, you can still run RHL7.x, but running it requires more work than running a current distro. If you're a newbie, and there are no application version problems, it would be good (maintenance- and thus security-wise) to switch/upgrade to a current distro.
RHL9.x will be phased out soon too.

