Old 02-26-2004, 12:51 PM   #1
complus
Member
 
Registered: Aug 2003
Distribution: Red Hat 9
Posts: 76

Rep: Reputation: 15
device eth0 entered promiscuous mode


I am having a serious problem and would really appreciate some help!!

I am not entirely sure why, but this morning I went to connect to my server, but the connection wouldn't go through. I went into the server room and it appeared to have crashed! I couldn't do anything to get back to the command prompt, so I rebooted my server.

It took me about 2 hours just to get the thing back up. It mostly hung on bringing up loopback device, but occasionally hung at various other points. It was nearly impossible for me to get into interactive startup mode because for some reason when I hit the "I" key at the prompt Linux wasn't detecting it. I started the server up without network and without netfs and finally got to a login prompt.

I checked dmesg and the only thing that looked 'abnormal' was the line that I put as the subject: "device eth0 has entered promiscuous mode".

When I run 'ifup lo' it hangs and I have to Control+C to get back to the prompt, but when I run ifconfig the loopback interface is up. The same thing happens when I try to bring up eth0... but I still can't ping out and nothing can ping in. My guess is that I have a hardware issue going on - so my first reaction is to change the server over to use the second NIC card. But it won't let me!!

I edited /etc/sysconfig/network-scripts/ifcfg-eth0 to not start on boot, and removed all IP address information, which I added to the ifcfg-eth1 file. But the same thing happens when I try to start eth1. I tried using 'netconfig' but that defaults to configuring eth0....

Any suggestions of what can be happening, or what other steps I can take? This is extremely urgent, so I really appreciate some help... fast..
 
Old 02-26-2004, 01:21 PM   #2
jxi
Member
 
Registered: Feb 2003
Location: Richmond VA
Distribution: Slackware 11 -- CentOS 4.4
Posts: 115

Rep: Reputation: 15
Just a few things (I'm by no means a network expert):
1. Promiscuous mode just means the card is listening to / receiving all packets that happen to be on the line at that moment, as opposed to only those with your IP as the destination. Not abnormal during bootup, AFAIK.

2. instead of ifup / ifdown use the long format just in case there's some problem with those scripts. e.g.
# ifconfig eth0 up

3. post the output of
# ifconfig
i probably won't be able to analyze it fully but someone may.

4. What is your firewall? is it on that client box or only on the server? What is the output of
# iptables-save

5. Please identify other stuff like distro, hardware, kernel version, et al.

HTH somewhat
 
Old 02-26-2004, 02:17 PM   #3
complus
Member
 
Registered: Aug 2003
Distribution: Red Hat 9
Posts: 76

Original Poster
Rep: Reputation: 15
jxi thanks for replying!! Ok I've done some digging and found some more info... but first to answer your questions...

Quote:
instead of ifup / ifdown use the long format just in case there's some problem with those scripts. e.g.
# ifconfig eth0 up
Tried it - it's not the script... I think it's a hardware conflict...
Quote:
What is your firewall? is it on that client box or only on the server? What is the output of
# iptables-save
Firewall is cisco pix - not using iptables.
Quote:
Please identify other stuff like distro, hardware, kernel version, et al.
RH Linux 7.3, kernel version 2.4.18-3... running on a Dell PowerEdge 1650 - I had no choice in this choice but I am convinced this type of server is part of the problem...

Quote:
post the output of
# ifconfig
I can't get it directly from the server so I'll transcribe it here:

lo Link encap:local Loopback
inet addr:127.0.0.1 Mask 255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric 1
RX packets: 16 errors:0 dropped:0 overruns:0 frames:0
TX packets: 16 errors:0 dropped:0 overruns:0 carrier:0
collisons: 0 txqueuelen:0
RX bytes:1344(1.3Kb) TX bytes 1344(1.3Kb)

eth1 Link encap:Ethernet HWaddr:00:06:5B:188
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric 1
RX packets: 10 errors:0 dropped:0 overruns:0 frames:0
TX packets: 0 errors:0 dropped:0 overruns:0 carrier:0
collisons: 0 txqueuelen:0
RX bytes:1206(1.1Kb) TX bytes 0(0.0Kb)
Interrupt:5 Memory:0xfeb20000-0xfeb40000

eth1 Link encap:Ethernet HWaddr:00:06:5B:188
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric 1
RX packets: 0 errors:0 dropped:0 overruns:0 frames:0
TX packets: 0 errors:0 dropped:0 overruns:0 carrier:0
collisons: 0 txqueuelen:0
RX bytes:0(0.0Kb) TX bytes 0(0.0Kb)
Interrupt:7 Memory:0xfeb60000-0xfeb80000

Notice I had both NIC cards configured with an IP address, yet neither show IP addresses here. When I check the ifcfg files, the IP, NETMASK, and GATEWAY are all there.

So after reading the forums I see to check /proc/pci for any conflicts. Wouldn't you know... for some reason my tape backup drive is listed here twice. AND the second entry is using the same IRQ as eth0. And this second entry is trying to access the memory for eth0. So I need to figure out how to resolve that conflict.

So I removed all network info from eth0, and decided to use eth2 since there are no conflicts. I configured ifcfg-eth1 like the following:

DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
IPADDR=X.X.X.217
NETMASK=255.255.255.0
GATEWAY=X.X.X.1

The ifconfig output for eth1 is still the same - no IP address listed. When I try to ping outside I get Network unreachable. I add the default gateway to the route and get SIOCADDRT: Network is unreachable...
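The two things the poster is reading off that ifconfig listing (the PROMISC flag and the missing inet addr) can be pulled out mechanically. This is an added example, not code from the thread: it parses 2.4-era block-style ifconfig output and dmesg "entered/left promiscuous mode" lines; the sample input is constructed from the transcription above, with interface names and MAC addresses adjusted so each block is distinct.

```shell
#!/bin/sh
# Added example, not from the thread: parse block-style ifconfig output and
# report, per interface, whether PROMISC is set and whether an inet addr is
# bound. Also derive the current promiscuous state from kernel log lines of
# the form "device eth0 entered promiscuous mode" / "device eth0 left promiscuous mode".

# Reads ifconfig output on stdin; prints "<iface> promisc=<yes|no> inet=<addr|none>".
ifconfig_report() {
  awk '
    function flush() {
      if (name != "") printf "%s promisc=%s inet=%s\n", name, promisc, inet
      name = ""; promisc = "no"; inet = "none"
    }
    /Link encap/ { flush(); name = $1 }          # first line of each interface block
    /inet addr:/ { for (i = 1; i <= NF; i++) if ($i ~ /^addr:/) inet = substr($i, 6) }
    /PROMISC/    { promisc = "yes" }             # flags line, e.g. "UP BROADCAST RUNNING PROMISC ..."
    END          { flush() }
  '
}

# Reads ifconfig output on stdin; prints only the interfaces currently in PROMISC.
promisc_ifaces() {
  ifconfig_report | awk '$2 == "promisc=yes" { print $1 }'
}

# Reads dmesg text on stdin; prints interfaces that entered promiscuous mode
# and have not left it since (last state change per device wins).
promisc_from_dmesg() {
  awk '
    /promiscuous mode/ {
      for (i = 1; i < NF; i++) if ($i == "device") dev = $(i + 1)
      state[dev] = ($0 ~ /entered promiscuous mode/) ? 1 : 0
    }
    END { for (d in state) if (state[d]) print d }
  '
}

# Constructed sample modelled on the transcription in post #3 (hypothetical MACs).
SAMPLE_IFCONFIG='lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1

eth0 Link encap:Ethernet HWaddr 00:06:5B:00:00:01
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth1 Link encap:Ethernet HWaddr 00:06:5B:00:00:02
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1'

SAMPLE_DMESG='device eth0 entered promiscuous mode
device eth0 left promiscuous mode
device eth1 entered promiscuous mode'

printf '%s\n' "$SAMPLE_IFCONFIG" | ifconfig_report
printf '%s\n' "$SAMPLE_DMESG" | promisc_from_dmesg
```

On a live box, replace the samples with `ifconfig -a | ifconfig_report` and `dmesg | promisc_from_dmesg`; an interface in PROMISC that no sniffer you run accounts for is the finding the later replies in this thread are concerned with.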

 
Old 02-26-2004, 03:40 PM   #4
complus
Member
 
Registered: Aug 2003
Distribution: Red Hat 9
Posts: 76

Original Poster
Rep: Reputation: 15
Just calling out for help again... I'm seriously trying to avoid reinstalling the OS and software...

I also get a Segmentation fault when I try to run ll or ls, etc.... I want to try recompiling the kernel, but will that do it?

I'm so lost right now....
 
Old 02-26-2004, 03:52 PM   #5
jludwig
Member
 
Registered: Feb 2004
Distribution: FC6
Posts: 32

Rep: Reputation: 15
That the card comes up in promisc bothers me!!!!!!
-----------------------------------------------------------------------
Be warned trojans will do this.
------------------------------------------------------------------------
Also, any sniffer that is on your system (snort, netdump, iptraf, ethereal, etc.): check carefully if you haven't added a sniffer yourself.
 
Old 02-26-2004, 04:01 PM   #6
complus
Member
 
Registered: Aug 2003
Distribution: Red Hat 9
Posts: 76

Original Poster
Rep: Reputation: 15
Can you please advise what I should check for??
 
Old 02-26-2004, 04:33 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2791
Quote:
Promiscuous mode just means the card is listening to / receiving all packets that happen to be on the line at that moment (...) Not abnormal during bootup, AFAIK.
Only if you *know* you're running any form of sniffer (including benign ones like tcpdump, Snort, like that).


BTW, your kernel is stale and 2.4.25 is considered the last good one incorporating all bugfixes.
An upgrade is necessary. If you don't, make sure you know why, and take additional precautions.


Quote:
Just calling out for help again... I'm seriously trying to avoid reinstalling the OS and software...
I also get a Segmentation fault when I try to run ll or ls, etc.... I want to try recompiling the kernel, but will that do it?

If you get segfaults (application trying to access memory beyond what it has "access rights" for) in combination with a network interface in promiscuous mode, that smells like a cracked box to me.
Any box that exhibits these symptoms should be considered UNSAFE for operations.


Quote:
I'm so lost right now....
1. List (and post output) your processes and network connections if you can,
2. Drop to runlevel 1 (cuts off network access and kills daemons) and rerun point 1 and notice differences, then power off the box,
3. mount the HD readonly on another box, or run a bootable CD like Knoppix, FIRE, PSK,
- compile Chkrootkit (do not use utilities from the suspected HD) and run it
- if you can, run a copy of your package management tool (do not use utilities from the suspected HD) to verify checksums
- search for setuid files in uncommon locations
- search for files in uncommon locations
- check your authentication files for added users and groups
- check your access logs
- check your system logs
- check your firewall logs
4. Please do not power on the box again before you have posted output here and give proof positive the box is clean.

Last edited by unSpawn; 02-26-2004 at 04:40 PM.
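Two of the offline checks in the list above (added users and groups in the authentication files, and setuid files in uncommon locations) can be scripted against a suspect root filesystem mounted read-only from a rescue CD. This is an added example, not the poster's or the thread's code; the mount path argument, the directory exclusions and the sample tree it builds (including the account name "svcadm") are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: offline triage checks for a suspect
# root filesystem mounted read-only under $1 (e.g. from a Knoppix boot),
# covering two items from the list above: extra UID-0 accounts and setuid
# binaries outside the usual system directories. Package checksum
# verification is distro-specific (e.g. rpm -Va run with a trusted rpm binary)
# and is not covered here.

# Prints account names with UID 0 other than root from the given passwd file.
extra_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Prints setuid regular files under the mounted root that live outside
# /bin, /sbin and /usr (the places where setuid binaries normally belong).
# -xdev keeps find on the suspect filesystem itself.
setuid_outside() {
  root=$1
  find "$root" -xdev -type f -perm -4000 \
    ! -path "$root/bin/*" ! -path "$root/sbin/*" ! -path "$root/usr/*" -print
}

# Builds a constructed sample tree (hypothetical data, for demonstration only)
# and prints its path: a normal setuid passwd under /usr/bin, a setuid copy of
# ls hidden in /tmp/.cache, and a passwd file with a second UID-0 account "svcadm".
make_sample_root() {
  t=$(mktemp -d)
  mkdir -p "$t/etc" "$t/usr/bin" "$t/tmp/.cache"
  printf 'root:x:0:0:root:/root:/bin/bash\n' > "$t/etc/passwd"
  printf 'svcadm:x:0:0::/tmp/.cache:/bin/sh\n' >> "$t/etc/passwd"
  printf 'nobody:x:99:99::/:/sbin/nologin\n' >> "$t/etc/passwd"
  : > "$t/usr/bin/passwd"; chmod 4755 "$t/usr/bin/passwd"
  : > "$t/tmp/.cache/ls";  chmod 4755 "$t/tmp/.cache/ls"
  printf '%s\n' "$t"
}

# Stand-alone run against the constructed tree.
SAMPLE_ROOT=$(make_sample_root)
echo "extra UID-0 accounts:"; extra_uid0_accounts "$SAMPLE_ROOT/etc/passwd"
echo "setuid files in uncommon locations:"; setuid_outside "$SAMPLE_ROOT"
rm -rf "$SAMPLE_ROOT"
```

Against a real mount, call `extra_uid0_accounts /mnt/suspect/etc/passwd` and `setuid_outside /mnt/suspect` from the rescue system's own binaries, not from the suspect disk.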
 
Old 02-26-2004, 04:56 PM   #8
jludwig
Member
 
Registered: Feb 2004
Distribution: FC6
Posts: 32

Rep: Reputation: 15
True, but trojans also do this to locate other systems to zombie and to get open passwords on a LAN.
 
Old 02-26-2004, 05:05 PM   #9
complus
Member
 
Registered: Aug 2003
Distribution: Red Hat 9
Posts: 76

Original Poster
Rep: Reputation: 15
unspawn & jludwig - thanks for your replies

I took my box off the network, but I have already rebooted. I have also blocked the access through my firewall so nothing should be able to reach my server except for me at the console.

When I booted I could not get past "Bringing up loopback interface". I rebooted again and went through an interactive startup and did not start network services. So I am not sure my output from #1 will help...

Also, I do not have another box to mount the HD to....

I've checked access logs and there is nothing uncommon in there - only requests for my web pages, and a few requests for robot.txt. I am checking firewall logs now...

I know this is not a solution, and while I would like to find out why this all happened - my initial (newbie) response is to reformat the box, change the IP and public IP that my domain points to and start fresh... down time is a serious issue here - and until we switch over to a better machine (and HP-UX... which should happen very soon) I need to have the machine up and running....
 
Old 02-26-2004, 05:23 PM   #10
jludwig
Member
 
Registered: Feb 2004
Distribution: FC6
Posts: 32

Rep: Reputation: 15
Happy to help

BTW, when I first set up my iptables FW I was so proud of my effort I visited a hackers' web site. It took about 3 seconds for them to be in my box. It was new so I just reformatted and reinstalled.

But I learned this: a secure box is a work in progress.
 
Old 02-26-2004, 06:21 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2791
Quote:
I took my box off the network, but I have already rebooted.
Hmm. Next time please think before you panic :-]
Not that you stand much of a chance of gathering information on a subverted box, but any information is useful information. Also a reboot will not fix things if you don't know what to disable first. If you positively have to run the box, then disconnect it from the network, drop to runlevel 1 and stay there.


Quote:
I have also blocked the access through my firewall so nothing should be able to reach my server except for me at the console.
Jludwig made an excellent point you should investigate boxen local to your networks as well. The original purpose of the subverted box doesn't matter anymore (I mean it's not an excuse to not investigate).


Quote:
When I booted I could not get past "Bringing up loopback interface". I rebooted again and went through an interactive startup and did not start network services. So I am not sure my output from #1 will help...
No, won't.


Quote:
Also, I do not have another box to mount the HD to....
Then run Knoppix. If it's paramount you get the box back up, dd an image of the box out to storage for future investigation (if you're interested, that is), then use the three R's: reformat the box, repartition, then reinstall from scratch (don't use backups unless you have external means of verifying the backup is untainted). Do NOT make backups except for verified clean (, human readable) files. No binaries. Make sure you check out the LQ FAQ: Security references. Harden the box. (OK, that's prolly easier said than done, but we're a helpful bunch, and the Linux - Security forum is nearby).


Quote:
I know this is not a solution, and while I would like to find out why this all happened - my initial (newbie) response is to reformat the box, change the IP and public IP that my domain points to and start fresh...


Quote:
down time is a serious issue here
If downtime is a serious issue, tell your management that well-invested time now will save time later on.


One last note: don't mess up your priorities. A subverted box is a hazard to the whole 'net community. Good luck.
 
Old 02-26-2004, 06:52 PM   #13
complus
Member
 
Registered: Aug 2003
Distribution: Red Hat 9
Posts: 76

Original Poster
Rep: Reputation: 15
Thank you again for your post. You're right - I panicked - mostly because this could not have come at a worse time...
 
Old 02-26-2004, 06:56 PM   #14
complus
Member
 
Registered: Aug 2003
Distribution: Red Hat 9
Posts: 76

Original Poster
Rep: Reputation: 15
I do have one more question - I am still on RH 7.3 but would like to upgrade to a more current version. I keep hearing people say RH is free - weird cause we paid for ours.... Where is a good (trusted) place that I can get a copy?

Thanks
 
Old 02-27-2004, 01:22 AM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2791
If you bought it, just use the CDs and upgrade, (w)getting the rpms from a mirror. Note RHL7x was EOL'ed December 2003. Yes, you can still run RHL7.x, but running it requires more work than running a current distro. If you're a newbie, and there are no application version problems, it would be good (maintenance- and thus security-wise) to switch/upgrade to a current distro.
RHL9.x will be phased out soon too.
 