LinuxQuestions.org


emetib 08-22-2004 12:58 PM

eth0 promiscuous mode?
 
i was looking over my security logs and noticed this-

Aug 21 04:05:00 cerberus : Security warning : eth0 is in promiscuous mode.
Aug 21 04:05:00 cerberus : A sniffer is probably running on your system.

would this be me, or someone else?
if someone else, how do i make it so that my eth isn't in prom mode?
should i set up my snort to look at who might be wanting to hack me. *

i also noticed a couple of ip's that someone is trying to get into me as root. i've sent emails to the whois contacts that came up saying to leave me alone and that they might want to look at who is trying to do this. but since they are in different countries, around the world, i don't know if it has done much good.

any ideas?

thanks.

edit: * sorry i should have said crack me.

hob 08-22-2004 02:48 PM

I wouldn't be concerned about foreign IPs trying to get root on a public machine without evidence that the login was successful. If you run a public machine inevitably somebody will probe it to see if it's a soft target. If a packet sniffer is actually being run without your knowledge, then that might be evidence.

VMWare also sets the Ethernet interface to promiscuous in some cases. Otherwise it's done by either a packet sniffer or configuring the interface directly, I think. If you have any doubt that a publicly-accessible box is no longer safe, then unfortunately you have to assume that it isn't.

Try posting to the Security forum or a more specialised site for some expert advice, and please don't hesitate to disconnect the box.

Packet sniffers are particularly bad news - any data that wasn't passed in encrypted form has potentially been taken. For safety any passwords that have gone over the network to any destination (including remote Websites) would need to be changed.

emetib 08-22-2004 05:44 PM

thanks.

your thought on vmware makes me think that my vnc is probably what is doing it. nothing was accepted on the attempts, so i'm not really worried in the sense to unplug, but it was just annoying to see the root attempts along with about 5 other common names.

no passwords are sent plaintext. only through ssh tunnels.

i did run an nmap with a couple of differing options to see some things. it says 'good luck!' on the security option. so i would think that it's ok.

thanks for your reply.
cheers.

Capt_Caveman 08-23-2004 05:51 AM

You should absolutely be concerned if you're seeing that message and aren't running any apps that might use promiscuous mode. Something like tcpdump or Snort will normally run in promiscuous mode and would generate that message. Take a look at the list of currently running processes and see if you see anything that might be a) causing a false alarm or b) looks abnormal. You might want to download and run a scan with chkrootkit or rootkit hunter as well. I don't believe VNC would generate such a message; it should just run as a standard daemon listening on a tcp port.

hob 08-23-2004 07:10 AM

I don't think that VNC would set promiscuous mode either. VMWare does clever stuff to set up networking between the virtual machines and the host machine, but regular apps and services don't change the interface mode.

emetib 08-23-2004 07:06 PM

capt
did the chkrootkit, says that nothing is deleted, yet this is only the first time that i have run it. don't know if that makes a difference or not though.

i took a look at ps ax
the only things that i can see that might be keeping me promiscuous are-
prelude, snort variant
portmap, and
squid.

from what i have read, i would think out of those that it's squid. i'm probably wrong though. i get the security checks sent to me each day, this was the first time that i looked thoroughly at it. i just looked at it again today, and the world writable files that i found, i changed yesterday, yet they are still coming up once more. so i'm not sure what's up. i did a diff on them and they are different. yet it doesn't make sense that some of the files that are showing up are ones that i know have been altered since install, but haven't in a month.

????

Capt_Caveman 08-23-2004 10:54 PM

Snort will put the interface in promiscuous mode. I don't know what you mean by Snort variant, but I'm assuming it runs in a similar manner to Snort. Squid shouldn't listen in promiscuous mode.

With regards to the chkrootkit output, what was the output from the "checking sniffer" test? You can just do this if you are unsure: ./chkrootkit -q sniffer

Could you also post the output of: ip link show eth0

emetib 08-24-2004 04:18 PM

nothing for the chkrootkit
and the other does show promisc.

[root@cerberus chad]# chkrootkit -q sniffer
[root@cerberus chad]# ip link show eth0
2: eth0: <BROADCAST,MULTICAST,ALLMULTI,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:04:5a:50:a8:3d brd ff:ff:ff:ff:ff:ff

http://www.prelude-ids.org/

how do i get rid of the promisc? and then is it bad? i'll do some reading on it if i can find anything.

thanks.

Capt_Caveman 08-24-2004 07:45 PM

Ok, Prelude includes a packet sniffer for detecting malicious traffic. In order to sniff traffic, prelude and similar apps like snort put the interface in promiscuous mode. So seeing the "eth0 is in promiscuous mode" message is to be expected and isn't "bad" by any means (it's just a normal part of how those apps work). You can test this quite easily by stopping prelude and any of its processes and then re-running the 'ip link show eth0' command. You should see the PROMISC flag disappear.
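As an added example (not code from the thread or from Prelude), here is a small POSIX shell check that decides the same question the posts above settle by eye: it reads the PROMISC flag out of `ip link show` output (the sample is the eth0 output posted earlier in this thread) and, on a live Linux host, decodes the IFF_PROMISC bit (0x100) directly from /sys/class/net/<if>/flags. The interface name and sysfs path are assumptions for a Linux host.

```shell
#!/bin/sh
# Added example: detect promiscuous mode on a network interface without
# trusting a daily security e-mail. IFF_PROMISC is bit 0x100 in <linux/if.h>.

# Constructed sample: the `ip link show eth0` output posted in this thread.
SAMPLE_IP_LINK='2: eth0: <BROADCAST,MULTICAST,ALLMULTI,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:5a:50:a8:3d brd ff:ff:ff:ff:ff:ff'

# promisc_from_iplink "<ip link output>" -> prints yes/no.
# Only the <...> flag list on the first line is inspected, so the word
# appearing anywhere else (e.g. in an alias) cannot cause a false match.
promisc_from_iplink() {
    flags=$(printf '%s\n' "$1" | sed -n '1s/^[^<]*<\([^>]*\)>.*$/\1/p')
    case ",$flags," in
        *,PROMISC,*) echo yes ;;
        *)           echo no  ;;
    esac
}

# promisc_from_sysfs_flags "<hex value of /sys/class/net/IF/flags>" -> yes/no.
# e.g. 0x1003 (UP|BROADCAST|MULTICAST) -> no, 0x1103 (same + PROMISC) -> yes.
promisc_from_sysfs_flags() {
    if [ $(( $1 & 0x100 )) -ne 0 ]; then echo yes; else echo no; fi
}

# check_interface IFNAME -> yes/no for a live interface, read from sysfs;
# prints "unknown" when the interface does not exist (assumes Linux).
check_interface() {
    f="/sys/class/net/$1/flags"
    [ -r "$f" ] || { echo unknown; return; }
    promisc_from_sysfs_flags "$(cat "$f")"
}

# Demonstration on the constructed sample (no root needed):
echo "sample eth0 promiscuous: $(promisc_from_iplink "$SAMPLE_IP_LINK")"
# On a real host: check_interface eth0
```

Run `check_interface eth0` before and after stopping prelude (or snort) to confirm, as suggested above, that the sniffer is what holds the flag; if it stays "yes" with no capture process running, that is the case worth investigating.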

emetib 08-26-2004 06:51 PM

ok, i'll give it a shot and play around some with it.

thanks for the advice, i appreciate it.
cheers.

