LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 08-22-2004, 12:58 PM   #1
emetib
Member
 
Registered: Feb 2003
Posts: 482

Rep: Reputation: 33
eth0 promiscuous mode?


i was looking over my security logs and noticed this-

Aug 21 04:05:00 cerberus : Security warning : eth0 is in promiscuous mode.
Aug 21 04:05:00 cerberus : A sniffer is probably running on your system.

would this be me, or someone else?
if someone else, how do i make it so that my eth isn't in prom mode?
should i set up my snort to look at who might be wanting to hack me. *

i also noticed a couple of ip's that someone is trying to get into me as root. i've sent emails to the whois contacts that came up saying to leave me alone and that they might want to look at who is trying to do this. but since they are in different countries, around the world, i don't know if it has done much good.

any ideas?

thanks.

edit: * sorry i should have said crack me.

Last edited by emetib; 08-22-2004 at 12:59 PM.
 
Old 08-22-2004, 02:48 PM   #2
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
I wouldn't be concerned about foreign IPs trying to get root on a public machine without evidence that the login was successful. If you run a public machine inevitably somebody will probe it to see if it's a soft target. If a packet sniffer is actually being run without your knowledge, then that might be evidence.

VMWare also sets the Ethernet interface to promiscious in some cases. Otherwise it's done by either a packet sniffer or configuring the interface directly, I think. If you have any doubt that a publically-accessible box is no longer safe, then unfortunately you have to assume that it isn't.

Try posting to the Security forum or a more specialised site for some expert advice, and please don't hesitate to disconnect the box.

Packet sniffers are particularly bad news - any data that wasn't passed in encrypted form has potentially been taken. For safety any passwords that have gone over the network to any destination (including remote Websites) would need to changed.

Last edited by hob; 08-22-2004 at 02:49 PM.
 
Old 08-22-2004, 05:44 PM   #3
emetib
Member
 
Registered: Feb 2003
Posts: 482

Original Poster
Rep: Reputation: 33
thanks.

your thought on vmware, makes me think that my vnc is probably what is doing it. nothing was excepted on the attempts, so i'm not really worried in the sence to unplug, but it was just annoying to see the root attempts along with about 5 other common names.

no passwords are sent plaintext. only through ssh tunnels.

i did run an nmap with a couple of differing options to see some things. it says 'good luck!' on the security option. so i would think that it's ok.

thanks for your reply.
cheers.
 
Old 08-23-2004, 05:51 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
You should absolutely be concerned if you're seeing that message and aren't running any apps that might use promiscuous mode. Something like tcpdump or Snort will nomally run in promiscuous mode and would generate that message. Take a look at the list of currently running process and see if you see anything that might be a)causing a false alarm or b)looks abnormal. You might want to download and run a scan with chkrootkit or rootkit hunter as well. I don't believe VNC would generate such a message; it should just run as a standard daemon listening on tcp port.
 
Old 08-23-2004, 07:10 AM   #5
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
I don't think that VNC would set promiscious mode either. VMWare does clever stuff to set up networking between the virtual machines and the host machine, but regular apps and services don't change the interface mode.
 
Old 08-23-2004, 07:06 PM   #6
emetib
Member
 
Registered: Feb 2003
Posts: 482

Original Poster
Rep: Reputation: 33
capt
did the chkrootkit, says that nothing is deleted, yet this is only the first time that i have ran it. don't know if that makes a difference of not though.

i took a look at ps ax
that only things that i can see that might be keeping me promiscuous are-
prelude, snort variant
portmap, and
squid.

from what i have read, i would think out of those that it's squid. i'm probably wrong though. i get the security checks sent to me each day, this was the first time that i looked thoroughly at it. i just looked at it again today, and the world writable files that i found, i changed yesterday, yet they are still coming up once more. so i'm not sure what's up. i did a diff on them and they are different. yet it doesn't make sense that some of the files that are showing up are ones that i know have been altered since install, but haven't in a month.

????
 
Old 08-23-2004, 10:54 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Snort will put the interface in promiscuous mode. I don't know what you mean by Snort variant, but I'm assuming it runs in a similar manner to Snort. Squid shouldn't listen in promiscuos mode.

With regards to the chkrootkit output, what was the ouptut from the "checking sniffer" test? You can just do this if you are unsure: ./chkrootkit -q sniffer

Could you also post the output of: ip link show eth0
 
Old 08-24-2004, 04:18 PM   #8
emetib
Member
 
Registered: Feb 2003
Posts: 482

Original Poster
Rep: Reputation: 33
nothing for the chkrootkit
and the other does show promisc.

[root@cerberus chad]# chkrootkit -q sniffer
[root@cerberus chad]# ip link show eth0
2: eth0: <BROADCAST,MULTICAST,ALLMULTI,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:04:5a:50:a8:3d brd ff:ff:ff:ff:ff:ff

http://www.prelude-ids.org/

how do i get rid of the promisc? and then is it bad? i'll do some reading on it if i can find anything.

thanks.
 
Old 08-24-2004, 07:45 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Ok, Prelude includes a packet sniffer for detecting malicious traffic. In order to sniff traffic, prelude and similar apps like snort, put the interface in promiscuous mode. So seeing the "eth0 is in promiscuous mode" message is to be expected and isn't "bad" by any means (it's just a normal part of how those apps work). You can test this quite easily by stopping prelude and any of it's processes and then re-running the 'ip link show eth0' command again. You should see the PROMISC flag dissappear.
 
Old 08-26-2004, 06:51 PM   #10
emetib
Member
 
Registered: Feb 2003
Posts: 482

Original Poster
Rep: Reputation: 33
ok, i'll give it a shot and play around some with it.

thanks for the advice, i appreciate it.
cheers.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
eth0 entering promiscuous mode redhax8 Debian 4 10-18-2004 12:38 AM
Eth0 : Promiscuous mode enabled singhrishi Linux - Hardware 1 10-10-2003 01:24 PM
Eth0 : Promiscuous mode enabled singhrishi Linux - Networking 0 10-10-2003 07:10 AM
Eth0 : Promiscuous mode enabled singhrishi Linux - Software 0 10-10-2003 04:23 AM
eth0 promiscuous mode susx Linux - Networking 11 09-22-2001 12:39 AM


All times are GMT -5. The time now is 01:28 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration