LinuxQuestions.org
Old 02-28-2003, 08:53 AM   #1
jstu
Member
 
Registered: Jan 2002
Distribution: slackware
Posts: 193

Rep: Reputation: 30
Nic question


I found this in /var/log/messages; it looks to me like my NIC went down for a little bit. Everything seems to be working fine. I was just wondering if anyone has seen this before and if it is something I should be concerned with?

Feb 27 07:12:03 RServer kernel: e1000: eth0 NIC Link is Down
Feb 27 07:12:12 RServer kernel: e1000: eth0 NIC Link is Up 100 Mbps Full Duplex
Feb 27 07:12:19 RServer kernel: e1000: eth0 NIC Link is Down
Feb 27 07:12:26 RServer kernel: e1000: eth0 NIC Link is Up 100 Mbps Full Duplex

Thanks
 
Old 02-28-2003, 10:51 AM   #2
SlickWilly
Member
 
Registered: Dec 2002
Posts: 327

Rep: Reputation: 30
Your worriedness should be directly related to the position of this box.

Is it connected to the net? Is it firewalled, is it a home machine or a corporate machine... and so on.

You should *not* be seeing this sort of thing unless you're expecting it. Say, for instance, you were connected via cable modem and your cable modem went out - you would get assigned a new ip (possibly), and your nic might report a link loss, but you would *NOT* see your network card go down.

Likewise, if this was a power loss and your machine rebooted unexpectedly you'd see a whole lot more messages around it than you have.

If it's a corporate environment does anyone else have access to this box? If not, then you can assume that someone else *does* have access to this box.

Looking at the timings there on your messages, this is not a short spiky interrupt. Someone has downed your interface... done something, then up'd it. Downed it again (one assumes done something else) and up'd it again.

I would be suspicious. Even though everything's 'working alright' you may well have a compromise here, and someone has replaced, say your netstat, ifconfig, (ps, login, and a whole heap of other) programs with trojan'd versions.

If I were you I'd look around for any other messages in your logs around that time, and also download a root-kit checker :

http://freshmeat.net/projects/chkrootkit/?topic_id=43

G'luck..
Slick.


I would
 
Old 02-28-2003, 12:24 PM   #3
jstu
Member
 
Registered: Jan 2002
Distribution: slackware
Posts: 193

Original Poster
Rep: Reputation: 30
Thanks for your reply,
I have the machine on an internal network with a firewall between it and the internet and also a pretty strict firewall running on the box. I guess my question now is that if the machine has been compromised, it would have to be from a remote user, and how would they take eth0 down and then be able to bring it up 9 seconds later? They would lock themselves out of the machine, wouldn't they?
 
Old 02-28-2003, 12:49 PM   #4
SlickWilly
Member
 
Registered: Dec 2002
Posts: 327

Rep: Reputation: 30
Indeed.. one would imagine so.

However, it's fairly trivial to write something, stick it in a cron job, for instance and have *your machine* bring the interface up and down.

Simply typing 'ifdown eth0' would sever a connection, but if I were prepping a box as a zombie I'm sure I'd figure out a way around it... (see above as one option off the top of my head.)

Did you try the root-kit thing above?

Slick.
 
Old 02-28-2003, 01:25 PM   #5
jstu
Member
 
Registered: Jan 2002
Distribution: slackware
Posts: 193

Original Poster
Rep: Reputation: 30
Ya, I did try the root kit. The only thing suspicious it came up with was a hidden file named .packlist that is under the /usr/lib/perl5 directory, but it looks like it just contains text about the installed perl packages. I've done a hidden file search. Nothing unusual. And I checked wtmp and no one was recorded logging in around that time. I don't know. I could maybe reinstall the net-tools package, just in case they are trojaned like you said.
 
Old 02-28-2003, 02:10 PM   #6
SlickWilly
Member
 
Registered: Dec 2002
Posts: 327

Rep: Reputation: 30
In the end only you can decide. It *might* have been someone on the console - I don't know, and only you do.

There's quite a bit more than net-tools which can be compromised though.

Fairly recently I had the unpleasant task of discovering a box that had been compromised by an openssh vulnerability. Fortunately the skript-kiddie involved had left a trail a mile wide through the system, and had installed the subseven trojan.

Among the list of commands compromised were :

ps
ls
netstat
ifconfig
login

and some others. You can simply read down the list of the chkrootkit output to see what they're looking for. .packlist is a valid perl file and if your test reveals nothing untoward then you can figure yourself fairly safe...

However, I personally would keep an eye on that box, but that's me..

Slick.
 
Old 02-28-2003, 02:25 PM   #7
jstu
Member
 
Registered: Jan 2002
Distribution: slackware
Posts: 193

Original Poster
Rep: Reputation: 30
Cool I will. Thanks for your help
 
Old 02-02-2004, 12:28 AM   #8
kensin
LQ Newbie
 
Registered: Feb 2004
Posts: 2

Rep: Reputation: 0
Dear jstu, I have met the same problem. My NIC goes down and up every several seconds.

This is a web server, and the OS is RH8.0. The machine worked well for 1 year, but about one week ago it began having trouble.

Dear jstu, how did you resolve this problem? Please help me.
Any advice is appreciated.
 
Old 02-02-2004, 12:34 AM   #9
snacky
Member
 
Registered: Feb 2004
Distribution: Debian
Posts: 286

Rep: Reputation: 30
There are two things that come to mind - one, if the jacks lose contact on either end of the ethernet connection, this message will be printed.

Two - this might sound stupid, but it's not uncommon for init scripts to bring the if down after it comes up - did those events occur near a reboot or at least a runlevel change?

I strongly doubt anyone is maliciously using ifup and ifdown. The most likely explanation is that it's losing the carrier signal. I dunno, maybe there's a big powerful fridge switching on and off next to the cables...
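
As an added example (not code from any poster in this thread), the log review suggested earlier in the thread can be scripted: the Python below pairs each e1000 "Link is Down" with the following "Link is Up", reports how long the link stayed down, and lists other log lines near each event, where a reboot, runlevel change or cron run would show up. The assumed year, the 60-second window and the two non-e1000 sample lines are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in /var/log/messages format: the four e1000 lines are
# the ones quoted in the thread, the crond and sshd lines are invented context.
SAMPLE = """\
Feb 27 07:11:58 RServer crond[412]: (root) CMD (/usr/local/bin/example-job)
Feb 27 07:12:03 RServer kernel: e1000: eth0 NIC Link is Down
Feb 27 07:12:12 RServer kernel: e1000: eth0 NIC Link is Up 100 Mbps Full Duplex
Feb 27 07:12:19 RServer kernel: e1000: eth0 NIC Link is Down
Feb 27 07:12:26 RServer kernel: e1000: eth0 NIC Link is Up 100 Mbps Full Duplex
Feb 27 09:30:00 RServer sshd[900]: constructed unrelated line
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")
LINK = re.compile(r"(\w+) NIC Link is (Up|Down)")

def parse(text, year=2003):
    """Yield (timestamp, tag, message); syslog omits the year, so one is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(3), m.group(4)

def link_outages(text):
    """Pair each 'Link is Down' with the next 'Link is Up' per interface."""
    down, outages = {}, []
    for ts, _tag, msg in parse(text):
        m = LINK.search(msg)
        if m and m.group(2) == "Down":
            down.setdefault(m.group(1), ts)
        elif m and m.group(1) in down:
            start = down.pop(m.group(1))
            outages.append((m.group(1), start, int((ts - start).total_seconds())))
    return outages

def context(text, outages, window=60):
    """Non-link log lines within `window` seconds of the start of any outage."""
    w = timedelta(seconds=window)
    return [(ts, tag, msg) for ts, tag, msg in parse(text)
            if not LINK.search(msg)
            and any(abs(ts - start) <= w for _i, start, _d in outages)]

if __name__ == "__main__":
    found = link_outages(SAMPLE)
    for iface, start, secs in found:
        print(f"{iface} down at {start:%b %d %H:%M:%S} for {secs}s")
    for ts, tag, msg in context(SAMPLE, found):
        print(f"nearby: {ts:%H:%M:%S} {tag}: {msg}")
```

Link events with nothing nearby from init scripts, cron or a login point towards the cable, switch port or NIC; nearby process activity is what to read next.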
 
Old 02-02-2004, 12:58 PM   #10
jstu
Member
 
Registered: Jan 2002
Distribution: slackware
Posts: 193

Original Poster
Rep: Reputation: 30
I wish I had an answer for you; it just stopped happening.
 
Old 02-03-2004, 02:36 AM   #11
kensin
LQ Newbie
 
Registered: Feb 2004
Posts: 2

Rep: Reputation: 0
Thanks to snacky and jstu.

I suspect my NIC has trouble which makes it unable to connect to the switch properly.
I will try changing to a new NIC.

Last edited by kensin; 02-03-2004 at 10:12 AM.
 
  


All times are GMT -5.