kernel: device eth0 entered promiscuous mode
Recently I've started getting a lot of entries in /var/log/messages like this:
Sep 21 16:55:08 jimmy kernel: device eth0 entered promiscuous mode Sep 21 16:55:34 jimmy kernel: device eth0 left promiscuous mode I haven't changed any configuration on the server, but I did recently end up listed on UCEPROTECT with "portscans or hacking attempts were seen against an UCEPROTECT-System." So, it is possible there has been a system breach (which is why I started poking in the logs and saw these promiscuous entries). Can somebody help me understand what the promiscuous mode messages are for and the likelihood they relate to a security breach? TIA, David |
Promiscuous mode is when your ethernet card accepts ALL traffic it receives. It's used when you're running a program like Wireshark to listen to the network (most effective in a hubbed network, or on a mirror port on your switch).
|
Thanks...I'm not running wireshark or similar--haven't added/changed any software for months, but this notice just started showing up in log.
|
Moved: Since the OP asks for "the likelihood they relate to a security breach" this thread has been moved to the Linux Security forum in the hope that this thread/question gets more thorough responses than the first reply (meaning actually addressing looking for signs of a compromise).
|
Quote:
|
System was breached via root access...taking it offline tonight to scrub it, will be moving to new hw and new centos install shortly. Was planning to upgrade anyway, so this seals the deal. There were a bunch of bad decisions relating to security on this system which need to be addressed in new install.
Attackers installed series of perl scripts in /usr/lib/.a dir which do something linked to a server in germany and also something related to phpmyadmin oddly enough. Somehow in all this there is something to do with the promiscuous mode stuff as well but I'm not advanced enough to figure it out yet. |
The probably wanted to see if they could sniff out any unencrpypted information (like passwords) on your lan.
|
Quote:
|
Logwatch (patched : http://www.linuxquestions.org/blog/u...alarky-2308/):
Code:
--------------------- httpd Begin ------------------------ Cron daemon log: Code:
"crontab[nnnnn]: (apache) REPLACE (apache)" Audit.log: Code:
type=ANOM_PROMISCUOUS msg=audit(tttttttttt.ttt:ttttttt): dev=eth0 prom=0 old_prom=256 auid=nnnnnnnnnn" type=ANOM_PROMISCUOUS: eth0 promiscuous mode Code:
type=SYSCALL msg=audit(tttttttttt.ttt:ttttttt): arch=nnnnnnnn syscall=102 success=yes exit=0 a0=e a1=aaaaaaaa a2=2 a3=4 items=0 ppid=nnnnn pid=nnnnn auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="ss" exe="/usr/lib/.a/s/ss" key=(null) Code:
type=USER_CHAUTHTOK msg=audit(tttttttttt.ttt:ttttttt): user pid=nnnnn uid=0 auid=0 msg='op=adding user acct=sshd exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=pts/3 res=failed)' While the above logs don't show an exact timeline or complete overview of cracker activity it shows that reading log reports helps you expose crackers. The machine was torn down by the OP. |
Quote:
Following on to this question is the situation with the sshd hack/trojan...it turns out that the sshd was removed/replaced on the system and was logging passwords locally. Again, how does a bot executing as a relatively unprivileged user (with no login, ie. apache/apache) gain enough privilege to zap root privileged items off the system? Can this happen without being root? My understanding is that at some point the process/user would have to obtain root status to achieve this. Just curious...these are both scenarios beyond my understanding of the internals. Call me naive if you will... Beyond a) greater log analysis and b) better php coding (which both require time/money and therefore are competing with other interests), given the current batch of logs don't indicate the exact point of entry or path to root access of the system (I'm assuming that occurred at some point to achieve the sshd replacement), what steps can be taken that will yield a high probability of this specific attack NOT occurring in the future? It would seem to me that even if one were performing the sort of more rigorous log analysis you suggest, it would be possible to see this sort of advanced warning and still not be able to prevent it precisely? |
Quote:
Quote:
Quote:
Basically what we're looking for is hardening the complete LAMP: first the OS, then networking in general, then the application stack. As my time is short (If you look at RKH's rlog you'll see I haven't even been able to work on RKH the past 5 days) I'll add information layer-wise the coming days. Meanwhile you could check out the LQ FAQ: Security references (or better: the cleaned version at http://rkhunter.wiki.sourceforge.net/SECREF). Quote:
|
Quote:
Quote:
|
All times are GMT -5. The time now is 07:47 PM. |