On Fri, Mar 16, 2001 at 10:27:23PM -0600, JonesMB wrote:
>
> >Hi, Are you sure that this machine wasn't compromised ???
>
> this line made me wonder about what the correct output of ifconfig should
> be. I assume that if I am not listening on the port, the PROMISC entry
> should not be reported in ifconfig. I should only see PROMISC if I am
> running tcpdump, ethereal or some other program that listens on the
> ethernet port.
There's no reason for an interface to be in PROMISC mode by default. Responsible
sniffers should do the equivalent of `ifconfig ethX -promisc` upon being
shut down/killed. Unfortunately, I've dealt w/ programs (ntop comes to mind)
that neglected to do this.
>
> On eth0, I see PROMISC all the time. On eth1 & eth2, I only see it when I
> am running tcpdump. I have ipchains denying all traffic on the link that
> is directly connected to the net. This is run before the interfaces are
> configured. Despite ipchains, all services (telnet, ftp, apache etc) are
> turned off coz I don't use them. I run apt-get update/upgrade daily to
> keep up with security updates from security.debian.org. The kernel is 2.2.17
>
eth[12] sound correct..
> Is there any reason for eth0 to be showing PROMISC all the time or is this
> a sign that the system has somehow been compromised and someone/something
> is capturing all internet traffic? Everything looks fine on the
> system. Hopefully I am being unnecessarily paranoid.
>
Check your init scripts; there may be something in there that turns PROMISC on,
that you (or a script) may have put in there by accident. The fact that you
can actually see that eth0 is in PROMISC mode implies that the possible
intruder didn't bother covering his/her tracks; thus, finding other details
of a break-in wouldn't be too hard.
> jmb
--
"... being a Linux user is sort of like living in a house inhabited
by a large family of carpenters and architects. Every morning when
you wake up, the house is a little different. Maybe there is a new
turret, or some walls have moved. Or perhaps someone has temporarily
removed the floor under your bed." - Unix for Dummies, 2nd Edition
-- found in the .sig of Rob Riggs, [EMAIL PROTECTED]
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
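A worked check to go with the question above. This is an added example, not something that was posted to the list, and it assumes a current Linux rather than the 2.2.17 box in the thread: sysfs mounted so that /sys/class/net/<if>/flags holds the interface flags in hex (IFF_PROMISC is bit 0x100), an iproute2 "ip" whose "ip -d link show" prints a "promiscuity" counter, and a kernel that logs "entered promiscuous mode". The caveat it demonstrates is the one a practitioner wants today: on current kernels the PROMISC flag that ifconfig and "ip link" print comes from the flags userspace set explicitly, so an interface held promiscuous only by a sniffer's packet socket (tcpdump, ethereal) shows no PROMISC there at all, while the sysfs flags word and the promiscuity counter reflect the kernel's actual state. The script name, the function names and the sample "ip -d link" output are constructed for the example.

```bash
#!/bin/bash
# promisc-check.sh (example name): find Linux interfaces in promiscuous mode.
#
# Assumptions (not from the thread): a kernel with sysfs, where
# /sys/class/net/<if>/flags holds the interface flags in hex and
# IFF_PROMISC is bit 0x100, and an iproute2 "ip" that prints a
# "promiscuity N" counter with "ip -d link show".
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"
IFF_PROMISC=$(( 0x100 ))

# Return 0 if the hex flags word (e.g. 0x1143) has IFF_PROMISC set.
is_promisc_flags() {
    local flags=$(( $1 ))
    [ $(( flags & IFF_PROMISC )) -ne 0 ]
}

# Print the name of every interface under the given sysfs root whose
# flags word has IFF_PROMISC set. The sysfs flags word is the kernel's
# own view, so it catches promiscuity requested by a packet socket
# (tcpdump, ethereal, ntop) as well as by "ifconfig ethX promisc".
list_promisc_sysfs() {
    local root="${1:-$SYSFS_NET}" dir flags
    for dir in "$root"/*; do
        [ -r "$dir/flags" ] || continue
        flags=$(cat "$dir/flags")
        if is_promisc_flags "$flags"; then
            basename "$dir"
        fi
    done
}

# Read "ip -d link show" output on stdin and print each interface whose
# promiscuity counter is non-zero. The <...> flag list in that output
# (like ifconfig's PROMISC) only shows promiscuity set explicitly with
# ifconfig/ip; the counter also shows promiscuity held by a sniffer.
list_promisc_ip() {
    awk '
        /^[0-9]+:/ { name = $2; sub(/:$/, "", name); sub(/@.*/, "", name) }
        /promiscuity/ {
            for (i = 1; i < NF; i++)
                if ($i == "promiscuity" && $(i + 1) + 0 > 0) print name
        }'
}

# Constructed sample of "ip -d link show" output (not captured from a
# real host): eth0 is held promiscuous by a sniffer, so its flag list
# shows no PROMISC, but its counter is 1.
IP_SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0 addrgenmode eui64 numtxqueues 1 numrxqueues 1
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535 addrgenmode none numtxqueues 1 numrxqueues 1'

# Run the parser over the constructed sample; prints "eth0".
demo_ip_sample() {
    printf '%s\n' "$IP_SAMPLE" | list_promisc_ip
}

# Live report from all three sources: sysfs flags, the ip counter and
# the kernel log. Run as: bash promisc-check.sh --scan
main() {
    echo "== sysfs IFF_PROMISC =="
    list_promisc_sysfs
    if command -v ip >/dev/null 2>&1; then
        echo "== ip -d link promiscuity counter =="
        ip -d link show 2>/dev/null | list_promisc_ip
    fi
    echo "== kernel log =="
    dmesg 2>/dev/null | grep -i 'promiscuous mode' || true
}

case "${1:-}" in
    --scan) main ;;
esac
```

If "ip -d link" reports a non-zero counter for an interface but nothing holds a packet socket open (check with "ss -0" or lsof), the same advice as in the reply applies: look at the init scripts and at whatever last touched the interface, because a sniffer that was killed without clearing promiscuous mode looks exactly like one that is still running.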