
Re: Promiscuous mode (was Re: ifconfig doesn't report Promiscuous interfaces)



On Fri, Mar 16, 2001 at 10:27:23PM -0600, JonesMB wrote:
> 
> >Hi, Are you sure that this machine wasn't compromised ???
> 
> this line made me wonder about what the correct output of ifconfig should 
> be.  I assume that if I am not listening on the port, the PROMISC entry 
> should not be reported in ifconfig.  I should only see PROMISC if I am 
> running tcpdump, ethereal or some other program that listens on the 
> ethernet port.

There's no reason for an interface to be in PROMISC mode by default.  Responsible
sniffers should do the equivalent of `ifconfig ethX -promisc` upon being
shut down/killed.  Unfortunately, I've dealt w/ programs (ntop comes to mind)
that neglected to do this.

> 
> On eth0, I see PROMISC all the time.  On eth1 & eth2, I only see it when I 
> am running tcpdump.  I have ipchains denying all traffic on the link that 
> is directly connected to the net.  This is run before the interfaces are 
> configured.  Despite ipchains, all services (telnet, ftp, apache etc) are 
> turned off coz I don't use them.  I run apt-get update/upgrade daily to 
> keep up with security updates from security.debian.org.  The kernel is 2.2.17
> 

eth[12] sound correct..

> Is there any reason for eth0 to be showing PROMISC all the time or is this 
> a sign that the system has somehow been compromised and someone/something 
> is capturing all internet traffic?  Everything looks fine on the 
> system.  Hopefully I am being unnecessarily paranoid.
> 

Check your init scripts; there may be something in there that turns PROMISC on,
that you (or a script) may have put in there by accident.  The fact that you
can actually see that eth0 is in PROMISC mode implies that the possible
intruder didn't bother covering his/her tracks; thus, finding other details
of a break-in wouldn't be too hard.

> jmb 
> 

-- 
"... being a Linux user is sort of like living in a house inhabited
by a large family of carpenters and architects. Every morning when
you wake up, the house is a little different. Maybe there is a new
turret, or some walls have moved. Or perhaps someone has temporarily
removed the floor under your bed." - Unix for Dummies, 2nd Edition
        -- found in the .sig of Rob Riggs, rriggs@tesser.com
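
Added example, not part of the original message: a shell script for the two checks suggested in the reply (which interfaces currently have PROMISC set, and which init scripts turn it on). It assumes a Linux kernel that exposes `/sys/class/net/<iface>/flags`, which is newer than the 2.2.17 kernel in the thread; the function names and the `/etc/init.d` and `/etc/rc.local` paths are illustrative assumptions.

```shell
#!/bin/sh
# Added example: report interfaces with IFF_PROMISC set and init scripts
# that enable promiscuous mode.

IFF_PROMISC=256   # 0x100, the IFF_PROMISC bit from <linux/if.h>

# has_promisc FLAGS -> exit status 0 if the IFF_PROMISC bit is set.
# FLAGS is the hex word read from sysfs, e.g. 0x1103.
has_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# promisc_ifaces [SYSFS_NET_DIR] -> prints one interface name per line.
# The directory is a parameter so the check can be run against a copy.
promisc_ifaces() {
    dir=${1:-/sys/class/net}
    for f in "$dir"/*/flags; do
        [ -r "$f" ] || continue
        flags=$(cat "$f")
        [ -n "$flags" ] || continue
        if has_promisc "$flags"; then
            basename "$(dirname "$f")"
        fi
    done
}

# promisc_in_scripts PATH... -> prints files that mention "promisc"
# without a leading "-" ("ifconfig ethX -promisc" turns the mode off,
# so those lines are skipped). Matches still need a human to read them.
promisc_in_scripts() {
    grep -rlE '(^|[^-])promisc' "$@"
}

# Report for the local machine.
promisc_ifaces
promisc_in_scripts /etc/init.d /etc/rc.local 2>/dev/null || :
```

An interface listed by `promisc_ifaces` while no sniffer is running, and with no matching init script, is the case the reply says to investigate.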


