Re: [suse-security] strange kernel message.
This is not a good thing, Mirek. Someone or some program set up your network card so that it can now be sniffed. ALL non-encrypted information passing through your card, including passwords, can now be read by a third party. I hear a reboot can set it back to be non-promiscuous, but if you have been exploited, rebooting can do more harm than good. Check the integrity of your login binary and other items. It's quite possible you have been exploited by a script kiddie. They may have even installed a "root kit". Here is the readme for Linux RootKit 3.

UPDATES

3.0 Everything updated with latest sources for 2.X kernel. Added shadow support. Added trojan tcp wrappers. Removed sniffit and lled. Improved lots of stuff.

This package includes the following:

chfn Trojaned! User->r00t
chsh Trojaned! User->r00t
inetd Trojaned! Remote access
login Trojaned! Remote access
ls Trojaned! Hide files
du Trojaned! Hide files
ifconfig Trojaned! Hide sniffing
netstat Trojaned! Hide connections
passwd Trojaned! User->r00t
ps Trojaned! Hide processes
top Trojaned! Hide processes
rshd Trojaned! Remote access
syslogd Trojaned! Hide logs
linsniffer Packet sniffer!
fix File fixer!
z2 Zap2 utmp/wtmp/lastlog eraser!
wted wtmp/utmp editor!
lled lastlog editor!
bindshell port/shell type daemon!
tcpd Trojaned! Hide connections, avoid denies

INSTALLATION

To install this kit in its standard form execute 'make all install'. To install the shadow kit execute 'make shadow install'. All of the files/password configuration is in rootkit.h so feel free to personalise your own version of lrk3 :-) This kit is for linux 2.X kernels ONLY so don't complain when nothing works on old systems.

USAGE

OK I will go thru how to use each program one by one. NOTE when I say password I mean the rootkit password not your users password (doh!). By default the rootkit password is lrkr0x.

chfn - Local user->root. Run chfn then when it asks you for a new name enter your password.

chsh - Local user->root. Run chsh when it asks you for a new shell enter your password.

inetd - Don't even *think* about asking ;-) It ain't that hard..

login - Allows login to any account with the rootkit password. If root login is refused on your terminal login as "rewt". Disables history logging when backdoor is used.

ls - Trojaned to hide specified files and dirs. The data file is ROOTKIT_FILES_FILE, defaults to /dev/ptyr. All files can be listed with 'ls -/' if SHOWFLAG is enabled. (see rootkit.h) The format of /dev/ptyr is:
ptyr
hack.dir
w4r3z
ie. just the filenames. This would hide any files/dirs with the names ptyr, hack.dir and w4r3z.

du - Same as ls, 'cept for du instead :)

ifconfig - Modified to remove PROMISC flag when sniffing.

netstat - Modified to remove tcp/udp/sockets from or to specified addresses, uids and ports. The file is ROOTKIT_ADDRESS_FILE. default data file: /dev/ptyq
type 0: hide uid
type 1: hide local address
type 2: hide remote address
type 3: hide local port
type 4: hide remote port
type 5: hide UNIX socket path
example:
0 500 <- Hides all connections by uid 500
1 128.31 <- Hides all local connections from 128.31.X.X
2 128.31.39.20 <- Hides all remote connections to 128.31.39.20
3 8000 <- Hides all local connections from port 8000
4 6667 <- Hides all remote connections to port 6667
5 .term/socket <- Hides all UNIX sockets including the path .term/socket

passwd - Local user->root. Enter your rootkit password instead of your old password.

ps - Modified to remove specified processes. The file used is ROOTKIT_PROCESS_FILE, default to /dev/ptyp. An example data file is as follows:
0 0 Strips all processes running under root
1 p0 Strips tty p0
2 sniffer Strips all programs with the name sniffer
3 hack Strips all programs with 'hack' in them ie. proghack1, hack.scan, snhack etc.
Don't put in the comments, obviously. Note: if this doesn't seem to work make sure there are no spaces after the names, and don't use the full path name.

top - Identical to ps, 'cept for top instead.

rshd - Execute remote commands as root. Usage: rsh -l rootkitpassword host command ie. rsh -l lrkr0x cert.org /bin/sh -i would start a root shell.

syslogd - Modified to remove specified strings from logging. The data file is ROOTKIT_LOG_FILE, this defaults to /dev/ptys. Example data file:
evil.com
123.100.101.202
rshd
This would remove all logs containing the strings evil.com, 123.100.101.202 and rshd.

tcpd - Modified to allow access from your host without any logging. Any type 1 record in the ROOTKIT_ADDRESS_FILE is used for tcpd. See netstat for more infoz on this file. Example data file:
1 123.4.5.6
would set up the tcp wrappers to allow and hide connects from 123.4.5.6.

linsniffer - A kewl packet sniffer. U might like to check out another sniffer for linux if this doesn't suit ya needs. (ie. sniffit, pcs, snoofer, whatver). I removed sniffit for space reasons, if you want it the latest version can be found at http://reptile.rug.ac.be/~coder/sniffit/sniffit.html

fix - Replaces and fixes timestamp/checksum information on files. New lrk3 version :-)

z2 - Zapper2! Run this to erase the last utmp/wtmp/lastlog entries for a username. This can be detected since it just nulls the entry out.

wted - This does lots of stuff. U can view ALL the entries in a wtmp or utmp type file, erase entries by username or hostname, view zapped users (admins use a util similar to this to find erased entries), erase zapped users etc.

.......Other useless info deleted.......

A good idea is to take that box off the network if possible, until it has been restored.

Hope this helps,
Chrissy

At 12:30 PM 12/13/1999 +0100, you wrote:
Hello Everybody,
Has anyone an idea what this message means? "kernel: eth0: Setting promiscuous mode."
At the same time the kernel routing table of this machine had a strange entry for a host of our provider, but this host was not in the local intranet. Thank you in advance. Mirek
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
On Mon, 13 Dec 1999, you wrote:
This is not a good thing, Mirek. Someone or some program set up your network card so that it can now be sniffed. ALL non-encrypted information passing through your card, including passwords, can now be read by a third party. I hear a reboot can set it back to be non-promiscuous, but if you have been exploited, rebooting can do more harm than good. Check the integrity of your login binary and other items. It's quite possible you have been exploited by a script kiddie. They may have even installed a "root kit". Here is the readme for Linux RootKit 3.
Promiscuous mode does not mean the card can be sniffed, but that it IS sniffing... it is pretty obvious that your box has been cracked. I hope you set up tripwire before you connected the box to the net, else you probably should do a whole new setup; as Chrissy LeMaire showed, there are quite a lot of trojans around :(
--
#!/usr/bin/perl # Maximillian Jahn # h9302299@falbala.wu-wien.ac.at
First of all, thank you all for the prompt answer. Can't this mean something else? Recently I was playing around with tcpdump; can't this be the reason? Mirek
On Mon, 13 Dec 1999, Maximillian Jahn wrote:
Date: Mon, 13 Dec 1999 13:02:24 +0100
From: Maximillian Jahn
To: suse-security@suse.com
Cc: Mirek Szymczak
Subject: Re: [suse-security] strange kernel message.
On Mon, 13 Dec 1999, you wrote:
This is not a good thing, Mirek. Someone or some program set up your network card so that it can now be sniffed. ALL non-encrypted information passing through your card, including passwords, can now be read by a third party. I hear a reboot can set it back to be non-promiscuous, but if you have been exploited, rebooting can do more harm than good. Check the integrity of your login binary and other items. It's quite possible you have been exploited by a script kiddie. They may have even installed a "root kit". Here is the readme for Linux RootKit 3.
Promiscuous mode does not mean the card can be sniffed, but that it IS sniffing... it is pretty obvious that your box has been cracked. I hope you set up tripwire before you connected the box to the net, else you probably should do a whole new setup; as Chrissy LeMaire showed, there are quite a lot of trojans around :(
--
#!/usr/bin/perl # Maximillian Jahn # h9302299@falbala.wu-wien.ac.at
Hi, Mirek Szymczak wrote:
First of all, thank you all for the prompt answer. Can't this mean something else? Recently I was playing around with tcpdump; can't this be the reason? Mirek
Yes, it can be the reason: tcpdump normally (without option -p) sets the interface to promiscuous mode to be able to receive all frames on the link (not only frames with the host's destination address). Ciao, Robert
On Mon, 13 Dec 1999, Mirek Szymczak wrote:
First of all, thank you all for the prompt answer. Can't this mean something else? Recently I was playing around with tcpdump; can't this be the reason? Mirek
This could quite easily be the reason, since most programs of that nature (iptraf and argus being two others) can monitor traffic in promiscuous or non-promiscuous modes. I'm not sure about tcpdump, but I know positively that the SuSE 6.1 rpm of argus defaults to promiscuous; could be that others like tcpdump do as well. dan
On Mon, 13 Dec 1999, you wrote:
First of all, thank you all for the prompt answer. Can't this mean something else? Recently I was playing around with tcpdump; can't this be the reason?
I think that's the reason, yes. tcpdump puts your NIC into promiscuous mode. 'Tis a great tool to sniff your network when something unusual happens. I use it all the time when something is clogging up my network. (Usually some puppy who just found papasmurf.c).
--
"Rune Kristian Viken"
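As an added example (not from any of the posters), a small Python triage helper that ties the thread's answers together: it picks interfaces out of kernel log lines like Mirek's, checks whether each one is still promiscuous via the IFF_PROMISC bit (0x100) in /sys/class/net/<if>/flags, and accepts a running capture tool as the explanation only if it is one that actually enables promiscuous mode (tcpdump without -p, as Robert notes, or argus/iptraf as dan mentions); anything else is reported for follow-up. The log lines, flags values and process list are constructed samples, and the tool list is an assumption.

```python
import re

IFF_PROMISC = 0x100  # bit set in /sys/class/net/<if>/flags while sniffing
KNOWN_CAPTURE_TOOLS = {"tcpdump", "argus", "iptraf"}  # tools named in the thread (assumed list)
# Matches the 2.2-era wording quoted on the page and the newer kernel wording.
PROMISC_LOG_RE = re.compile(
    r"kernel: (?:device )?(?P<iface>[\w.-]+):? (?:Setting|entered) promiscuous mode")

def promisc_events(log_lines):
    """Interfaces the kernel log reports switching to promiscuous mode."""
    return {m.group("iface") for line in log_lines
            if (m := PROMISC_LOG_RE.search(line))}

def is_promiscuous(flags_hex):
    """True if a /sys/class/net/<if>/flags value has IFF_PROMISC set."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)

def explaining_processes(ps_lines):
    """Running capture tools that account for a promiscuous NIC; tcpdump -p does not."""
    found = []
    for line in ps_lines[1:]:  # skip the 'PID COMMAND' header row
        pid, cmd = line.split(None, 1)
        argv = cmd.split()
        tool = argv[0].rsplit("/", 1)[-1]
        if tool in KNOWN_CAPTURE_TOOLS and not (tool == "tcpdump" and "-p" in argv):
            found.append((int(pid), tool))
    return found

def triage(log_lines, iface_flags, ps_lines):
    """Give each logged interface a verdict a responder can act on."""
    procs = explaining_processes(ps_lines)
    verdicts = {}
    for iface in promisc_events(log_lines):
        if not is_promiscuous(iface_flags.get(iface, "0x0")):
            verdicts[iface] = "was promiscuous, is not now: find out what ran"
        elif procs:
            verdicts[iface] = "promiscuous, explained by " + ", ".join(
                f"{tool} (pid {pid})" for pid, tool in procs)
        else:
            verdicts[iface] = "promiscuous, no known capture tool: possible compromise"
    return verdicts

# Constructed samples standing in for /var/log/messages, sysfs flags and ps output.
SAMPLE_LOG = ["Dec 13 12:02:11 linux kernel: eth0: Setting promiscuous mode.",
              "Dec 13 12:02:11 linux kernel: device eth1 entered promiscuous mode"]
SAMPLE_FLAGS = {"eth0": "0x1103", "eth1": "0x1003"}  # 0x1003 = UP|BROADCAST|MULTICAST
SAMPLE_PS = ["  PID COMMAND",
             " 1402 /usr/sbin/tcpdump -p -i eth0 port 23",  # -p: not an explanation
             " 1417 tcpdump -n -i eth0"]
```

On a live host the same functions take the real /var/log/messages lines, the contents of each /sys/class/net/<if>/flags file and `ps -eo pid,args` output; an unexplained verdict is the point at which the integrity checks Chrissy and Maximillian describe become the next step.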
participants (6): Chrissy LeMaire, Daniel L. Donahue, Maximillian Jahn, Mirek Szymczak, Robert Hoffmann, Rune Kristian Viken