Hi List,

I started a tcpdump session and ran the ifconfig command to see if it returns the string "PROMISC" in the command's output. There's nothing there showing me this mode of operation. I know that tcpdump puts the interface into promiscuous mode (by default) and I am almost sure that the tcpdump was not hacked (this is a very fresh installation). Is there a problem with ifconfig from the SuSE distro? Which are the other ways?

I will be glad for any kind of information.

Oswaldo Castro
Hi Oswaldo,

Oswaldo Castro wrote:
> Hi List,
> I started a tcpdump session and ran the ifconfig command to see if it returns the string "PROMISC" in the command's output. There's nothing there showing me this mode of operation. I know that tcpdump puts the interface into promiscuous mode (by default) and I am almost sure that the tcpdump was not hacked (this is a very fresh installation). Is there a problem with ifconfig from the SuSE distro? Which are the other ways?

# ip addr show dev eth0
# dmesg
# tail -f /var/log/messages

The first command will show you the status of the interface:

2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:00:e8:7d:7e:ee brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0

The other two will show you the entries in /var/log/messages:

Apr 7 13:12:46 mentor kernel: eth0: Promiscuous mode enabled.
Apr 7 13:12:46 mentor kernel: device eth0 entered promiscuous mode

rgrds,
--
Bráulio Weimann Gergull
GetNet Comunicações
http://www.getnet.com.br/
http://www.suse-brasil.com.br/
* Bráulio Weimann Gergull (gergull@getnet.com.br) [020407 09:17]:
> > I started a tcpdump session and ran the ifconfig command to see if it returns the string "PROMISC" in the command's output. There's nothing there showing me this mode of operation.

This has been broken in ifconfig for a while due to an API change in the kernel. '/usr/sbin/ip link' gives the correct information.

--
-ckm
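The three checks Bráulio and Christopher describe (the `ip link` flag list, the kernel's own interface flags, and the "entered promiscuous mode" log lines), as an added shell example that is not code from this thread. It assumes a Linux host with iproute2 and the sysfs path /sys/class/net/<iface>/flags; the sample `ip` and log lines are constructed to match the output quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread: check an interface for promiscuous
# mode without trusting ifconfig, via the three sources the replies name: the
# flag list in `ip link` output, the kernel's own flag word in
# /sys/class/net/<iface>/flags, and "entered promiscuous mode" kernel log lines.

# $1 = one line of `ip -o link show dev <iface>`; true if PROMISC is inside <...>.
ip_link_is_promisc() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^[^<]*<\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *,PROMISC,*) return 0 ;;
        *)           return 1 ;;
    esac
}

# $1 = hex flag word as read from /sys/class/net/<iface>/flags (e.g. 0x1103).
# IFF_PROMISC is 0x100 in <linux/if.h>; this is the kernel's own state and
# does not depend on how any userland tool formats it.
sysfs_flags_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# $1 = interface; stdin = kernel log text (dmesg or /var/log/messages).
# Prints how often the interface entered promiscuous mode, which also catches
# a sniffer that was started and stopped again between two checks.
promisc_log_events() {
    grep -c "device $1 entered promiscuous mode" || true
}

# Live check of a real interface: true if any of the three sources says so.
check_iface() {
    hit=1
    line=$(ip -o link show dev "$1" 2>/dev/null) && ip_link_is_promisc "$line" && hit=0
    f="/sys/class/net/$1/flags"
    [ -r "$f" ] && sysfs_flags_promisc "$(cat "$f")" && hit=0
    n=$(dmesg 2>/dev/null | promisc_log_events "$1")
    [ "${n:-0}" -gt 0 ] && hit=0
    return $hit
}

# Constructed sample data, modelled on the output quoted earlier in the thread.
SAMPLE_IP_LINK='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100'
SAMPLE_IP_LINK_CLEAN='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100'
SAMPLE_LOG='Apr 7 13:12:46 mentor kernel: eth0: Promiscuous mode enabled.
Apr 7 13:12:46 mentor kernel: device eth0 entered promiscuous mode
Apr 7 13:40:02 mentor kernel: device eth0 left promiscuous mode'
if [ $# -gt 0 ]; then   # e.g.  sh promisc-check.sh eth0
    check_iface "$1" && echo "$1: promiscuous" || echo "$1: not promiscuous"
fi
```

Run it as root on the interface name; the sysfs and log checks keep working even when a replaced ifconfig or chkrootkit reports nothing, which is exactly the situation described later in the thread.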
On Sun, Apr 07, 2002 at 11:54:19AM -0700, Christopher Mahmood beat on the keyboard:
> * Bráulio Weimann Gergull (gergull@getnet.com.br) [020407 09:17]:
> > > I started a tcpdump session and ran the ifconfig command to see if it returns the string "PROMISC" in the command's output. There's nothing there showing me this mode of operation.
>
> This has been broken in ifconfig for a while due to an API change in the kernel. '/usr/sbin/ip link' gives the correct information.
>
> --
> -ckm
>
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
> For additional commands, e-mail: suse-security-help@suse.com
> Security-related bug reports go to security@suse.de, not here

Well this is some great information. I have been trying to see this output too. If this is broke, doesn't that make things a little hard for tracking down script kiddies? I have been doing some work for a company who has had two Redhat boxes (trying to convince them to switch to SuSE) compromised. I have been checking my box out, and am running snort, so I know it is in promisc, but ifconfig wouldn't show it. I have run chkrootkit, and that says it is not promisc, yet it is running in promisc. I don't like this.

What other ways can I be sure that my box has not been compromised? I have run adorefind, negative, chkrootkit, all negative. Are there any other auditing tools to check with? I have run rpm -Va. My system is completely up to date with security patches.

Thanks.

--
rsweet@garagenetworks.net
"unix soit qui mal y pense."
* Robert Sweet (rsweet@garagenetworks.net) [020410 09:46]:
> Well this is some great information. I have been trying to see this output too. If this is broke, doesn't that make things a little hard for tracking down script kiddies? I have been doing some work for a company who has had two Redhat boxes (trying to convince them to switch to SuSE) compromised. I have been checking my box out, and am running snort, so I know it is in promisc, but ifconfig wouldn't show it. I have run chkrootkit, and that says it is not promisc, yet it is running in promisc. I don't like this.

It is annoying. One solution is to stop using ifconfig and route and use ip instead. SuSE 8.0 does this.

> What other ways can I be sure that my box has not been compromised? I have run adorefind, negative, chkrootkit, all negative.

Unless you have something like a tripwire database that was created before the machine was ever on the network, that's probably impossible. If the machine really has been compromised there's no reason to expect all of these tools to work properly.

--
-ckm
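A minimal tripwire-style baseline of the kind Christopher's reply describes, as an added shell example that is not code from this thread. It assumes GNU coreutils (sha256sum, mktemp) and a POSIX awk; the scratch directory and its files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal tripwire-style baseline
# of the kind the reply above says you need. Take the manifest before the host
# is ever on the network and keep it off-host; run the comparison from trusted
# media (rescue CD, known-good binaries), since on a compromised host find,
# sha256sum and awk themselves may have been replaced. Assumes GNU coreutils.

# $1 = directory; prints "<sha256>  <path>" for every regular file, path-sorted.
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done
}

# $1 = saved manifest, $2 = the directory as it is now.
# Prints one MODIFIED/MISSING/NEW line per difference (plain sha256sum -c
# would never notice NEW files); returns 0 only when nothing changed.
verify_baseline() {
    now=$(mktemp) || return 2
    make_baseline "$2" > "$now"
    awk -v base="$1" '
        BEGIN { bad = 0 }
        { sum = $1; path = substr($0, 67) }   # sha256sum line: 64 hex, 2 spaces, path
        FILENAME == base { seen[path] = sum; next }
        (path in seen) { if (seen[path] != sum) { print "MODIFIED " path; bad = 1 }
                         delete seen[path]; next }
        { print "NEW " path; bad = 1 }
        END { for (p in seen) { print "MISSING " p; bad = 1 }; exit bad }
    ' "$1" "$now"
    rc=$?
    rm -f "$now"
    return $rc
}

# Constructed demo: baseline a scratch "bin" directory, then tamper with it the
# way a rootkit would (swap a binary, delete one, drop a hidden file).
demo_dir=$(mktemp -d)
printf 'ifconfig build 1\n' > "$demo_dir/ifconfig"
printf 'ip build 1\n'       > "$demo_dir/ip"
printf 'route build 1\n'    > "$demo_dir/route"
make_baseline "$demo_dir" > "$demo_dir.manifest"   # stored outside the tree
printf 'ifconfig build 1 + trojan\n' > "$demo_dir/ifconfig"
rm "$demo_dir/route"
printf 'sniffer\n' > "$demo_dir/.hidden"
verify_baseline "$demo_dir.manifest" "$demo_dir"
echo "verify_baseline exit status: $?"
rm -rf "$demo_dir" "$demo_dir.manifest"
```

The demo prints MODIFIED for ifconfig, NEW for .hidden and MISSING for route and exits 1; rpm -Va covers only packaged files and trusts the on-host rpm database, which is why a baseline stored off the machine is what the reply asks for.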
On Wed, Apr 10, 2002 at 01:25:05PM -0700, Christopher Mahmood beat on the keyboard:
> * Robert Sweet (rsweet@garagenetworks.net) [020410 09:46]:
> > Well this is some great information. I have been trying to see this output too. If this is broke, doesn't that make things a little hard for tracking down script kiddies? I have been doing some work for a company who has had two Redhat boxes (trying to convince them to switch to SuSE) compromised. I have been checking my box out, and am running snort, so I know it is in promisc, but ifconfig wouldn't show it. I have run chkrootkit, and that says it is not promisc, yet it is running in promisc. I don't like this.
>
> It is annoying. One solution is to stop using ifconfig and route and use ip instead. SuSE 8.0 does this.
>
> > What other ways can I be sure that my box has not been compromised? I have run adorefind, negative, chkrootkit, all negative.
>
> Unless you have something like a tripwire database that was created before the machine was ever on the network, that's probably impossible. If the machine really has been compromised there's no reason to expect all of these tools to work properly.
>
> --
> -ckm

Yes, I am positive that these Redhat boxes have been compromised. I have already recommended to them that they need to be reformatted and re-installed. Just wish they would use SuSE. I am using ip now. It is hard to break old habits.

--
rsweet@garagenetworks.net
"unix soit qui mal y pense."