Mailinglist Archive: opensuse-security (685 mails)

< Previous Next >
Re: [suse-security] promisuous or not?
  • From: "JohnvD" <johnvd@xxxxxxxxx>
  • Date: Thu, 28 Feb 2002 22:23:30 +0100
  • Message-id: <001d01c1c09e$2bb91480$6300a8c0@xxxxxxxxx>
Hi,

I have noticed exactly the same behaviour in chkrootkit.
Running tcpdump while chkrootkit ran it did *not* report promiscuous mode.

Greetz
johnvD.

----- Original Message -----
From: Anders Johansson <andjoh@xxxxxxxxxxxxxxxxxxxxx>
To: <suse-security@xxxxxxxx>
Sent: Thursday, February 28, 2002 3:37 AM
Subject: [suse-security] promisuous or not?


> I recently did a fresh install of 7.3 on this system and included all
security
> updates from scratch. Today I decided to run chkrootkit and found that it
> reported that eth0 wasn't in promiscuous mode. Since I'm running snort,
and
> see in /var/log/messages lines like "eth0 entered promiscuous mode" I was
a
> bit worried.
>
> I ran tcpdump -i eth0 and did ifconfig and sure enough, PROMISC wasn't
there.
> I reinstalled net-tools.rpm, but still no PROMISC. It's difficult to
believe
> that this is the work of a hacker, since the entries are made into
messages,
> and since the problem was still there after a reinstall of net-tools I
think
> it would have to be a kernel problem and any kernel modification would
surely
> remove log messages as well as proc entries
>
> I've tested it on two separate systems, both running 7.3, one running
k_deflt
> 2.4.16 and one running k_deflt 2.4.17-69 (from mantel)
>
> Is anyone else seeing this?
>
> file://Anders
>
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>
>


< Previous Next >
Follow Ups
References