Re: just running tcpdump makes promisc mode?
From: Ranjeet Shetye (ranjeet.shetye2@zultys.com)
Date: Tue Jun 29 2004 - 20:49:29 CDT
Since I didn't see a solution mentioned, here goes:
try chkrootkit
http://www.chkrootkit.org/
It's at version 0.43 currently. It will check your computer for a rootkit
and is pretty useful.
Also, it might be a good idea to run clamav - then rebuild the machine. You
cannot trust ANY binary on a rooted machine.
* Marco Monicelli (marco.monicelli@marcegaglia.com) wrote:
>
>
>
>
> Very right indeed.
>
> Just two words to say that modern rootkits (pardon me my friend, but Tornkit
> is pretty old nowadays) now have trojaned binaries like ps, ls, ifconfig etc.
> which have the same size as the original binaries and are normally
> based on a master-slave technique which strongly needs ifconfig not to show
> the promisc mode set by the admin.
>
> In this regard, I suggest you google and search for Superkit or
> Suckit (the first one coming up on the l33t scene), which are also open
> source rootkits!!
>
> Anyway....Skander's reflections are very right and I congratulate him
> on his good analysis.
>
> Good work guys!
>
> Ciao
>
> Marco Monicelli
> MARCEGAGLIA SPA
> Sales Department - Automotive
> Tel. +39 0376 685369
> Fax. +39 0376 685625
> mail: marco.monicelli@marcegaglia.com
>
>
>
>
> From: "Skander Ben Mansour" <securityfocus@benmansour.net>
> To: "'Monty Ree'" <chulmin2@hotmail.com>, <focus-linux@securityfocus.com>
> Date: 24/06/2004 18.47
> Subject: RE: just running tcpdump makes promisc mode?
>
> Hi Monty,
>
> This might be a sign that your system has been compromised and a
> rootkit installed.
>
> Some rootkits contain sniffers that set the network interface card into
> promiscuous mode. The objective is to capture passwords or other
> interesting traffic on the network of the compromised host.
>
> How is that relevant to your situation?
>
> In order not to be detected, the rootkit subverts the output of
> ifconfig so that it does not show the PROMISC flag on the sniffing interface.
> (The rootkit actually replaces the ifconfig program with a trojan, along
> with many, many other common system programs like ps, ls, top, ...)
>
> This sometimes results in ifconfig not displaying the promiscuous state
> of an interface that was legitimately set in promiscuous mode by the
> administrator (e.g. when running tcpdump or snort).
>
> An example of such a rootkit is the T0rn rootkit described on the website
> below:
> http://www.sophos.com/virusinfo/analyses/trojt0rnkit.html
>
> Good luck in your investigations.
>
> Best Regards,
>
> Skander Ben Mansour, CISSP
>
>
> -----Original Message-----
> From: Monty Ree [mailto:chulmin2@hotmail.com]
> Sent: Wednesday, June 23, 2004 9:21 AM
> To: focus-linux@securityfocus.com
> Subject: just running tcpdump makes promisc mode?
>
>
> Hello, all.
>
> I have been operating Red Hat Linux 7.x with kernel 2.4.26.
> When I run tcpdump or snort, dmesg shows the following:
>
> "device eth0 entered promiscuous mode"
>
> and when I stop tcpdump or snort, dmesg shows the following:
>
> "device eth0 left promiscuous mode"
>
> But I can't find the PROMISC flag when I execute ifconfig while tcpdump or
> snort is running.
>
> Why are the results of dmesg and ifconfig different?
>
>
>
> Thanks in advance.
>
>
>
>
--
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye at Zultys dot com
http://www.zultys.com/
The views, opinions, and judgements expressed in this message are solely those of
the author. The message contents have not been reviewed or approved by Zultys.
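Editor's note with an added example (not code from any poster in this thread). On a box where ps, netstat and ifconfig may all be trojaned, the check a practitioner wants is one that asks the kernel directly: /proc/net/packet lists every open AF_PACKET socket (the socket type tcpdump and snort use; the file exists on 2.4 kernels), and on 2.6 or later kernels /sys/class/net/<if>/flags exposes dev->flags, where IFF_PROMISC is bit 0x100. A caveat that bears on the original question: ifconfig reads its flags through the SIOCGIFFLAGS ioctl, and for IFF_PROMISC the kernel (2.4 and 2.6 alike, as I read net/core/dev.c) reports its separate "gflags" copy, which `ifconfig eth0 promisc` sets but a packet socket asking for promiscuous mode does not. So "dmesg says entered promiscuous mode, ifconfig shows no PROMISC" is also what a clean system does while tcpdump runs; the script below does not go through that path. The sample /proc/net/packet text embedded in it is constructed. A userland rootkit like t0rn cannot alter what /proc and /sys report, but a kernel-level one (Suckit works through /dev/kmem) can, so treat this as triage, not proof; the advice above to rebuild stands.

```python
"""Cross-check promiscuous mode on Linux using only kernel-provided files,
so the answer does not depend on the ifconfig, ps or netstat binaries a
userland rootkit replaces.  Added example, not from the list thread.

  /proc/net/packet           every open AF_PACKET socket (kernel 2.2+)
  /sys/class/net/<if>/flags  dev->flags in hex, IFF_PROMISC = 0x100 (2.6+)
"""
import os

IFF_PROMISC = 0x100   # <linux/if.h>
ETH_P_ALL = 0x0003    # "capture everything" protocol sniffers bind with
SOCK_RAW = 3
SYSFS_NET = "/sys/class/net"

# Constructed sample of /proc/net/packet: one raw ETH_P_ALL socket bound to
# ifindex 2 and running, the shape "tcpdump -i eth0" leaves behind.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
c7f0a400 3      3    0003   2     1 0      0      18452
"""


def parse_proc_net_packet(text):
    """Return one dict per packet socket listed in /proc/net/packet text."""
    lines = text.strip().splitlines()
    if not lines:
        return []
    header = lines[0].split()
    socks = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) < len(header):
            continue  # truncated line: skip rather than guess
        rec = dict(zip(header, fields))
        socks.append({
            "type": int(rec["Type"]),
            "proto": int(rec["Proto"], 16),
            "ifindex": int(rec["Iface"]),   # 0 = not bound to one interface
            "running": rec["R"] == "1",
            "inode": int(rec["Inode"]),     # grep /proc/*/fd for the owner
        })
    return socks


def sniffer_sockets(socks):
    """Packet sockets that look like a sniffer: SOCK_RAW with ETH_P_ALL."""
    return [s for s in socks if s["type"] == SOCK_RAW and s["proto"] == ETH_P_ALL]


def is_promisc(flags_hex):
    """True if the hex value from /sys/class/net/<if>/flags has IFF_PROMISC."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)


def sysfs_interfaces(root=SYSFS_NET):
    """Map ifindex -> (name, promisc) from sysfs; empty if sysfs is absent."""
    result = {}
    if not os.path.isdir(root):
        return result
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "ifindex")) as f:
                idx = int(f.read().strip())
            with open(os.path.join(root, name, "flags")) as f:
                promisc = is_promisc(f.read().strip())
        except (OSError, ValueError):
            continue
        result[idx] = (name, promisc)
    return result


def findings(socks, ifaces):
    """Combine both views into human-readable lines (sockets first)."""
    out = []
    for s in sniffer_sockets(socks):
        if s["ifindex"] == 0:
            where = "all interfaces"
        elif s["ifindex"] in ifaces:
            where = ifaces[s["ifindex"]][0]
        else:
            where = "ifindex %d" % s["ifindex"]
        out.append("raw ETH_P_ALL packet socket on %s (inode %d)" % (where, s["inode"]))
    for _idx, (name, promisc) in sorted(ifaces.items()):
        if promisc:
            out.append("%s has IFF_PROMISC set in dev->flags" % name)
    return out


if __name__ == "__main__":
    try:
        with open("/proc/net/packet") as f:
            text = f.read()
    except OSError:            # not Linux: fall back to the constructed sample
        text = SAMPLE_PROC_NET_PACKET
    for line in findings(parse_proc_net_packet(text), sysfs_interfaces()) or ["nothing found"]:
        print(line)
```

Run it as root from a known-good copy of Python (or from a rescue CD with the disk mounted, which is the only way the answer is trustworthy on a suspected rooted host). A raw ETH_P_ALL socket with no matching process in a ps listing is the discrepancy Skander and Marco describe; the inode column lets you find the owner by walking /proc/*/fd, which again bypasses the ps binary.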