RE: just running tcpdump makes promisc mode?
From: Skander Ben Mansour (securityfocus_at_benmansour.net)
To: "'Monty Ree'" <email@example.com>, <firstname.lastname@example.org>
Date: Thu, 24 Jun 2004 18:47:20 +0200
This might be a sign that your system has been compromised and a
Some rootkits contain sniffers that set the network interface card into
promiscuous mode. The objective is to capture passwords or other
interesting traffic on the network of the compromised host.
How is that relevant to your situation?
In order not to be detected, the rootkit subverts the output of
ifconfig so that it does not show the PROMISC flag on the sniffing interface.
(The rootkit actually replaces the ifconfig program with a trojaned copy, along
with many other common system programs like ps, ls, top, ...)
This sometimes results in ifconfig not displaying the promiscuous state
of an interface that was legitimately set in promiscuous mode by the
administrator (e.g. when running tcpdump or snort).
An example of such a rootkit is the T0rn rootkit described on the website
Good luck in your investigations.
Skander Ben Mansour, CISSP
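The practical follow-up to the advice above is to get the interface state from sources that do not go through the ifconfig binary at all. The script below is an added example, not code from this thread or from any of the tools it mentions: it replays the "entered/left promiscuous mode" kernel log lines (the evidence the poster already has), parses ifconfig's own output, decodes the raw IFF_* flag word from /sys/class/net/<if>/flags where sysfs exists (2.6 and later kernels, so not on the poster's 2.4.26 box, which would use `ip link show` instead), and reports interfaces the kernel says are promiscuous but ifconfig does not. The dmesg lines and ifconfig text embedded in it are constructed samples. One caveat worth knowing before concluding "rootkit": on Linux, ifconfig asks for flags through the SIOCGIFFLAGS ioctl, and the kernel answers with IFF_PROMISC only when promiscuity was requested through that same ioctl (e.g. `ifconfig eth0 promisc`), not when a capture tool such as tcpdump requested it through a packet socket; `ip link show`, which reads the flags over netlink, does show PROMISC in that case. So dmesg and ifconfig disagreeing is consistent with an unmodified system as well, and the disagreement alone does not prove that ifconfig was replaced; the cross-check is still the right first step, since a trojaned ifconfig would hide the flag in both situations.

```python
#!/usr/bin/env python3
"""Cross-check an interface's promiscuous state without trusting /sbin/ifconfig.

Added example (not code from the original thread). It compares what the kernel
log says with what the ifconfig binary claims, and can also read the raw flag
word from /sys/class/net/<if>/flags on kernels that provide sysfs (2.6+).
"""
import glob
import os
import re

IFF_PROMISC = 0x100  # from <linux/if.h>: interface is in promiscuous mode

# Kernel log line printed when promiscuity is toggled, e.g.
# "device eth0 entered promiscuous mode" / "device eth0 left promiscuous mode"
KLOG_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def promisc_from_kernel_log(lines):
    """Replay dmesg lines; return the interfaces whose last event was 'entered'."""
    state = {}
    for line in lines:
        m = KLOG_RE.search(line)
        if m:
            state[m.group(1)] = (m.group(2) == "entered")
    return {name for name, on in state.items() if on}


def promisc_from_ifconfig(text):
    """Return the interfaces whose ifconfig block carries the PROMISC flag.

    ifconfig starts each interface block at column 0 and indents the rest,
    so a non-indented line begins a new interface.
    """
    found = set()
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0].rstrip(":")
        if current and re.search(r"\bPROMISC\b", line):
            found.add(current)
    return found


def promisc_from_flag_words(flags_by_ifname):
    """Decode raw IFF_* flag words (as read from sysfs) into the promiscuous set."""
    return {name for name, word in flags_by_ifname.items() if word & IFF_PROMISC}


def read_sysfs_flags(sysfs_root="/sys/class/net"):
    """Read /sys/class/net/<if>/flags (hex) for every interface; {} if sysfs is absent."""
    result = {}
    for path in glob.glob(os.path.join(sysfs_root, "*", "flags")):
        name = os.path.basename(os.path.dirname(path))
        with open(path) as fh:
            result[name] = int(fh.read().strip(), 16)
    return result


def hidden_promisc(kernel_log_lines, ifconfig_text):
    """Interfaces the kernel log says are promiscuous but ifconfig does not report.

    A non-empty result means ifconfig cannot be the only check, whether because
    the binary was replaced or because the kernel's SIOCGIFFLAGS answer simply
    does not carry the flag for packet-socket promiscuity.
    """
    return promisc_from_kernel_log(kernel_log_lines) - promisc_from_ifconfig(ifconfig_text)


# --- Constructed sample input (not real captures) ---------------------------
SAMPLE_DMESG = [
    "eth0: link up, 100Mbps, full-duplex",
    "device eth0 entered promiscuous mode",
    "device eth1 entered promiscuous mode",
    "device eth1 left promiscuous mode",
]

SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:0C:29:AB:CD:EF
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1234 errors:0 dropped:0 overruns:0 frame:0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

if __name__ == "__main__":
    print("kernel log says promiscuous:", sorted(promisc_from_kernel_log(SAMPLE_DMESG)))
    print("ifconfig shows PROMISC on:  ", sorted(promisc_from_ifconfig(SAMPLE_IFCONFIG)))
    print("hidden from ifconfig:       ", sorted(hidden_promisc(SAMPLE_DMESG, SAMPLE_IFCONFIG)))
    live = read_sysfs_flags()  # empty on systems without sysfs
    if live:
        print("sysfs says promiscuous:     ", sorted(promisc_from_flag_words(live)))
```

On a live host, feed it `dmesg` and `ifconfig -a` output instead of the samples, and compare the sysfs or `ip link` result with both; an interface flagged by the kernel but absent from ifconfig is the case the reply above describes, and is also what a packet-socket capture produces on an untouched kernel, so treat it as a reason to verify the ifconfig binary (package checksum from trusted media, or a statically linked copy run from read-only storage), not as proof by itself.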
From: Monty Ree [mailto:email@example.com]
Sent: Wednesday, June 23, 2004 9:21 AM
Subject: just running tcpdump makes promisc mode?
I have been operating Red Hat Linux 7.x, whose kernel is 2.4.26.
When I run tcpdump or snort, dmesg shows the message below.
"device eth0 entered promiscuous mode"
and when I stop tcpdump or snort, dmesg shows the message below.
"device eth0 left promiscuous mode"
But I can't find a PROMISC message when I execute ifconfig while tcpdump
Why are the results of dmesg and ifconfig different?
Thanks in advance.