RE: just running tcpdump makes promisc mode?

From: Skander Ben Mansour (securityfocus_at_benmansour.net)
Date: 06/24/04

    To: "'Monty Ree'" <chulmin2@hotmail.com>, <focus-linux@securityfocus.com>
    Date: Thu, 24 Jun 2004 18:47:20 +0200
    
    

    Hi Monty,

    This might be a sign that your system has been compromised and a
    rootkit installed.

    Some rootkits contain sniffers that set the network interface card into
    promiscuous mode. The objective is to capture passwords or other
    interesting traffic on the network of the compromised host.

    How is that relevant to your situation?

    In order not to be detected, the rootkit subverts the output of
    ifconfig so that it does not show the PROMISC flag on the sniffing interface.
    (The rootkit actually replaces the ifconfig program with a trojan, along
    with many other common system programs like ps, ls, top, ...)

    This sometimes results in ifconfig not displaying the promiscuous state
    of an interface that was legitimately set in promiscuous mode by the
    administrator (e.g. when running tcpdump or snort).

    An example of such a rootkit is the T0rn rootkit, described on the website
    below:
    http://www.sophos.com/virusinfo/analyses/trojt0rnkit.html

    Good luck in your investigations.

    Best Regards,

    Skander Ben Mansour, CISSP

    -----Original Message-----
    From: Monty Ree [mailto:chulmin2@hotmail.com]
    Sent: Wednesday, June 23, 2004 9:21 AM
    To: focus-linux@securityfocus.com
    Subject: just running tcpdump makes promisc mode?

    Hello, all.

    I have operated Red Hat Linux 7.x, whose kernel is 2.4.26.
    When I run tcpdump or snort, dmesg shows the line below.

    "device eth0 entered promiscuous mode"

    and when I stop tcpdump or snort, dmesg shows the line below.

    "device eth0 left promiscuous mode"

    But I can't find the PROMISC message when I execute ifconfig while tcpdump
    or snort is running.

    Why are the results of dmesg and ifconfig different?

    Thanks in advance.


