RE: just running tcpdump makes promisc mode?

From: Skander Ben Mansour (securityfocus_at_benmansour.net)
Date: 06/24/04

  • Next message: Manuel Arostegui: "Re: Counting p2p traffic."
    To: "'Monty Ree'" <chulmin2@hotmail.com>, <focus-linux@securityfocus.com>
    Date: Thu, 24 Jun 2004 18:47:20 +0200
    
    

    Hi Monty,

    This might be a sign that your system has been compromised and a
    rootkit installed.

    Some rootkits contain sniffers that set the network interface card into
    promiscuous mode. The objective is to capture passwords or other
    interesting traffic on the network of the compromised host.

    How is that relevant to your situation?

    In order not to be detected, the rootkit subverts the output of
    ifconfig not to show the PROMISC flag on the sniffing interface.
    (The rootkit actually replaces the ifconfig program by a trojan, along
    with many many other common system programs like ps, ls, top,...)

    This sometimes results in ifconfig not displaying the promiscuous state
    of an interface that was legitimately set in promiscuous mode by the
    administrator (e.g. when running tcpdump or snort).

    An example of such rootkit is the T0rn rootkit described on the website
    below:
    http://www.sophos.com/virusinfo/analyses/trojt0rnkit.html

    Good luck in your investigations.

    Best Regards,

    Skander Ben Mansour, CISSP

    -----Original Message-----
    From: Monty Ree [mailto:chulmin2@hotmail.com]
    Sent: Wednesday, June 23, 2004 9:21 AM
    To: focus-linux@securityfocus.com
    Subject: just running tcpdump makes promisc mode?

    Hello, all.

    I have operated redhat linux 7.x whcih kernel is 2.4.26.
    When I run tcpdump or snort, the dmesg is seen like below.

    "device eth0 entered promiscuous mode"

    and when I stop tcpdump or snort, the dmesg is seen like below.

    "device eth0 left promiscuous mode"

    But I can't find PROMISC message when I execute ifconfig while tcpdump
    or
    snort.

    Why the result of the dmesg and ifconfig is different?

    Thanks in advance.

    _________________________________________________________________
    MSN Messenger를 통해 온라인상에 있는 친구와 대화를 나누세요.
    http://messenger.msn.co.kr


  • Next message: Manuel Arostegui: "Re: Counting p2p traffic."