RE: just running tcpdump makes promisc mode?
From: Marco Monicelli (marco.monicelli_at_marcegaglia.com)
Date: 06/29/04
- Previous message: Paul Martin: "RE: Error installing Clamav?"
- In reply to: Skander Ben Mansour: "RE: just running tcpdump makes promisc mode?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Skander Ben Mansour" <securityfocus@benmansour.net> Date: Tue, 29 Jun 2004 08:41:14 +0200
Very right indeed.
Just two words to say that modern rootkits (pardon me, my friend, but Tornkit
is pretty old nowadays) now have trojaned binaries like ps, ls, ifconfig etc.
which have the same size as the original binaries and are normally
based on a master-slave technique which strongly needs ifconfig not to show
the promisc mode set by the admin.
In this regard, I suggest you google for Superkit or
Suckit (the first one coming up on the l33t scene), which are also open
source rootkits!!
Anyway.... Skander's reflections are very right and I congratulate him
on his good analysis.
Good work guys!
Ciao
Marco Monicelli
MARCEGAGLIA SPA
Sales Department - Automotive
Tel. +39 0376 685369
Fax. +39 0376 685625
mail: marco.monicelli@marcegaglia.com
From: "Skander Ben Mansour" <securityfocus@benmansour.net>
To: "'Monty Ree'" <chulmin2@hotmail.com>, <focus-linux@securityfocus.com>
cc:
Subject: RE: just running tcpdump makes promisc mode?
Date: 24/06/2004 18.47
Hi Monty,
This might be a sign that your system has been compromised and a
rootkit installed.
Some rootkits contain sniffers that set the network interface card into
promiscuous mode. The objective is to capture passwords or other
interesting traffic on the network of the compromised host.
How is that relevant to your situation?
In order not to be detected, the rootkit subverts the output of
ifconfig not to show the PROMISC flag on the sniffing interface.
(The rootkit actually replaces the ifconfig program by a trojan, along
with many many other common system programs like ps, ls, top,...)
This sometimes results in ifconfig not displaying the promiscuous state
of an interface that was legitimately set in promiscuous mode by the
administrator (e.g. when running tcpdump or snort).
An example of such rootkit is the T0rn rootkit described on the website
below:
http://www.sophos.com/virusinfo/analyses/trojt0rnkit.html
Good luck in your investigations.
Best Regards,
Skander Ben Mansour, CISSP
-----Original Message-----
From: Monty Ree [mailto:chulmin2@hotmail.com]
Sent: Wednesday, June 23, 2004 9:21 AM
To: focus-linux@securityfocus.com
Subject: just running tcpdump makes promisc mode?
Hello, all.
I have been running Red Hat Linux 7.x, whose kernel is 2.4.26.
When I run tcpdump or snort, dmesg shows the following:
"device eth0 entered promiscuous mode"
and when I stop tcpdump or snort, dmesg shows the following:
"device eth0 left promiscuous mode"
But I can't find a PROMISC message when I execute ifconfig while tcpdump
or snort is running.
Why are the results of dmesg and ifconfig different?
Thanks in advance.
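The whole thread turns on ifconfig being a single, replaceable witness to the PROMISC state. Below is an added example (not code from this list, from any of the posters, or from any rootkit write-up) that cross-checks three witnesses on a Linux host: the kernel log lines Monty quoted, the textual ifconfig output, and the interface flags the kernel exposes in sysfs. It assumes a Linux sysfs at /sys/class/net/<iface>/flags holding the hex bitmask of the interface flags, and that IFF_PROMISC is 0x100 as defined in <linux/if.h>; the dmesg lines, ifconfig output and sysfs readings used in the demo are constructed for the demonstration.

```python
"""Cross-check an interface's promiscuous state without trusting ifconfig alone.

Added example for this thread; not code from the list or from any rootkit.
Assumptions: Linux sysfs at /sys/class/net/<iface>/flags (hex bitmask of the
interface flags), IFF_PROMISC = 0x100 from <linux/if.h>, and kernel log lines
of the form "device eth0 entered promiscuous mode" as quoted in the thread.
All sample inputs below are constructed for the demonstration.
"""
import re
from pathlib import Path

IFF_PROMISC = 0x100  # bit value of IFF_PROMISC in <linux/if.h>

# Kernel log format quoted in the thread: "device eth0 entered promiscuous mode"
_DMESG_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def promisc_from_dmesg(lines):
    """Replay kernel log lines; return {iface: bool} for the final state.

    An interface that 'entered' without a later 'left' is still promiscuous
    as far as the kernel is concerned.
    """
    state = {}
    for line in lines:
        m = _DMESG_RE.search(line)
        if m:
            state[m.group(1)] = (m.group(2) == "entered")
    return state


def promisc_from_ifconfig(text):
    """Parse ifconfig(8) output; return {iface: bool} from the PROMISC keyword.

    Handles both the classic 'eth0      Link encap:' layout and the newer
    'eth0: flags=...<UP,...>' layout. A trojaned ifconfig can lie here, so
    this is only one witness.
    """
    state = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0].rstrip(":")
            state[current] = False
        if current and re.search(r"\bPROMISC\b", line):
            state[current] = True
    return state


def promisc_from_sysfs_flags(flags_hex):
    """Interpret the contents of /sys/class/net/<iface>/flags (e.g. '0x1103')."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)


def read_sysfs_promisc(iface, sysfs="/sys/class/net"):
    """Ask the kernel directly, bypassing any replaced userland binary.

    Returns None if the interface or sysfs is unavailable. This defeats a
    trojaned ifconfig binary only; a kernel-resident rootkit can still lie.
    """
    path = Path(sysfs) / iface / "flags"
    try:
        return promisc_from_sysfs_flags(path.read_text().strip())
    except (OSError, ValueError):
        return None


def compare_witnesses(dmesg_state, ifconfig_state, sysfs_state):
    """List interfaces the kernel calls promiscuous while ifconfig shows no PROMISC."""
    findings = []
    for iface in sorted(set(dmesg_state) | set(ifconfig_state) | set(sysfs_state)):
        kernel_says = dmesg_state.get(iface) or sysfs_state.get(iface)
        if kernel_says and not ifconfig_state.get(iface, False):
            findings.append(f"{iface}: kernel reports promiscuous mode, ifconfig does not")
    return findings


# Constructed sample data mirroring the observations in the thread.
SAMPLE_DMESG = [
    "device eth0 entered promiscuous mode",
    "device eth1 entered promiscuous mode",
    "device eth1 left promiscuous mode",
]

SAMPLE_IFCONFIG = """eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:66
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

# Constructed sysfs readings: 0x1103 = UP|BROADCAST|PROMISC|MULTICAST, 0x1003 lacks PROMISC.
SAMPLE_SYSFS = {"eth0": promisc_from_sysfs_flags("0x1103"),
                "eth1": promisc_from_sysfs_flags("0x1003")}


def demo():
    """Run the comparison over the constructed samples."""
    return compare_witnesses(promisc_from_dmesg(SAMPLE_DMESG),
                             promisc_from_ifconfig(SAMPLE_IFCONFIG),
                             SAMPLE_SYSFS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live host, replace the constructed samples with the real kernel log, the real ifconfig output and read_sysfs_promisc() per interface. A disagreement between the kernel's own view and ifconfig is exactly the symptom Skander describes, and it also catches the benign case of a legitimate sniffer whose PROMISC flag the binary simply does not display. The sysfs check sidesteps a replaced ifconfig but not a rootkit that lives in the kernel, such as the SucKIT family Marco mentions, so for a suspected compromise the reliable comparison is against tools run from known-good media.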