RE: just running tcpdump makes promisc mode?

From: Am (RazhamR_at_regent-college.ac.uk)
Date: 07/01/04

  • Next message: Rodrigo Campos: "Re: just running tcpdump makes promisc mode?"

    Date: Thu, 1 Jul 2004 09:39:56 +0100
    To: "Marco Monicelli" <marco.monicelli@marcegaglia.com>, "Skander Ben Mansour" <securityfocus@benmansour.net>

    If the machine is a fresh install, it might be a problem with tcpdump itself. I read something about ifconfig being broken in the PROMISC department due to some changes in the kernel.

    Use ip (/usr/sbin/ip) to check your interface status. It should match what you see in dmesg and /var/log/messages.

    Rootkit - possible, but needs more tests - e.g. check the binaries' md5 hashes.

    Am

    >-----Original Message-----
    >From: Marco Monicelli [mailto:marco.monicelli@marcegaglia.com]
    >Sent: 29 June 2004 07:41
    >To: Skander Ben Mansour
    >Cc: 'Monty Ree'; focus-linux@securityfocus.com
    >Subject: RE: just running tcpdump makes promisc mode?
    >
    >Very right indeed.
    >
    >Just two words to say that modern rootkits (pardon me my friend,
    >but Tornkit is pretty old nowadays) now have trojaned binaries
    >like ps, ls, ifconfig etc. which have the same size as the
    >original binaries and are normally based on a master-slave
    >technique which strongly needs ifconfig not to show the
    >promisc mode set by the admin.
    >
    >In this regard, I would suggest you google for
    >Superkit or Suckit (the first one coming up on the l33t scene),
    >which are also open source rootkits!!
    >
    >Anyway.... Skander's reflections are very right and I
    >congratulate him on his good analysis.
    >
    >Good work guys!
    >
    >Ciao
    >
    >Marco Monicelli
    >MARCEGAGLIA SPA
    >Sales Department - Automotive
    >Tel. +39 0376 685369
    >Fax. +39 0376 685625
    >mail: marco.monicelli@marcegaglia.com
    >
    >From: "Skander Ben Mansour" <securityfocus@benmansour.net>
    >Date: 24/06/2004 18.47
    >To: "'Monty Ree'" <chulmin2@hotmail.com>, <focus-linux@securityfocus.com>
    >Subject: RE: just running tcpdump makes promisc mode?
    >
    >Hi Monty,
    >
    >This might be a sign that your system has been compromised and
    >a rootkit installed.
    >
    >Some rootkits contain sniffers that set the network interface
    >card into promiscuous mode. The objective is to capture
    >passwords or other interesting traffic on the network of the
    >compromised host.
    >
    >How is that relevant to your situation?
    >
    >In order not to be detected, the rootkit subverts the output
    >of ifconfig not to show the PROMISC flag on the sniffing
    >interface. (The rootkit actually replaces the ifconfig program
    >by a trojan, along with many many other common system programs
    >like ps, ls, top,...)
    >
    >This sometimes results in ifconfig not displaying the
    >promiscuous state of an interface that was legitimately set in
    >promiscuous mode by the administrator (e.g. when running
    >tcpdump or snort).
    >
    >An example of such a rootkit is the T0rn rootkit described on the
    >website below: http://www.sophos.com/virusinfo/analyses/trojt0rnkit.html
    >
    >Good luck in your investigations.
    >
    >Best Regards,
    >
    >Skander Ben Mansour, CISSP
    >
    >
    >-----Original Message-----
    >From: Monty Ree [mailto:chulmin2@hotmail.com]
    >Sent: Wednesday, June 23, 2004 9:21 AM
    >To: focus-linux@securityfocus.com
    >Subject: just running tcpdump makes promisc mode?
    >
    >
    >Hello, all.
    >
    >I have been operating Red Hat Linux 7.x, which has kernel 2.4.26.
    >When I run tcpdump or snort, dmesg shows the line below.
    >
    >"device eth0 entered promiscuous mode"
    >
    >and when I stop tcpdump or snort, dmesg shows the line below.
    >
    >"device eth0 left promiscuous mode"
    >
    >But I can't find a PROMISC message when I execute ifconfig while
    >tcpdump or snort is running.
    >
    >Why are the results of dmesg and ifconfig different?
    >
    >Thanks in advance.
    >


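The thread's core advice is to cross-check an interface's promiscuous state against sources that do not depend on the ifconfig binary, and to verify the binaries themselves. The script below is an added example, not code from anyone in the thread: it reads the raw flags word from sysfs (bit 0x100 is IFF_PROMISC), the `promiscuity` reference count that a recent iproute2 prints with `ip -d link`, and ifconfig's own flags line, then explains the disagreement and runs `rpm -V` on the tools. It assumes a kernel with sysfs, a recent iproute2, and an RPM-based system like the original poster's; all function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: read an interface's promiscuous state
# from sources that bypass the ifconfig binary, then verify that binary.
# Assumes sysfs, an iproute2 that prints "promiscuity N", and an RPM system.
IFF_PROMISC=256   # 0x100 in <linux/if.h>

# Kernel view: /sys/class/net/<if>/flags is the raw dev->flags word in hex.
promisc_from_sysfs() {   # $1 = contents of the flags file, e.g. "0x1103"
    if [ $(( ${1:-0} & IFF_PROMISC )) -ne 0 ]; then echo yes; else echo no; fi
}

# Counter view: `ip -d link show <if>` prints "promiscuity N", the kernel's
# reference count that tcpdump/snort bump through their packet socket.
promisc_from_iplink() {  # $1 = text of `ip -d link show <if>`
    n=$(printf '%s\n' "$1" | sed -n 's/.*promiscuity \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$n" ] && [ "$n" -gt 0 ]; then echo yes; else echo no; fi
}

# Userland view: net-tools ifconfig prints PROMISC in its flags line.
promisc_from_ifconfig() {  # $1 = text of `ifconfig <if>`
    case "$1" in *PROMISC*) echo yes ;; *) echo no ;; esac
}

# ifconfig "no" while the kernel says "yes" is normal for a running sniffer:
# the SIOCGIFFLAGS ioctl only reports PROMISC when it was set as an interface
# flag (ifconfig / ip link set ... promisc on), not by a packet socket.
# Kernel "yes" with no sniffer you started is what deserves investigation.
verdict() {   # $1 = sysfs answer, $2 = ip answer, $3 = ifconfig answer
    if [ "$1" = yes ] || [ "$2" = yes ]; then
        if [ "$3" = yes ]; then echo "promisc (all sources agree)"
        else echo "promisc (kernel only; list packet sockets with: ss -0p)"; fi
    else
        echo "not promisc"
    fi
}

# Live run: gather the three sources for one interface and verify the tools.
check_iface() {
    dev=$1
    s=$(promisc_from_sysfs "$(cat "/sys/class/net/$dev/flags" 2>/dev/null)")
    i=$(promisc_from_iplink "$(ip -d link show "$dev" 2>/dev/null)")
    f=$(promisc_from_ifconfig "$(ifconfig "$dev" 2>/dev/null)")
    echo "$dev: sysfs=$s ip=$i ifconfig=$f -> $(verdict "$s" "$i" "$f")"
    # rpm -V compares each file with the hash recorded at install time and
    # prints nothing (exit 0) when the owning package is intact.
    for b in /sbin/ifconfig /sbin/ip; do
        rpm -Vf "$b" 2>/dev/null || echo "WARNING: $b differs from its package (or rpm unavailable)"
    done
}

# Runs only when an interface name is given: sh promisc-check.sh eth0
if [ $# -gt 0 ]; then check_iface "$1"; fi
```

A rootkit that replaced ifconfig can equally replace ip, cat and rpm, so treat agreement from a possibly compromised host as a hint, not proof; the rpm database and tools should be compared from trusted media.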
