On Monday 29 September 2003 12:53, manny wrote:
> On Sun, 28 Sep 2003, Bopolissimus Platypus wrote:
> > however.  if eth0 is in promisc mode and you don't know why, and if
> > one of your people didn't put it in promisc mode then you are probably
> > rooted.
>
> Uh oh!
>
> Well, actually, I used sniffit a few times. I believe a packet sniffer
> puts eth0 into promiscuous mode.

ahh, right.  packet sniffers and IDSs might have put you in promisc
mode.  if you stop all of those (temporarily, and make sure they
can't start again, e.g., they might be started by at or crond), does
your eth0 still go into promisc?

does sniffit *leave* your interface in promisc mode even after you stop
running sniffit?  any well behaved sniffer should disable promisc when
it exits or at least leave promisc status in whatever state it found it when
it started (which should generally be -promisc).

> Also, I used the ifconfig command you suggested, and version 0.42a says it
> still IS in promiscuous mode while version 0.41 says it is NOT.

i don't use chkrootkit, so i don't know what that's doing.  anyway, if one
of them says you're in promisc, then the thing to do is run some other
tool that'll tell you whether the interface is promisc or not.  i'd use
ifconfig.  not that i'd trust it :).  if there's a possibility that you've
been rooted, you can't trust anything on that box anymore.  you'll
have to detect it some other way.  e.g., put it behind a firewall and then
leave it alone (don't use it for anything) and have the firewall detect all
network connections or inward.  if it's been rooted and tries to phone
home, you'll see it in the firewall logs.

on the other hand, it could be a long wait :).  so maybe go ahead and
keep looking on that box to see if there's anything suspicious :).

> Is there any other utility I can use to see if eth0 is in promiscuous mode?
> I guess chkrootkit won't cut it this time.

ifconfig eth0

and see if PROMISC is in there.  e.g.:

[EMAIL PROTECTED] /]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:E0:98:00:25:9F  
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

ok, i'm in promisc mode because i set it earlier.  to turn it off:

[EMAIL PROTECTED] /]# ifconfig eth0 -promisc

and to check:

[EMAIL PROTECTED] /]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:E0:98:00:25:9F  
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

ok, not in promisc mode anymore.

but again, if you suspect you've been rooted, don't trust what anything (e.g.
ifconfig) says.

tiger

-- 
Gerald Timothy Quimpo  gquimpo*hotmail.com tiger*sni*ph
http://bopolissimus.sni.ph
Public Key: "gpg --keyserver pgp.mit.edu --recv-keys 672F4C78"

    To fear love is to fear life, and those who fear life are
     already three parts dead.
                            Bertrand Russell
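As an added example (not part of the original email, nor net-tools' own code), here is a small Python checker that pulls the PROMISC flag out of ifconfig output in both the classic layout quoted above and the newer `flags=NNNN<...>` layout, and can cross-check it against the kernel's flags word in `/sys/class/net/<iface>/flags` (IFF_PROMISC = 0x100). The sample inputs are constructed from the transcripts in the message; reading sysfs assumes a Linux host and is only a second data source on the same box, not a substitute for the out-of-band firewall monitoring the message recommends.

```python
import re

IFF_PROMISC = 0x100  # IFF_PROMISC bit from <linux/if.h>

# Constructed samples: the two ifconfig transcripts quoted in the email
# (classic net-tools layout) and the same promisc state as newer net-tools prints it.
OLD_PROMISC = """eth0      Link encap:Ethernet  HWaddr 00:E0:98:00:25:9F
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
"""
OLD_CLEAN = OLD_PROMISC.replace("PROMISC ", "")
NEW_PROMISC = "eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500\n"

OLD_HEADER = re.compile(r"^(\S+)\s+Link encap:")
OLD_FLAGS = re.compile(r"^\s+((?:[A-Z]+\s+)+)MTU:")
NEW_HEADER = re.compile(r"^(\S+): flags=\d+<([A-Z_,]*)>")

def parse_ifconfig_flags(text):
    """Return {iface: set of flag words} from either ifconfig output layout."""
    flags, current = {}, None
    for line in text.splitlines():
        m = NEW_HEADER.match(line)
        if m:  # newer net-tools: flags are listed on the header line itself
            current = m.group(1)
            flags[current] = set(filter(None, m.group(2).split(",")))
            continue
        m = OLD_HEADER.match(line)
        if m:  # classic layout: flags follow on a later indented line
            current = m.group(1)
            flags[current] = set()
            continue
        m = OLD_FLAGS.match(line) if current else None
        if m:
            flags[current].update(m.group(1).split())
    return flags

def is_promisc(text, iface):
    """True if ifconfig's own report lists PROMISC for iface."""
    return "PROMISC" in parse_ifconfig_flags(text).get(iface, set())

def flags_word_promisc(flags_word):
    """Decode the hex word /sys/class/net/<iface>/flags exposes (e.g. '0x1143')."""
    return bool(int(flags_word.strip(), 16) & IFF_PROMISC)

def sysfs_promisc(iface):
    """Cross-check against the kernel's flags word (assumes a Linux host)."""
    with open(f"/sys/class/net/{iface}/flags") as fh:
        return flags_word_promisc(fh.read())
```

On a live host, compare `sysfs_promisc("eth0")` with `is_promisc(subprocess.check_output(["ifconfig", "eth0"], text=True), "eth0")`; the two disagreeing is itself a finding worth chasing.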
--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph