FYI, I experienced similar bug with Kondara, the japanese
distribution (http://www.kondara.org/) uses 2.2.x kernel.
In that case, IPv6-patch changed libpcap's behavior about
promiscuous mode to incompatible with kernel.
A patch from Tatsuo Sekine <[EMAIL PROTECTED]> fixed
this bug. Kondara's newe
On Sat, Mar 17, 2001 at 12:32:03AM -0500, S . Salman Ahmed wrote:
>
> Any other ways I can try and detect this rootkit on my systems ?
>
Knark can't function if you have disabled module loading. It is a
module, so it can't do anything if it can't be run.
Did you say that the kernel logs a mess
On Fri, Mar 16, 2001 at 10:27:23PM -0600, JonesMB wrote:
>
> >Hi, Are you sure that this machine wasn't compromised ???
>
> this line made me wonder about what the correct output of ifconfig should
> be. I assume that if I am not listening on the port, the PROMISC entry
> should not be reporte
On Fri, Mar 16, 2001 at 10:27:23PM -0600, JonesMB wrote:
> Is there any reason for eth0 to be showing PROMISC all the time or is this
Some apps put the card into promisc mode and do not turn off promisc
when you exit.
Hi, Are you sure that this machine wasn't compromised ???
this line made me wonder about what the correct output of ifconfig should
be. I assume that if I am not listening on the port, the PROMISC entry
should not be reported in ifconfig. I should only see PROMISC if I am
running tcpdump,
On Fri, Mar 16, 2001 at 09:04:47PM -0500, S.Salman Ahmed wrote:
>
> > "marlonsj" == marlonsj writes:
> marlonsj> Hi, Are you sure that this machine wasn't compromised ???
> marlonsj>
>
> Absolutely.
>
> I get the same behaviour from ifconfig on another sid machine (this one
> is
Check out
http://members.nbci.com/dsinet/network-sniffers/interface-promiscuity-obscurity.txt
The only other thing I can think of is, something (or someone) is resetting
interface flags (not even sure if that's still possible, the article's from '98),
or there's some subtle bug in the nic's drive
On Sat, Mar 17, 2001 at 12:32:03AM -0500, S . Salman Ahmed wrote:
>
> Any other ways I can try and detect this rootkit on my systems ?
>
Knark can't function if you have disabled module loading. It is a
module, so it can't do anything if it can't be run.
Did you say that the kernel logs a mes
On Fri, Mar 16, 2001 at 09:04:47PM -0500, S . Salman Ahmed wrote:
> I get the same behaviour from ifconfig on another sid machine (this one
> is behind my firewall, and the firewall is the sid machine I wrote about
> in my earlier email).
>
I'm definitely not seeing this behavior on my sid machin
On Fri, Mar 16, 2001 at 10:27:23PM -0600, JonesMB wrote:
>
> >Hi, Are you sure that this machine wasn't compromised ???
>
> this line made me wonder about what the correct output of ifconfig should
> be. I assume that if I am not listening on the port, the PROMISC entry
> should not be report
On Fri, Mar 16, 2001 at 10:27:23PM -0600, JonesMB wrote:
> Is there any reason for eth0 to be showing PROMISC all the time or is this
Some apps put the card into promisc mode and do not turn off promisc
when you exit.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscri
>Hi, Are you sure that this machine wasn't compromised ???
this line made me wonder about what the correct output of ifconfig should
be. I assume that if I am not listening on the port, the PROMISC entry
should not be reported in ifconfig. I should only see PROMISC if I am
running tcpdump,
Hi,
Are you sure that this machine wasn't compromised ???
Usually rootkits replace the ifconfig file with a
version that does not show the promiscous state.
Marlon
> --- "S.Salman Ahmed" <[EMAIL PROTECTED]> escreveu:
> >
>
> > Isn't ifconfig supposed to report if a network
> > interface i
Hi,
Are you sure that this machine wasn't compromised ???
Marlon
--- "S.Salman Ahmed" <[EMAIL PROTECTED]> escreveu: >
> Isn't ifconfig supposed to report if a network
> interface is in
> Promiscuous mode ? I thought it was.
>
> I am currently running a sid system with
> kernel-2.4.2 and the o
On Fri, Mar 16, 2001 at 09:04:47PM -0500, S.Salman Ahmed wrote:
>
> > "marlonsj" == marlonsj writes:
> marlonsj> Hi, Are you sure that this machine wasn't compromised ???
> marlonsj>
>
> Absolutely.
>
> I get the same behaviour from ifconfig on another sid machine (this one
> is
On Fri, Mar 16, 2001 at 09:04:47PM -0500, S . Salman Ahmed wrote:
> I get the same behaviour from ifconfig on another sid machine (this one
> is behind my firewall, and the firewall is the sid machine I wrote about
> in my earlier email).
>
I'm definitely not seeing this behavior on my sid machi
Hi,
Are you sure that this machine wasn't compromised ???
Usually rootkits replace the ifconfig file with a
version that does not show the promiscous state.
Marlon
> --- "S.Salman Ahmed" <[EMAIL PROTECTED]> escreveu:
> >
>
> > Isn't ifconfig supposed to report if a network
> > interface
Hi,
Are you sure that this machine wasn't compromised ???
Marlon
--- "S.Salman Ahmed" <[EMAIL PROTECTED]> escreveu: >
> Isn't ifconfig supposed to report if a network
> interface is in
> Promiscuous mode ? I thought it was.
>
> I am currently running a sid system with
> kernel-2.4.2 and the
On Fri, Mar 16, 2001 at 12:27:25AM +0100, Luc MAIGNAN wrote:
> I've seen via iplog that someone had tried to access to my server. How can I
> know who he is knowing his IP address ?
dig foo;
whois foo;
nslookup foo;
traceroute foo;
et al.
--
Aaron Ghent.
On Fri, Mar 16, 2001 at 12:27:25AM +0100, Luc MAIGNAN wrote:
> I've seen via iplog that someone had tried to access to my server. How can I
> know who he is knowing his IP address ?
dig foo;
whois foo;
nslookup foo;
traceroute foo;
et al.
--
Aaron Ghent.
--
To UNSUBSCRIBE, email to [EMAIL
20 matches
Mail list logo
