Help - Search - Members - Calendar
Full Version: chkrootkit says "eth0: PROMISC"
The Planet Forums > Security > General Security
EWD
Oct 19 2003, 07:19 PM
Hello Everyone icon_wink.gif

Let me tell the whole story here...not sure if they are related or not.

Got home and had an e-mail sent from my server by APF saying...

---------------------------Email---------------------------------
To whom it may concern;

The remote system xxx.xxx.xxx.xxx was logged attacking host yy.yy.yy.yy,
this is an automated warning; please do not ignore this message!

xxx.xxx.xxx.xxx was found to have exceeded acceptable inbound packet flow, your
APF (Advanced policy firewall) installation on this host is configured
to dispatch this e-mail and/or take other such actions.

An e-mail has been sent to admin@ev1.net based on xxx.xxx.xxx.xxx listings
in the arin.net ip-whois database. The e-mail contained log information
to help the remote network administrator determine the cause of this
incident.

Enclosed below are log portions detailing the attack, all time stamps are
GMT -0400.

APF [antidos] log:
10/19/03 19:18:01: xxx.xxx.xxx.xxx:2058 -> yy.yy.yy.yy:80
10/19/03 19:18:01: xxx.xxx.xxx.xxx -> yy.yy.yy.yy (DROPPED)

Event logs:
Oct 19 03:04:38 xxx.xxx.xxx.xxx:1967 -> 66.98.160.xx:80 SYN ******S*
Oct 19 03:01:14 xxx.xxx.xxx.xxx:2954 -> 66.98.160.xx:80 SYN ******S*
Oct 19 03:01:14 xxx.xxx.xxx.xxx:2956 -> 66.98.160.xx:80 SYN ******S*
Oct 19 03:01:14 xxx.xxx.xxx.xxx:2957 -> 66.98.160.xx:80 SYN ******S*
Oct 19 03:01:15 xxx.xxx.xxx.xxx:2961 -> 66.98.160.xx:80 SYN ******S*
Oct 19 03:01:15 xxx.xxx.xxx.xxx:2964 -> 66.98.160.xx:80 SYN ******S*
Oct 19 03:01:15 xxx.xxx.xxx.xxx:2965 -> 66.98.160.xx:80 SYN ******S*
Oct 19 19:01:10 xxx.xxx.xxx.xxx:3798 -> 66.98.160.xx:80 SYN ******S*
Oct 19 19:01:10 xxx.xxx.xxx.xxx:3804 -> 66.98.160.xx:80 SYN ******S*
Oct 19 19:01:10 xxx.xxx.xxx.xxx:3810 -> 66.98.160.xx:80 SYN ******S*
Oct 19 19:01:10 xxx.xxx.xxx.xxx:3812 -> 66.98.160.xx:80 SYN ******S*
Oct 19 19:01:10 xxx.xxx.xxx.xxx:3813 -> 66.98.160.xx:80 SYN ******S*
Oct 19 19:16:17 xxx.xxx.xxx.xxx:2044 -> 66.98.160.xx:80 SYN ******S*
Oct 19 19:16:17 xxx.xxx.xxx.xxx:2050 -> 66.98.160.xx:80 SYN ******S*
Oct 19 19:16:17 xxx.xxx.xxx.xxx:2051 -> 66.98.160.xx:80 SYN ******S*
Oct 19 19:16:17 xxx.xxx.xxx.xxx:2056 -> 66.98.160.xx:80 SYN ******S*
Oct 19 19:16:17 xxx.xxx.xxx.xxx:2058 -> 66.98.160.xx:80 SYN ******S*

- Administrative team, mydomain

-------------------end of e-amil from apf--------------------

So I do a little search and everything seems ok untill I run chkrootkit (v 0.42b) and get eth0: PROMISC

I open a ticket with EV1 they go in and reply with the following....

--------------------ticket reply-----------------------------------
Dear customer, the security system you are running appears to be
overreacting to our monitoring service, which xxx.xxx.xxx.xxx is a part of.
Your network interface does not appear to be in promiscious mode.

I suggest configuring the APF software to ignore connections from
xxx.xxx.xxx.xxx.
As we do not offer managed hosting, we will be unable to
provde technical support in configuring 3rd party services such as this.

-----------------end of ticket--------------------------

Now what do I do?

The thing that is getting me is this....

APF [antidos] log:
10/19/03 19:18:01: xxx.xxx.xxx.xxx:2058 -> yy.yy.yy.yy:80
10/19/03 19:18:01: xxx.xxx.xxx.xxx -> yy.yy.yy.yy (DROPPED)

yy.yy.yy.yy is NOT my ip number and if you look at the event logs above, it only shows my ip 2 times, the rest are IP's not used by my server but are on the same subnet.

So what's the story, am I in trouble or what?

Any help would be appreciated by this n00b here icon_wink.gif

Thanks!
amps
Oct 19 2003, 07:36 PM
If you are in promiscuous mode, you are seeing traffic to/from other servers in addition to your own.

Remove your card from promiscuous mode to get rid of those false warnings.
EWD
Oct 19 2003, 07:40 PM
QUOTE
Originally posted by amps
Remove your card from promiscuous mode to get rid of those false warnings.



How do I do that?
EWD
Oct 20 2003, 06:54 AM
Also, this happened after I installed snort using gpan's rpm.

Could snort be turning the card into promiscuous mode??
smack
Oct 20 2003, 09:16 AM
I believe that chkrootkit 42b incorrectly determines promiscuous mode when you run ./chkrootkit. Run ./ifpromisc from the chkrootkit directory to determine whether the card is actually promiscuous.

Note: this is my belief, since ifpromisc included with 42b and versions of chkrootkit older than 42b all report my cards as non-promiscuous.
EWD
Oct 20 2003, 09:37 AM
Hey smack,
It does have to do with snort being installed on my system.

It seems that is how snort is designed so it can filter the system.

If I stop snort, no warning
If I start snort, warning.


I ran ./ifpromisc and it does not show my cards being promisc so I can breath a little better now icon_biggrin.gif

Thanks for the help, really appreciate it icon_wink.gif
devo-x
Oct 21 2003, 07:40 AM
Why does the recent version of chkrootkit 42b incorrectly determine promiscuous mode? (Assuming you compiled with "make sense")

Another test to run if "promisicous mode" detected - Run the command "ip link"
EWD
Oct 21 2003, 08:45 AM
chkrootkit, in this case, is not incorrect.
Indeed promiscous mode is set due to the installation of Snort.
As understood from gpans explanation, Snort deliberatelly sets the card into promiscuos mode. By design, that is how snort filters traffic.
jd_waverly
Oct 22 2003, 02:09 PM
That is correct.
Promiscous mode is normal if you are running Snort.
smack
Oct 23 2003, 10:34 AM
You can also check your card using:

ip link show eth0

If you see PROMSC then it's in promiscuous mode. To take it out of promiscuous mode, do:

ifconfig eth0 -promisc

then restart.
ricoche
Dec 22 2003, 12:02 AM
I am not sure I understand here.

I am running chkrootkit-0.42b.
Snort was installed about a week ago.
Yesterday I upgraded the to the most recent kernel version.

Now today when chkroot runs I get the notice:

eth0: PROMISC

__________________

If I run the command ./ifpromisc I get the following output:

eth0 is not promisc
eth0:1 is not promisc
eth0:2 is not promisc
eth0:3 is not promisc
eth0:4 is not promisc

If I run the command ip link show eth0 I get the following:

2: eth0: mtu 1500 qdisc pfifo_fast qlen 100 link/ether 00:04:23:2b:e2:72 brd ff:ff:ff:ff:ff:ff

I then run ifconfig eth0 -promisc to shut down promisc.

After that I run ifconfig eth0 and get the following output:

eth0 Link encap:Ethernet HWaddr 00:04:23:2B:E2:72
inet addr:207.44.206.90 Bcast:207.44.207.255 Mask:255.255.254.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2422239 errors:0 dropped:0 overruns:0 frame:0
TX packets:1944785 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:273005639 (260.3 Mb) TX bytes:1780920985 (1698.4 Mb)
Interrupt:11 Base address:0xac00 Memory:dfeff000-dfeff038

However, when I run ./chkroot from my cron.daily directory I still get the eth0: PROMISC message.

Above it was mentioned to restart something, but I don't know "what" to restart. The server? Does this mean reboot?

I am really confused about why I suddenly am getting this error and why I can't seem to get a confirmation about whether it is indeed on or off.

Thanks for any insight and/or help here.

Ricoche
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2010 Invision Power Services, Inc.