promiscuous mode

Teo Fonrouge fedora-list at windtelsoft.com
Tue Aug 23 19:24:52 UTC 2005


Oliver Leitner wrote:
> 
> Teo Fonrouge wrote:
> 
> | Oliver Leitner wrote:
> |
> |> Teo Fonrouge wrote:
> |>
> |> | Hello,
> |> |
> |> | Using a FC4 box.
> |> |
> |> | Checking in my /var/log/messages file I noticed that the kernel has
> |> | been setting my eth0 interface in promiscuous mode regularly:
> |> |
> |> | Aug 21 14:30:38 sx1 kernel: eth0: Setting promiscuous mode.
> |> | Aug 21 14:30:38 sx1 kernel: device eth0 entered promiscuous mode
> |> | Aug 21 14:30:38 sx1 kernel: bridge-eth0: enabled promiscuous mode
> |> | Aug 21 14:31:36 sx1 kernel: device eth0 left promiscuous mode
> |> | Aug 21 14:31:36 sx1 kernel: bridge-eth0: disabled promiscuous mode
> |> | Aug 21 14:31:36 sx1 kernel: eth0: Setting promiscuous mode.
> |> | Aug 21 14:31:36 sx1 kernel: device eth0 entered promiscuous mode
> |> | Aug 21 14:31:36 sx1 kernel: bridge-eth0: enabled promiscuous mode
> |> |
> |> | I believe that I haven't run any program that causes this.
> |> |
> |> | Is it a normal kernel operation?
> |> |
> |> | How can I know what is causing this?
> |> |
> |> |
> |> | best regards
> |> |
> |> | Teo Fonrouge
> |>
> |> does any of these programs ring a bell?:
> |>
> |> iptraf tcpdump ethereal
> |
> |
> | None of these programs was running at that time.
> |
> |>
> |> or any other monitoring program?
> |
> |
> | Nope. :(
> |
> |>
> |> greetings oliver
> |
> |
> | Thank you Oliver
> |
> |
> |
> | best regards
> |
> | Teo Fonrouge
> |
> then try to look through user history, at your command prompt type
> history, best combined with less or more, and look at what has been
> started the past few days...
> 
> if none of it shows up well, get rkhunter, and check for any running
> backdoors....
> 

rkhunter was run; all seems to be ok except for this message:

[...]
* Filesystem checks
    Checking /dev for suspicious files...                      [ OK ]
    Scanning for hidden files...                               [ Warning! ]
---------------
  /dev/.udevdb  /usr/share/man/man1/..1.gz  /etc/.pwd.lock
---------------
Please inspect:  /dev/.udevdb (directory)
[...]

really don't know what it means.

I'll try checking by shutting down some services on this box and see the results.


Thank you for your help Oliver



best regards

Teo Fonrouge
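
Added example, not part of the original message: one way to see how long eth0 stayed promiscuous, and which other kernel log sources reported the change alongside it, is to pair the "entered"/"left" lines from /var/log/messages. The function name, the regexes and the assumed year 2005 are illustrative; the sample lines are the ones quoted in the message above.

```python
import re
from datetime import datetime

# Kernel log lines quoted in the message above.
SAMPLE = """\
Aug 21 14:30:38 sx1 kernel: eth0: Setting promiscuous mode.
Aug 21 14:30:38 sx1 kernel: device eth0 entered promiscuous mode
Aug 21 14:30:38 sx1 kernel: bridge-eth0: enabled promiscuous mode
Aug 21 14:31:36 sx1 kernel: device eth0 left promiscuous mode
Aug 21 14:31:36 sx1 kernel: bridge-eth0: disabled promiscuous mode
Aug 21 14:31:36 sx1 kernel: eth0: Setting promiscuous mode.
Aug 21 14:31:36 sx1 kernel: device eth0 entered promiscuous mode
Aug 21 14:31:36 sx1 kernel: bridge-eth0: enabled promiscuous mode
""".splitlines()

# Classic syslog timestamps carry no year; 2005 is assumed from the post date.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (.*)$")
DEVICE = re.compile(r"^device (\S+) (entered|left) promiscuous mode")
OTHER = re.compile(r"^(\S+): .*promiscuous mode", re.I)

def promisc_sessions(lines, year=2005):
    """Return (sessions, sources). sessions: (iface, start, end) tuples,
    end=None if the log ends with the interface still promiscuous.
    sources: other kernel log prefixes that mention promiscuous mode."""
    open_since, sessions, sources = {}, [], set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a kernel line in the expected syslog layout
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        dev = DEVICE.match(m.group(2))
        if dev:
            iface, action = dev.groups()
            if action == "entered":
                open_since.setdefault(iface, when)
            elif iface in open_since:  # ignore a "left" with no start in the log
                sessions.append((iface, open_since.pop(iface), when))
        else:
            other = OTHER.match(m.group(2))
            if other:
                sources.add(other.group(1))  # e.g. a driver logging the same change
    sessions += [(i, s, None) for i, s in open_since.items()]
    return sessions, sources

if __name__ == "__main__":
    sessions, sources = promisc_sessions(SAMPLE)
    for iface, start, end in sessions:
        held = f"{int((end - start).total_seconds())}s" if end else "still on at end of log"
        print(iface, start.time(), held)
    print("other kernel sources logging the change:", sorted(sources))
```

The source names collected alongside the device lines (here eth0 and bridge-eth0) are the names to match against loaded modules and running services when looking for what toggles the mode.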