hello all-

and a happy holiday to all you geeks that are in front of the crt!

I found these log messages in my logs and I am not sure what some of them signify.

Dec 23 19:08:39 smtp kernel: Limiting closed port RST response from 221 to 200 packets/sec
Dec 23 19:08:40 smtp kernel: Limiting closed port RST response from 241 to 200 packets/sec
Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode enabled
Dec 24 05:32:49 smtp kernel: fxp0: promiscuous mode disabled
Dec 24 05:33:01 smtp kernel: fxp0: promiscuous mode enabled
Dec 24 08:18:44 smtp kernel: fxp0: promiscuous mode disabled
Dec 24 12:48:57 smtp kernel: Limiting closed port RST response from 201 to 200 packets/sec

I understand the "Limiting closed port RST response". ....but what are the promiscuous mode enabled and disabled on my NIC? I am not doing this, so who or what is doing this. Or better yet, what does this mean? I have a fear that this one is serious. So what I need is some direction into finding out how this occurs and what I can do to stop it.

thanks,
Bob

The most common situation in which you'll see such messages is when a program (often tcpdump) is sniffing packets on an interface via bpf. (tcpdump normally shifts the interface into promiscuous mode so it can see every packet an interface receives, even if it's not bound for that machine.) If you were not running tcpdump or something similar, it's possible that a sniffer has been planted on your machine.

--Brett Glass

At 10:39 AM 12/25/2004, Bob Ababurko wrote:
>hello all-
>
>and a happy holiday to all you geeks that are in front of the crt!
>
>I found these log messages in my logs and I am not sure what some of them signify.
>
>Dec 23 19:08:39 smtp kernel: Limiting closed port RST response from 221 to 200 packets/sec
>Dec 23 19:08:40 smtp kernel: Limiting closed port RST response from 241 to 200 packets/sec
>Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode enabled
>Dec 24 05:32:49 smtp kernel: fxp0: promiscuous mode disabled
>Dec 24 05:33:01 smtp kernel: fxp0: promiscuous mode enabled
>Dec 24 08:18:44 smtp kernel: fxp0: promiscuous mode disabled
>Dec 24 12:48:57 smtp kernel: Limiting closed port RST response from 201 to 200 packets/sec
>
>I understand the "Limiting closed port RST response". ....but what are the promiscuous mode enabled and disabled on my NIC? I am not doing this, so who or what is doing this. Or better yet, what does this mean? I have a fear that this one is serious. So what I need is some direction into finding out how this occurs and what I can do to stop it.
>
>thanks,
>Bob

Have you run any program such as trafshow or iftop? They make that appear in my logs.

> hello all-
>
> and a happy holiday to all you geeks that are in front of the crt!
>
> I found these log messages in my logs and I am not sure what some of
> them signify.
>
> Dec 23 19:08:39 smtp kernel: Limiting closed port RST response from 221 to 200 packets/sec
> Dec 23 19:08:40 smtp kernel: Limiting closed port RST response from 241 to 200 packets/sec
> Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode enabled
> Dec 24 05:32:49 smtp kernel: fxp0: promiscuous mode disabled
> Dec 24 05:33:01 smtp kernel: fxp0: promiscuous mode enabled
> Dec 24 08:18:44 smtp kernel: fxp0: promiscuous mode disabled
> Dec 24 12:48:57 smtp kernel: Limiting closed port RST response from 201 to 200 packets/sec
>
> I understand the "Limiting closed port RST response". ....but what are
> the promiscuous mode enabled and disabled on my NIC? I am not doing
> this, so who or what is doing this. Or better yet, what does this mean?
> I have a fear that this one is serious. So what I need is some
> direction into finding out how this occurs and what I can do to stop it.
>
> thanks,
> Bob

If you haven't been running trafshow, tcpdump, ngrep or some other traffic sniffer, more than likely someone has hacked you. I believe it takes root privileges to put the interface into promiscuous mode. If this is the case, the attacker is likely sniffing for passwords and/or email traffic, since this looks like a mail server.

Lately, it seems that a lot of hackers are not affecting the system to the point that the owner would notice (i.e. changing passwords, etc.), so they can hang on to it for a while. Generally, it's for spamming purposes these days, but it's hard to say.

Jerry
http://www.syslog.org

> hello all-
>
> and a happy holiday to all you geeks that are in front of the crt!
>
> I found these log messages in my logs and I am not sure what some of
> them signify.
>
> Dec 23 19:08:39 smtp kernel: Limiting closed port RST response from 221 to 200 packets/sec
> Dec 23 19:08:40 smtp kernel: Limiting closed port RST response from 241 to 200 packets/sec
> Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode enabled
> Dec 24 05:32:49 smtp kernel: fxp0: promiscuous mode disabled
> Dec 24 05:33:01 smtp kernel: fxp0: promiscuous mode enabled
> Dec 24 08:18:44 smtp kernel: fxp0: promiscuous mode disabled
> Dec 24 12:48:57 smtp kernel: Limiting closed port RST response from 201 to 200 packets/sec
>
> I understand the "Limiting closed port RST response". ....but what are
> the promiscuous mode enabled and disabled on my NIC? I am not doing
> this, so who or what is doing this. Or better yet, what does this mean?
> I have a fear that this one is serious. So what I need is some
> direction into finding out how this occurs and what I can do to stop it.
>
> thanks,
> Bob
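
An added example, not part of any message in this thread: a small parser that pairs the "promiscuous mode enabled/disabled" kernel messages per interface into capture windows, so each window can be checked against who was running a sniffer at the time. The function name `promisc_windows` is hypothetical, and the year 2004 is an assumption taken from the date on the first reply, since syslog timestamps carry no year.

```python
import re
from datetime import datetime

# A subset of the log lines from the original post in this thread.
SAMPLE = """\
Dec 23 19:08:39 smtp kernel: Limiting closed port RST response from 221 to 200 packets/sec
Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode enabled
Dec 24 05:32:49 smtp kernel: fxp0: promiscuous mode disabled
Dec 24 05:33:01 smtp kernel: fxp0: promiscuous mode enabled
Dec 24 08:18:44 smtp kernel: fxp0: promiscuous mode disabled
Dec 24 12:48:57 smtp kernel: Limiting closed port RST response from 201 to 200 packets/sec
"""

PROMISC = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+"
    r"(?P<ifname>\w+):\s+promiscuous mode (?P<state>enabled|disabled)\s*$"
)

def promisc_windows(text, year=2004):
    """Pair enabled/disabled events per interface.

    Returns (ifname, start, end, seconds) tuples; end and seconds are None
    when the log ends with the interface still promiscuous. Syslog
    timestamps carry no year, so `year` is an assumption by the caller.
    """
    open_since = {}   # ifname -> datetime of the unmatched "enabled"
    windows = []
    for line in text.splitlines():
        m = PROMISC.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ifname = m["ifname"]
        if m["state"] == "enabled":
            # Keep the earliest start if "enabled" is logged twice in a row.
            open_since.setdefault(ifname, ts)
        elif ifname in open_since:
            start = open_since.pop(ifname)
            windows.append((ifname, start, ts, int((ts - start).total_seconds())))
    # Anything still open at the end of the log is an active capture.
    windows += [(i, s, None, None) for i, s in sorted(open_since.items())]
    return windows

if __name__ == "__main__":
    for ifname, start, end, secs in promisc_windows(SAMPLE):
        print(ifname, start, end or "STILL ENABLED", secs)
```

On the posted log this yields two windows on fxp0, one of 15 seconds and one of nearly three hours; a window nobody on the machine can account for is the one to investigate. While a window is still open, `ifconfig fxp0` lists PROMISC among the interface flags.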