odd log message...looks serious

Jerry Bell jerry at syslog.org
Sun Dec 26 07:34:47 PST 2004


If you haven't been running trafshow, tcpdump, ngrep or some other traffic
sniffer, more than likely someone has hacked you.  I believe it takes root
privileges to put the interface into promiscuous mode.
If this is the case, the attacker is likely sniffing for passwords and/or
email traffic, since this looks like a mail server.

Lately, it seems that a lot of hackers are not affecting the system to the
point that the owner would notice (i.e. changing passwords, etc.), so they
can hang on to it for a while.  Generally, it's for spamming purposes these
days, but it's hard to say.

Jerry
http://www.syslog.org
> hello all-
>
> and a happy holiday to all you geeks that are in front of the crt!
>
> I found these log messages in my logs and I am not sure what some of
> them signify.
>
> Dec 23 19:08:39 smtp kernel: Limiting closed port RST response from 221
> to 200 packets/sec
> Dec 23 19:08:40 smtp kernel: Limiting closed port RST response from 241
> to 200 packets/sec
> Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode enabled
> Dec 24 05:32:49 smtp kernel: fxp0: promiscuous mode disabled
> Dec 24 05:33:01 smtp kernel: fxp0: promiscuous mode enabled
> Dec 24 08:18:44 smtp kernel: fxp0: promiscuous mode disabled
> Dec 24 12:48:57 smtp kernel: Limiting closed port RST response from 201
> to 200 packets/sec
>
> I understand the "Limiting closed port RST response". ....but what are
> the promiscuous mode enabled and disabled on my NIC?  I am not doing
> this, so who or what is doing this.  Or better yet, what does this mean?
>   I have a fear that this one is serious.  So what I need is some
> direction into finding out how this occurs and what I can do to stop it.
>
> thanks,
> Bob
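A repeatable version of the log check discussed in this thread, as an added example that is not part of either message: it pairs the kernel's promiscuous-mode enable/disable lines per interface and reports how long each window lasted. The function name, the year passed in (syslog lines carry none) and the `em0` sample line are assumptions made for the example.

```python
import re
from datetime import datetime

# Matches BSD syslog kernel lines such as:
#   Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode enabled
PROMISC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?P<ifname>\w+): promiscuous mode (?P<state>enabled|disabled)\s*$"
)

def promisc_windows(lines, year):
    """Pair enable/disable events per (host, interface).

    Returns (host, ifname, start, end, seconds) tuples; end and seconds are
    None when no matching 'disabled' line followed (still on, or log cut off).
    """
    open_since = {}   # (host, ifname) -> datetime of the unmatched 'enabled'
    windows = []
    for line in lines:
        m = PROMISC_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["host"], m["ifname"])
        if m["state"] == "enabled":
            # A repeated 'enabled' keeps the earliest start time.
            open_since.setdefault(key, ts)
        elif key in open_since:
            start = open_since.pop(key)
            windows.append((*key, start, ts, int((ts - start).total_seconds())))
    for key, start in open_since.items():
        windows.append((*key, start, None, None))
    return windows

# Sample input: lines quoted in this thread (unwrapped), plus one constructed
# line (em0) showing an interface that was never switched back.
SAMPLE = """\
Dec 23 19:08:40 smtp kernel: Limiting closed port RST response from 241 to 200 packets/sec
Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode enabled
Dec 24 05:32:49 smtp kernel: fxp0: promiscuous mode disabled
Dec 24 05:33:01 smtp kernel: fxp0: promiscuous mode enabled
Dec 24 08:18:44 smtp kernel: fxp0: promiscuous mode disabled
Dec 25 02:10:00 smtp kernel: em0: promiscuous mode enabled
""".splitlines()

if __name__ == "__main__":
    for host, ifname, start, end, secs in promisc_windows(SAMPLE, 2004):
        status = f"{secs}s, until {end}" if end else "STILL ENABLED"
        print(f"{host} {ifname}: promiscuous from {start} ({status})")
```

Each reported window can then be compared against times when an administrator is known to have run a sniffer on that host; a window nobody can account for is the case the reply above describes.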