From owner-freebsd-security Mon Apr 24 8:10:47 2000
Message-Id: <200004241509.IAA13292@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.0-STABLE
To: Alex Michlin
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Fri, 21 Apr 2000 14:26:40 EDT."
Date: Mon, 24 Apr 2000 08:08:37 -0700
Sender: owner-freebsd-security@FreeBSD.ORG

In message , Alex Michlin writes:
> How can a hacker enable promiscuous mode through an ftp connection?
> I did a `last` to see who, if anyone, logged on and the only logon I saw
> was an ftp connection from an @home machine. I don't see any extra
> programs running on the machine. Do I need to be concerned about telnet
> passwords, etc?
>
> Apr 20 13:10:12 hostname /kernel: xl0: promiscuous mode enabled

Are you sure it's a hacker? Do these "events" coincide with other events, e.g. system boot, an application starting, etc.?

For example, we use an application called egd (entropy gathering daemon) on our servers on our raised floors, which puts the interfaces into promiscuous mode, among other entropy gathering things done, just after boot to initially set up its entropy pool. Therefore I can directly correlate promiscuous mode with system boot.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
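
The correlation suggested in the reply above, as an added example that is not part of the original message: it scans syslog text for "promiscuous mode enabled" kernel lines and checks whether a boot marker or other activity was logged shortly before each one. The sample log lines are constructed; the kernel copyright banner as boot marker, the 5-minute window and the `year` parameter (syslog timestamps carry no year) are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the style of /var/log/messages (not real log data).
SAMPLE = """\
Apr 18 09:00:01 hostname /kernel: Copyright (c) 1992-2000 The FreeBSD Project.
Apr 18 09:00:40 hostname /kernel: xl0: promiscuous mode enabled
Apr 20 13:08:55 hostname ftpd[411]: connection from client.example.net
Apr 20 13:10:12 hostname /kernel: xl0: promiscuous mode enabled
"""

# timestamp, host, program (optional [pid]), message
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")
PROMISC = re.compile(r"^(\w+): promiscuous mode enabled$")
BOOT = re.compile(r"^Copyright \(c\) .*FreeBSD")  # assumed boot marker


def correlate(text, window=timedelta(minutes=5), year=2000):
    """Return one record per promiscuous-mode event with its preceding context."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            events.append((ts, m[3], m[4]))

    report = []
    for ev in events:
        ts, prog, msg = ev
        hit = PROMISC.match(msg)
        if prog != "/kernel" or not hit:
            continue
        # Everything logged in the window leading up to this event.
        near = [e for e in events
                if e is not ev and timedelta(0) <= ts - e[0] <= window]
        booted = any(p == "/kernel" and BOOT.match(m2) for _, p, m2 in near)
        report.append({
            "time": ts,
            "iface": hit[1],
            # "boot": explained by startup; "review": needs a human look.
            "verdict": "boot" if booted else "review",
            "context": [f"{p}: {m2}" for _, p, m2 in near if not BOOT.match(m2)],
        })
    return report


if __name__ == "__main__":
    for rec in correlate(SAMPLE):
        print(rec["time"], rec["iface"], rec["verdict"], rec["context"])
```

A "review" verdict only means nothing at boot explains the event; the context list shows what else was logged in the window so it can be checked against application start times.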