From: David Pick
To: Matt Gostick
Cc: freebsd-security@freebsd.org
Subject: Re: ethernet promiscuous mode.
In-reply-to: Your message of "Wed, 08 Dec 1999 00:58:23 EST."
Date: Wed, 08 Dec 1999 10:26:22 +0000

Hypothesising, anything that wants to be less specific than usual
about the destination IP address might use promiscuous mode:

* user-mode BOOTP client
* user-mode DHCP client
* multi-cast reception
* packet sniffer
* intrusion detection system (to sniff packets!)
* &c, &c

> 30 minutes later when I did ifconfig -a the vr0 device was not in
> PROMISC mode...

Are you *sure*? If someone *has* "cracked" you and installed a
rootkit, "ifconfig" might have been replaced by a modified version
that does not report the true facts - I'd recommend (at least)
deliberately putting the interface into promiscuous mode yourself
and double-checking that "ifconfig" reports the fact correctly...

-- 
David Pick
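Added example (not part of David Pick's message): one way to run the cross-check he suggests is to compare what /sbin/ifconfig prints with the interface flags read directly through getifaddrs(). The function names are hypothetical, the FreeBSD-style `flags=...<...>` output format is assumed, and the check only catches a replaced ifconfig binary.

```c
#define _DEFAULT_SOURCE /* glibc only: expose getifaddrs() and popen() */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <ifaddrs.h>
/* 1 if the flags=...<A,B,...> list printed by ifconfig contains PROMISC. */
int ifconfig_reports_promisc(const char *out) {
    const char *lt = strchr(out, '<'), *gt = lt ? strchr(lt, '>') : NULL;
    if (!gt) return 0;
    for (const char *p = lt + 1; p < gt; ) {
        size_t n = strcspn(p, ",>");
        if (n == 7 && strncmp(p, "PROMISC", 7) == 0) return 1;
        p += n + 1;
    }
    return 0;
}

/* Interface flags as the kernel reports them via getifaddrs(); -1 if absent. */
long kernel_flags(const char *ifname) {
    struct ifaddrs *head, *p;
    long flags = -1;
    if (getifaddrs(&head) != 0) return -1;
    for (p = head; p; p = p->ifa_next)
        if (strcmp(p->ifa_name, ifname) == 0) { flags = (long)p->ifa_flags; break; }
    freeifaddrs(head);
    return flags;
}

/* 0 = views agree, 1 = kernel has PROMISC but ifconfig omits it, 2 = reverse. */
int compare_views(long kflags, const char *ifconfig_out) {
    int k = (kflags & IFF_PROMISC) != 0, u = ifconfig_reports_promisc(ifconfig_out);
    return k == u ? 0 : (k ? 1 : 2);
}

int main(int argc, char **argv) {
    const char *ifname = argc > 1 ? argv[1] : "vr0"; /* vr0: device in the thread */
    char cmd[64], out[4096];
    long kf = kernel_flags(ifname);
    /* Only short [a-z0-9] names reach the shell command built below. */
    if (kf < 0 || strlen(ifname) > 15 || ifname[strspn(ifname, "abcdefghijklmnopqrstuvwxyz0123456789")]) return 2;
    snprintf(cmd, sizeof cmd, "/sbin/ifconfig %s", ifname);
    FILE *fp = popen(cmd, "r");
    if (!fp) return 2;
    out[fread(out, 1, sizeof out - 1, fp)] = '\0';
    pclose(fp);
    printf("%s: %s\n", ifname, compare_views(kf, out) ? "MISMATCH" : "views agree");
    return compare_views(kf, out);
}
```

Exit status 1 means the kernel flags include IFF_PROMISC while the ifconfig output does not. A kernel-level rootkit could still falsify both views, so build and run the checker from trusted media.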