Date: Sat, 25 Dec 2004 22:45:53 -0500 (EST)
From: "Jerry Bell" <jerry@syslog.org>
To: "Bob Ababurko" <ababurko@adelphia.net>
Cc: freebsd-security@freebsd.org
Subject: Re: odd log mesage...looks serious
Message-ID: <4531.24.98.86.57.1104032753.squirrel@24.98.86.57>
In-Reply-To: <41CDA5C0.3000105@adelphia.net>
References: <41CDA5C0.3000105@adelphia.net>

If you haven't been running trafshow, tcpdump, ngrep or some other traffic
sniffer, more than likely someone has hacked you.  I believe it takes root
privileges to put the interface into promiscuous mode.  If this is the case,
the attacker is likely sniffing for passwords and/or email traffic, since
this looks like a mail server.

Lately, it seems that a lot of hackers are not affecting the system to the
point that the owner would notice (i.e. changing passwords, etc.), so they can
hang on to it for a while.  Generally, it's for spamming purposes these days,
but it's hard to say.

Jerry
http://www.syslog.org

> hello all-
>
> and a happy holiday to all you geeks that are in front of the crt!
>
> I found these log messages in my logs and I am not sure what some of
> them signify.
>
> Dec 23 19:08:39 smtp kernel: Limiting closed port RST response from 221
> to 200 packets/sec
> Dec 23 19:08:40 smtp kernel: Limiting closed port RST response from 241
> to 200 packets/sec
> Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode enabled
> Dec 24 05:32:49 smtp kernel: fxp0: promiscuous mode disabled
> Dec 24 05:33:01 smtp kernel: fxp0: promiscuous mode enabled
> Dec 24 08:18:44 smtp kernel: fxp0: promiscuous mode disabled
> Dec 24 12:48:57 smtp kernel: Limiting closed port RST response from 201
> to 200 packets/sec
>
> I understand the "Limiting closed port RST response". ....but what are
> the promiscuous mode enabled and disabled on my NIC?  I am not doing
> this, so who or what is doing this.  Or better yet, what does this mean?
> I have a fear that this one is serious.  So what I need is some
> direction into finding out how this occurs and what I can do to stop it.
>
> thanks,
> Bob
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"
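Added example (not part of the original e-mail or of FreeBSD): a small Python script that pairs the "promiscuous mode enabled/disabled" kernel messages quoted above into per-interface windows, so each window can be compared against times when an administrator knowingly ran a sniffer. The function name and the `year` argument are assumptions of this example; syslog timestamps carry no year, so the caller supplies one.

```python
import re
from datetime import datetime

# Kernel log lines quoted in the message above, with the mail wrapping undone.
SAMPLE_LOG = """\
Dec 23 19:08:39 smtp kernel: Limiting closed port RST response from 221 to 200 packets/sec
Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode enabled
Dec 24 05:32:49 smtp kernel: fxp0: promiscuous mode disabled
Dec 24 05:33:01 smtp kernel: fxp0: promiscuous mode enabled
Dec 24 08:18:44 smtp kernel: fxp0: promiscuous mode disabled
Dec 24 12:48:57 smtp kernel: Limiting closed port RST response from 201 to 200 packets/sec
"""

PROMISC = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (\w+): "
    r"promiscuous mode (enabled|disabled)$")

def promisc_sessions(log_text, year):
    """Pair enable/disable events per interface.

    Returns (iface, start, end, seconds) tuples. end and seconds are None
    when the log ends with the interface still in promiscuous mode.
    """
    open_since = {}   # iface -> time promiscuous mode was switched on
    sessions = []
    for line in log_text.splitlines():
        m = PROMISC.match(line.strip())
        if not m:
            continue  # unrelated message, e.g. the RST rate-limit lines
        stamp, iface, state = m.groups()
        # The year is not in the log line; it is an input (assumption).
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if state == "enabled":
            open_since.setdefault(iface, when)  # keep the earliest enable
        elif iface in open_since:
            start = open_since.pop(iface)
            secs = int((when - start).total_seconds())
            sessions.append((iface, start, when, secs))
    # Interfaces that never logged a matching "disabled" are still open.
    sessions += [(i, s, None, None) for i, s in open_since.items()]
    return sessions

if __name__ == "__main__":
    for iface, start, end, secs in promisc_sessions(SAMPLE_LOG, 2004):
        print(iface, start, end or "STILL ENABLED", secs)
```

On the quoted lines this reports two windows on fxp0, one of 15 seconds and one of 9943 seconds (about 2 hours 46 minutes).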