From: "Jerry Bell" <jerry@syslog.org>
To: "Bob Ababurko"
cc: freebsd-security@freebsd.org
Date: Sat, 25 Dec 2004 22:45:53 -0500 (EST)
Subject: Re: odd log mesage...looks serious
Message-ID: <4531.24.98.86.57.1104032753.squirrel@24.98.86.57>
In-Reply-To: <41CDA5C0.3000105@adelphia.net>

If you haven't been running trafshow, tcpdump, ngrep or some other traffic sniffer, more than likely someone has hacked you. I believe it takes root privileges to put the interface into promiscuous mode. If this is the case, the attacker is likely sniffing for passwords and/or email traffic, since this looks like a mail server.

Lately, it seems that a lot of hackers are not affecting the system to the point that the owner would notice (i.e. changing passwords, etc.), so they can hang on to it for a while. Generally, it's for spamming purposes these days, but it's hard to say.

Jerry
http://www.syslog.org

> hello all-
>
> and a happy holiday to all you geeks that are in front of the crt!
>
> I found these log messages in my logs and I am not sure what some of
> them signify.
>
> Dec 23 19:08:39 smtp kernel: Limiting closed port RST response from 221 to 200 packets/sec
> Dec 23 19:08:40 smtp kernel: Limiting closed port RST response from 241 to 200 packets/sec
> Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode enabled
> Dec 24 05:32:49 smtp kernel: fxp0: promiscuous mode disabled
> Dec 24 05:33:01 smtp kernel: fxp0: promiscuous mode enabled
> Dec 24 08:18:44 smtp kernel: fxp0: promiscuous mode disabled
> Dec 24 12:48:57 smtp kernel: Limiting closed port RST response from 201 to 200 packets/sec
>
> I understand the "Limiting closed port RST response"... but what are
> the promiscuous mode enabled and disabled on my NIC? I am not doing
> this, so who or what is doing this? Or better yet, what does this mean?
> I have a fear that this one is serious. So what I need is some
> direction into finding out how this occurs and what I can do to stop it.
>
> thanks,
> Bob
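The kernel messages Bob quotes can be checked mechanically rather than read by eye. The script below is an added example and is not code from either poster: it parses the syslog lines from the thread, pairs each "promiscuous mode enabled" with the next "disabled" on the same interface so the length of each sniffing window is visible (the second window here runs just under three hours), flags a window that is still open at the end of the log, and collects the RST rate-limit notices separately. The year 2004 is assumed because syslog timestamps carry no year; the SAMPLE_LOG text is the thread's own lines.

```python
import re
from datetime import datetime

# Sample input: the kernel messages quoted in the thread. syslog omits the year,
# so 2004 (the year of the thread) is assumed when timestamps are parsed.
SAMPLE_LOG = """\
Dec 23 19:08:39 smtp kernel: Limiting closed port RST response from 221 to 200 packets/sec
Dec 23 19:08:40 smtp kernel: Limiting closed port RST response from 241 to 200 packets/sec
Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode enabled
Dec 24 05:32:49 smtp kernel: fxp0: promiscuous mode disabled
Dec 24 05:33:01 smtp kernel: fxp0: promiscuous mode enabled
Dec 24 08:18:44 smtp kernel: fxp0: promiscuous mode disabled
Dec 24 12:48:57 smtp kernel: Limiting closed port RST response from 201 to 200 packets/sec
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<msg>.*)$"
)
PROMISC_RE = re.compile(r"^(?P<iface>\w+): promiscuous mode (?P<state>enabled|disabled)$")
RST_RE = re.compile(
    r"^Limiting closed port RST response from (?P<seen>\d+) to (?P<cap>\d+) packets/sec$"
)


def parse_line(line, year=2004):
    """Split one syslog line into (timestamp, host, message); None if it is not a kernel line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog pads single-digit days with two spaces; collapse that before parsing.
    ts_text = " ".join(m.group("ts").split())
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host"), m.group("msg")


def promisc_windows(text, year=2004):
    """Pair each 'enabled' with the next 'disabled' on the same interface.

    Returns a list of dicts with iface/start/end/seconds. A window still open when
    the log ends is reported with end=None so it is not silently dropped.
    """
    open_since = {}
    windows = []
    for line in text.splitlines():
        parsed = parse_line(line, year)
        if not parsed:
            continue
        ts, _host, msg = parsed
        m = PROMISC_RE.match(msg)
        if not m:
            continue
        iface, state = m.group("iface"), m.group("state")
        if state == "enabled":
            # A repeated 'enabled' with no 'disabled' in between keeps the earliest start.
            open_since.setdefault(iface, ts)
        elif iface in open_since:
            start = open_since.pop(iface)
            windows.append({"iface": iface, "start": start, "end": ts,
                            "seconds": int((ts - start).total_seconds())})
    for iface, start in open_since.items():
        windows.append({"iface": iface, "start": start, "end": None, "seconds": None})
    return windows


def rst_limit_events(text, year=2004):
    """Collect the closed-port RST rate-limit notices as (ts, seen, cap) records."""
    events = []
    for line in text.splitlines():
        parsed = parse_line(line, year)
        if not parsed:
            continue
        ts, _host, msg = parsed
        m = RST_RE.match(msg)
        if m:
            events.append({"ts": ts, "seen": int(m.group("seen")), "cap": int(m.group("cap"))})
    return events


def report(text, year=2004):
    """Human-readable summary of both message classes."""
    lines = []
    for w in promisc_windows(text, year):
        if w["end"] is None:
            lines.append(f"{w['iface']}: promiscuous since {w['start']} and STILL OPEN")
        else:
            lines.append(f"{w['iface']}: promiscuous {w['start']} -> {w['end']} ({w['seconds']} s)")
    for e in rst_limit_events(text, year):
        lines.append(f"{e['ts']}: closed-port RST burst, {e['seen']} pkt/s capped to {e['cap']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

A window the script reports as still open can be cross-checked on the box itself: on FreeBSD, `ifconfig fxp0` lists PROMISC among the interface flags while a sniffer is attached, and `fstat | grep bpf` shows which processes currently hold a /dev/bpf device open, which is the usual way to answer Bob's "who or what is doing this".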