From: Stefano Busti
To: freebsd-security@freebsd.org
Date: Thu, 12 Feb 2004 18:49:49 +0000 (GMT)
Subject: Dubious ifconfig / tcpdump behaviour
Message-ID: <20040212184949.78816.qmail@web25102.mail.ukl.yahoo.com>

Hi,

I have a FreeBSD 4.8 box connected to the net which until recently hasn't had any problems. Today DNS lookups mysteriously stopped working (the box has tinydns & dnscache installed to handle DNS requests). I noticed some strange things while checking the problem with tcpdump.

Tcpdump appears not to show any traffic whatsoever on either my external interface or my internal LAN interface, despite the fact that I was successfully pinging hosts over both interfaces from a different console while watching the traffic. I do get notified about promiscuous mode being enabled and disabled as normal, and a message at the end saying that packets were successfully received by the kernel. I just don't see the actual packets.
Tcpdump had always worked fine before, and still works normally on the loopback interface. Also, I seem to be unable to disable either of the affected interfaces with ifconfig, whereas in the past I never had a problem doing this. Requests to bring either interface down are silently ignored.

Does anyone have an idea what the cause could be? Have I overlooked some obvious configuration issue, or might tcpdump, ifconfig or any system routines they call have been compromised? Sadly, I hadn't installed an intrusion detector such as tripwire previously, and the system logs don't _appear_ to show evidence of any compromise.
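A tripwire-style check of the kind the poster says was not in place, as an added example (not part of the original mail or of any reply to it): it records the SHA-256 digest of each listed file in a baseline and later reports every file that has changed or gone missing. The "ifconfig" and "tcpdump" files in the demo are constructed stand-ins in a temporary directory, not the real binaries, and the hash tool is picked from whatever the host has (sha256sum, FreeBSD's sha256(1), shasum, or openssl). The caveat the question itself raises applies: a baseline taken from the suspect machine after the fact proves nothing, and a kernel-level rootkit can hand the hash tool the original file contents, so the baseline has to come from install media or a known-good host and the comparison is best run after booting from trusted media.

```shell
#!/bin/sh
# Added example: minimal baseline-and-verify integrity check (tripwire-like).
# Not code from the original mail. File paths below are constructed for the demo.

# hash_file FILE: print the hex SHA-256 digest using whichever tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then        # GNU coreutils
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then         # FreeBSD sha256(1)
        sha256 -q "$1"
    elif command -v shasum >/dev/null 2>&1; then         # Perl shasum
        shasum -a 256 "$1" | cut -d' ' -f1
    else                                                 # fallback: OpenSSL
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# make_baseline BASELINE FILE...: write one "digest path" line per file.
make_baseline() {
    baseline=$1
    shift
    : > "$baseline"
    for f in "$@"; do
        printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$baseline"
    done
}

# verify_baseline BASELINE: recompute every digest recorded in BASELINE.
# Prints a CHANGED or MISSING line per problem; returns 0 only if all match.
verify_baseline() {
    rc=0
    while read -r digest path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            rc=1
        elif [ "$(hash_file "$path")" != "$digest" ]; then
            echo "CHANGED $path"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Demo on constructed files standing in for /sbin/ifconfig and /usr/sbin/tcpdump.
demo() {
    tmp=$(mktemp -d)
    printf 'pretend ifconfig binary\n' > "$tmp/ifconfig"
    printf 'pretend tcpdump binary\n'  > "$tmp/tcpdump"

    make_baseline "$tmp/baseline" "$tmp/ifconfig" "$tmp/tcpdump"
    echo "baseline written:"
    cat "$tmp/baseline"

    verify_baseline "$tmp/baseline" && echo "clean: all files match the baseline"

    # Simulate a trojaned tcpdump and re-check against the old baseline.
    printf 'trojaned tcpdump binary\n' > "$tmp/tcpdump"
    verify_baseline "$tmp/baseline" || echo "tampering detected"

    rm -rf "$tmp"
}

demo
```

In real use the baseline file and the hash tool itself must live somewhere the suspect system cannot rewrite (read-only media, or another host), otherwise an attacker who replaced ifconfig can just as easily replace the baseline.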