Oliver Leitner wrote:
Teo Fonrouge wrote:
| Oliver Leitner wrote:
|
|> Teo Fonrouge wrote:
|>
|> | Hello,
|> |
|> | Using a FC4 box.
|> |
|> | Checking in my /var/log/messages file I noticed that the kernel has
|> | been setting my eth0 interface in promiscuous mode regularly:
|> |
|> | Aug 21 14:30:38 sx1 kernel: eth0: Setting promiscuous mode.
|> | Aug 21 14:30:38 sx1 kernel: device eth0 entered promiscuous mode
|> | Aug 21 14:30:38 sx1 kernel: bridge-eth0: enabled promiscuous mode
|> | Aug 21 14:31:36 sx1 kernel: device eth0 left promiscuous mode
|> | Aug 21 14:31:36 sx1 kernel: bridge-eth0: disabled promiscuous mode
|> | Aug 21 14:31:36 sx1 kernel: eth0: Setting promiscuous mode.
|> | Aug 21 14:31:36 sx1 kernel: device eth0 entered promiscuous mode
|> | Aug 21 14:31:36 sx1 kernel: bridge-eth0: enabled promiscuous mode
|> |
|> | I believe that I haven't run any program that causes this.
|> |
|> | Is it a normal kernel operation?
|> |
|> | How can I know what is causing this?
|> |
|> | best regards
|> |
|> | Teo Fonrouge
|>
|> do any of these programs ring a bell?:
|>
|> iptraf tcpdump ethereal
|
| None of these programs was running at that time.
|
|> or any other monitoring program?
|
| Nope. :(
|
|> greetings oliver
|
| Thank you Oliver
|
| best regards
|
| Teo Fonrouge

then try to look through user history, at your command prompt type history, best with a less or a more combined, and look what has been started the past few days...

if none of it shows up well, get rkhunter, and check for any running backdoors....

Ran rkhunter, all seems to be OK except for this message:

[...]
* Filesystem checks
   Checking /dev for suspicious files...    [ OK ]
   Scanning for hidden files...             [ Warning! ]
---------------
 /dev/.udevdb /usr/share/man/man1/..1.gz /etc/.pwd.lock
---------------
Please inspect:  /dev/.udevdb (directory)
[...]

Really don't know what it means.

I'll try shutting down some services in this box & see the results.

Thank you for your help Oliver

best regards

Teo Fonrouge
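
Added example, not part of any poster's message: a small Python script that pairs the "entered"/"left" kernel messages quoted in the first post into per-interface intervals and lists the other kernel messages logged in the same second, which is where a hint about the responsible driver or program usually appears. The function names are hypothetical, and the sample input is the log excerpt from the thread.

```python
import re
from collections import defaultdict

# Sample input: the kernel lines quoted in the first message of this thread.
SAMPLE = """\
Aug 21 14:30:38 sx1 kernel: eth0: Setting promiscuous mode.
Aug 21 14:30:38 sx1 kernel: device eth0 entered promiscuous mode
Aug 21 14:30:38 sx1 kernel: bridge-eth0: enabled promiscuous mode
Aug 21 14:31:36 sx1 kernel: device eth0 left promiscuous mode
Aug 21 14:31:36 sx1 kernel: bridge-eth0: disabled promiscuous mode
Aug 21 14:31:36 sx1 kernel: eth0: Setting promiscuous mode.
Aug 21 14:31:36 sx1 kernel: device eth0 entered promiscuous mode
Aug 21 14:31:36 sx1 kernel: bridge-eth0: enabled promiscuous mode
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (.*)$")
EVENT = re.compile(r"^device (\S+) (entered|left) promiscuous mode$")

def promisc_timeline(text):
    """Return {device: [(entered_ts, left_ts or None), ...]} from syslog text."""
    spans = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        ev = m and EVENT.match(m.group(2).strip())
        if not ev:
            continue
        ts, (dev, verb) = m.group(1), ev.groups()
        if verb == "entered":
            spans[dev].append([ts, None])
        elif spans[dev] and spans[dev][-1][1] is None:
            spans[dev][-1][1] = ts            # close the open interval
        else:
            spans[dev].append([None, ts])     # "left" with no "entered" in this log
    return {d: [tuple(s) for s in v] for d, v in spans.items()}

def still_promiscuous(timeline):
    """Devices whose last interval was never closed by a "left" message."""
    return sorted(d for d, s in timeline.items() if s and s[-1][1] is None)

def same_second(text, ts):
    """Other kernel messages logged in the same second as ts."""
    hits = (LINE.match(l) for l in text.splitlines())
    return [m.group(2) for m in hits
            if m and m.group(1) == ts and not EVENT.match(m.group(2))]

if __name__ == "__main__":
    tl = promisc_timeline(SAMPLE)
    for dev, spans in tl.items():
        for start, end in spans:
            print(f"{dev}: {start} -> {end or 'still on'}", same_second(SAMPLE, start))
    print("still promiscuous:", still_promiscuous(tl))
```

To run it against a real log, pass the contents of /var/log/messages to `promisc_timeline` instead of `SAMPLE`.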