rkhunter & promisc. broadcast on NIC

Discuss Applications
Post Reply
User avatar
Basher52
guru
guru
Posts: 916
Joined: Wed Oct 22, 2003 5:57 am
Location: .SE

rkhunter & promisc. broadcast on NIC

Post by Basher52 » Thu Aug 04, 2011 3:00 am

I just saw this on my eth0 NIC:

Code: Select all

--------------------- Start Rootkit Hunter Update ---------------------
[ Rootkit Hunter version 1.3.8 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Possible promiscuous interfaces:
         'ifconfig' command output:
             eth0      Link encap:Ethernet  HWaddr 00:19:66:05:C8:ED  
                       UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
         'ip' command output:
             eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

----------------------- End Rootkit Hunter Scan -----------------------
What does this mean?
Do I got a rootkit on it?

User avatar
Void Main
Site Admin
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA
Contact:

Re: rkhunter & promisc. broadcast on NIC

Post by Void Main » Thu Aug 04, 2011 7:39 pm

I'm pretty sure it means you have rkhunter installed.

User avatar
Basher52
guru
guru
Posts: 916
Joined: Wed Oct 22, 2003 5:57 am
Location: .SE

Re: rkhunter & promisc. broadcast on NIC

Post by Basher52 » Fri Aug 05, 2011 1:42 am

hehe good answer, but it is that application that makes it promiscuous?
promiscuous for me sounds not good :(

User avatar
Void Main
Site Admin
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA
Contact:

Re: rkhunter & promisc. broadcast on NIC

Post by Void Main » Fri Aug 05, 2011 5:28 am

Are you running anything that would have the interface open in promiscuous mode? i.e. snort, tcpdump, wireshark, some network monitoring/statistics app?

User avatar
Basher52
guru
guru
Posts: 916
Joined: Wed Oct 22, 2003 5:57 am
Location: .SE

Re: rkhunter & promisc. broadcast on NIC

Post by Basher52 » Sun Aug 07, 2011 3:35 pm

Well now when you ask, I remembered that I used tcpdump for a while

X11
guru
guru
Posts: 676
Joined: Sun Jan 19, 2003 11:09 pm
Location: Australia
Contact:

Re: rkhunter & promisc. broadcast on NIC

Post by X11 » Tue Dec 13, 2011 9:48 pm

Promiscous mode just means your network card can 'listen in,' you are worried about nothing.

User avatar
Basher52
guru
guru
Posts: 916
Joined: Wed Oct 22, 2003 5:57 am
Location: .SE

Re: rkhunter & promisc. broadcast on NIC

Post by Basher52 » Wed Dec 14, 2011 12:26 pm

Well, I just wanna be sure that's no one was poking around :P

Post Reply