From owner-freebsd-security Tue Dec 7 22: 5:43 1999
Delivered-To: freebsd-security@freebsd.org
Received: from thunk.crazylogic.net (thunk.crazylogic.net [199.45.111.154])
	by hub.freebsd.org (Postfix) with ESMTP id 8255F14C48
	for ; Tue, 7 Dec 1999 22:05:40 -0800 (PST)
	(envelope-from matt@crazylogic.net)
Received: from localhost (matt@localhost)
	by thunk.crazylogic.net (8.9.3/8.9.3) with ESMTP id AAA68959
	for ; Wed, 8 Dec 1999 00:58:23 -0500 (EST)
	(envelope-from matt@crazylogic.net)
Date: Wed, 8 Dec 1999 00:58:23 -0500 (EST)
From: Matt Gostick
To: freebsd-security@freebsd.org
Subject: ethernet promiscuous mode.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I looked in logs tonight and found this weird entry tonight:

Dec 7 23:36:37 thunk /kernel: vr0: promiscuous mode enabled

At the time two other users were ssh'd in but were idle for quite some
time. It is my understanding that promiscuous mode is used for sniffers
so they can capture all packets... Is there any other reason why my
ethernet card would go into promiscuous mode without root (me) telling
it to? Or is it more probable that someone hacked root and is sniffing
other machines on the network from my box?

30 minutes later when I did ifconfig -a the vr0 device was not in
PROMISC mode...

Thanks for any input,
Matt.