From: Brett Glass
To: Bob Ababurko, freebsd-security@freebsd.org
Date: Sat, 25 Dec 2004 10:52:52 -0700
Subject: Re: odd log mesage...looks serious

The most common situation in which you'll see such messages is when a program (often tcpdump) is sniffing packets on an interface via bpf. (tcpdump normally shifts the interface into promiscuous mode so it can see every packet an interface receives, even if it's not bound for that machine.) If you were not running tcpdump or something similar, it's possible that a sniffer has been planted on your machine.

--Brett Glass

At 10:39 AM 12/25/2004, Bob Ababurko wrote:
>hello all-
>
>and a happy holiday to all you geeks that are in front of the crt!
>
>I found these log messages in my logs and I am not sure what some of them signify.
>
>Dec 23 19:08:39 smtp kernel: Limiting closed port RST response from 221 to 200 packets/sec
>Dec 23 19:08:40 smtp kernel: Limiting closed port RST response from 241 to 200 packets/sec
>Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode enabled
>Dec 24 05:32:49 smtp kernel: fxp0: promiscuous mode disabled
>Dec 24 05:33:01 smtp kernel: fxp0: promiscuous mode enabled
>Dec 24 08:18:44 smtp kernel: fxp0: promiscuous mode disabled
>Dec 24 12:48:57 smtp kernel: Limiting closed port RST response from 201 to 200 packets/sec
>
>I understand the "Limiting closed port RST response". ....but what are the promiscuous mode enabled and disabled on my NIC? I am not doing this, so who or what is doing this? Or better yet, what does this mean? I have a fear that this one is serious. So what I need is some direction into finding out how this occurs and what I can do to stop it.
>
>thanks,
>Bob