Our general webhosting server (LAMP with Parallels Plesk) started to turn PROMISCUOUS mode ON on eth0 "by itself".
I noticed the change in configuration on 2013-11-08 when rkhunter warned us about "Possible promiscuous interfaces", which hadn't happened before. After a bit of googling I didn't find any real use case for promiscuous mode on our server, so I disabled it using # ifconfig eth0 -promisc, only to find out a day later that the flag had been re-set.
Here's what the kernel log says:

    Nov 8 14:51:31 hallinta kernel: [3301285.098047] klogd1 uses obsolete (PF_INET,SOCK_PACKET)
    Nov 8 14:51:31 hallinta kernel: [3301285.099528] device eth0 entered promiscuous mode
    Nov 11 08:34:18 hallinta kernel: [3537242.374911] device eth0 left promiscuous mode
    Nov 12 07:46:30 hallinta kernel: [3620559.485388] device eth0 entered promiscuous mode
    Nov 13 08:47:36 hallinta kernel: [3710393.877512] device eth0 left promiscuous mode
    Nov 14 07:53:49 hallinta kernel: [3793353.202243] device eth0 entered promiscuous mode
    Nov 14 09:16:03 hallinta kernel: [3798274.154435] device eth0 left promiscuous mode
I included the klogd1 message because of its immediate timestamp. From the auth logs I didn't see any suspicious activity around the first "entered promiscuous mode" message.
As the timestamps of the two "entered promiscuous mode" events are roughly similar, I checked if I had any cron jobs running around that time. Most of the daily jobs (I searched with this tool) are run at 06:25 at the latest, and the next job is run at 08:00. None of those 06:25 jobs contained the words ifconfig or promisc.
What could set promiscuous mode ON on eth0 interfaces, and should I be worried? (I am, but should I be?) Is there any legit reason promiscuous mode should be set on?
Best Answer
If vnstat is the process putting the interface in promiscuous mode, check its logfiles and see if this is logged (depends on logging verbosity of course). If there is no reason to monitor traffic, just disable it and see how it goes.

I suspect that promiscuous mode must be on while rkhunter is running, in order for rkhunter to detect it.

What is very, very weird is this: AFAIK there is no such thing as klogd1 (there is a klogd of course), and there shouldn't be one. Take the time to check if there is a binary under that name and if there is a klogd1 process (if yes, find what it is doing). If vnstat is not doing that, then there is a high chance that your machine might have been compromised.
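As an added example, not part of the question or the answer above, here is a small POSIX sh script that does the checks the answer recommends: it reads the PROMISC flag straight from the kernel, lists which processes hold AF_PACKET (sniffing) sockets, and looks for a running process or a binary named klogd1. It assumes a Linux host with /proc and /sys mounted; the interface name defaults to eth0.

```shell
#!/bin/sh
# Added example (not from the original post): find out what put an interface into
# promiscuous mode, using only /sys and /proc. Assumes Linux; the interface defaults to eth0.
IFF_PROMISC=256   # 0x100, the PROMISC bit in /sys/class/net/<iface>/flags

# Return 0 if a flags word (hex, as printed by /sys/class/net/<iface>/flags) has PROMISC set.
flags_have_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# 0 = promiscuous, 1 = not, 2 = no such interface; read from the kernel, not from ifconfig output.
iface_is_promisc() {
    f="/sys/class/net/$1/flags"
    [ -r "$f" ] || return 2
    flags_have_promisc "$(cat "$f")"
}

# Print "<pid> <cmdline>" for every process holding an AF_PACKET socket: opening one
# (tcpdump, vnstat, arpwatch, ...) is the usual reason an interface enters PROMISC.
packet_socket_owners() {
    [ -r /proc/net/packet ] || return 0
    inodes=$(awk 'NR > 1 { print $9 }' /proc/net/packet)   # column 9 = socket inode
    [ -n "$inodes" ] || return 0
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        for inode in $inodes; do
            [ "$target" = "socket:[$inode]" ] || continue
            pid=${fd#/proc/}; pid=${pid%%/*}
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        done
    done | sort -u
}

# The answer's other lead: is there really a running process, or a binary in PATH, named $1?
find_named_process() {
    for comm in /proc/[0-9]*/comm; do
        [ "$(cat "$comm" 2>/dev/null)" = "$1" ] || continue
        pid=${comm#/proc/}; pid=${pid%%/*}
        printf 'pid %s exe %s\n' "$pid" "$(readlink "/proc/$pid/exe" 2>/dev/null)"
    done
    command -v "$1" 2>/dev/null || :
}
main() {
    iface=${1:-eth0}
    if iface_is_promisc "$iface"; then echo "$iface: PROMISC is set"
    else echo "$iface: PROMISC not set (or no such interface)"; fi
    echo "processes holding AF_PACKET sockets:"; packet_socket_owners
    found=$(find_named_process klogd1); echo "klogd1: ${found:-none found}"
}
main "$@"
```

Run it as root so the /proc/<pid>/fd links of other users' processes are readable; a process listed by the second check that you cannot account for is what to investigate next.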