aMule Forum


Topic: I got someone sniffing my net through amule udp port.

luquino
« on: July 25, 2009, 05:11:02 AM »

Hi!
Today I was looking at dmesg for some reasons and I found this:

Code:
Jul 24 17:22:28 luca-desktop kernel: [34910.505086] device eth0 entered promiscuous mode
Jul 24 17:22:28 luca-desktop kernel: [34910.510325] device eth0 left promiscuous mode
Jul 24 17:22:28 luca-desktop kernel: [34910.525450] device lo entered promiscuous mode
Jul 24 17:22:28 luca-desktop kernel: [34910.528138] device lo left promiscuous mode
Jul 24 17:22:28 luca-desktop kernel: [34910.555142] device eth0 entered promiscuous mode
Jul 24 17:22:28 luca-desktop kernel: [34910.558138] device eth0 left promiscuous mode
Jul 24 17:22:28 luca-desktop kernel: [34910.564138] device lo entered promiscuous mode
Jul 24 17:22:28 luca-desktop kernel: [34910.567137] device lo left promiscuous mode
Jul 24 17:22:28 luca-desktop kernel: [34910.593144] device eth0 entered promiscuous mode
Jul 24 17:22:28 luca-desktop kernel: [34910.596160] device eth0 left promiscuous mode
Jul 24 17:22:28 luca-desktop kernel: [34910.602143] device lo entered promiscuous mode
Jul 24 17:22:28 luca-desktop kernel: [34910.605138] device lo left promiscuous mode
Jul 24 17:22:29 luca-desktop kernel: [34910.639526] device eth0 entered promiscuous mode
Jul 24 17:22:29 luca-desktop kernel: [34910.662358] device eth0 left promiscuous mode
Jul 24 17:22:29 luca-desktop kernel: [34910.677601] device lo entered promiscuous mode
Jul 24 17:22:29 luca-desktop kernel: [34910.680016] device lo left promiscuous mode
Jul 24 17:22:29 luca-desktop kernel: [34910.698028] device eth0 entered promiscuous mode
Jul 24 17:22:29 luca-desktop kernel: [34910.701019] device eth0 left promiscuous mode
Jul 24 17:22:29 luca-desktop kernel: [34910.707024] device lo entered promiscuous mode
Jul 24 17:22:29 luca-desktop kernel: [34910.723436] device lo left promiscuous mode
Jul 24 17:22:29 luca-desktop kernel: [34910.748030] device eth0 entered promiscuous mode
Jul 24 17:22:29 luca-desktop kernel: [34910.751020] device eth0 left promiscuous mode
Jul 24 17:22:29 luca-desktop kernel: [34910.757020] device lo entered promiscuous mode
Jul 24 17:22:29 luca-desktop kernel: [34910.760021] device lo left promiscuous mode
Jul 24 17:22:29 luca-desktop kernel: [34910.785026] device eth0 entered promiscuous mode
Jul 24 17:22:29 luca-desktop kernel: [34910.788020] device eth0 left promiscuous mode
Jul 24 17:22:29 luca-desktop kernel: [34910.794020] device lo entered promiscuous mode
Jul 24 17:22:29 luca-desktop kernel: [34910.797017] device lo left promiscuous mode
Jul 24 17:22:32 luca-desktop kernel: [34913.687027] device eth0 entered promiscuous mode
Jul 24 17:22:32 luca-desktop kernel: [34913.691024] device eth0 left promiscuous mode
Jul 24 17:22:32 luca-desktop kernel: [34913.697028] device lo entered promiscuous mode
Jul 24 17:22:32 luca-desktop kernel: [34913.700021] device lo left promiscuous mode

A quick investigation on Google tells me that probably someone was sniffing my data.
Actually chkrootkit said:

Quote
Checking `lkm'...                                           You have     1 process hidden for readdir command
You have     1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

So I switched off amule and rebooted the pc.
After reboot chkrootkit was clean, but I found this in dmesg:
Quote
[   37.777080] UDP: bad checksum. From 80.36.171.166:7265 to 192.168.1.30:42220 ulen 48
[   60.280898] UDP: bad checksum. From 84.121.185.222:42212 to 192.168.1.30:42220 ulen 48
[ 1065.304055] UDP: bad checksum. From 77.231.12.197:5588 to 192.168.1.30:42220 ulen 47
[ 1718.102674] UDP: bad checksum. From 99.241.159.166:16464 to 192.168.1.30:42220 ulen 59

42220 was my UDP port for aMule; now I have changed it.
Actually, for quite a long time I have been finding lines about "UDP: bad checksum..." in dmesg, so probably my internet connection has been under attack since then, and finally this "gentleman" has found a weakness in aMule to exploit.

Is there something I can do against it?

edit: sorry, I forgot to specify. I'm using aMule 2.2.5, compiled from source, on Ubuntu 9.04 AMD64.
« Last Edit: July 25, 2009, 07:46:59 PM by luquino »
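The two dmesg patterns in this post are worth triaging mechanically before drawing conclusions. What separates a packet capture from harmless noise is how long the interface stays promiscuous: a sniffer holds the flag for the whole capture, while the lines above show eth0 and lo toggling in lockstep for about 3 ms each, which is what a tool briefly opening and closing a packet socket on every interface produces, not a capture. For the "UDP: bad checksum" lines, the thing to count is how many distinct sources hit the same port. The script below is an added example for this thread, not aMule code and not something the poster ran; the sample input embeds a subset of the lines quoted above plus one constructed "entered" line with no matching "left" to show the persistent case.

```python
"""Triage of the two dmesg patterns in the post: promiscuous-mode flaps and
'UDP: bad checksum' lines.  Added example, not from aMule or the thread."""
import re
from collections import defaultdict

PROMISC_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\] device (?P<dev>\S+) (?P<ev>entered|left) promiscuous mode")
BADUDP_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\] UDP: bad checksum\. From (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+) ulen (?P<ulen>\d+)")

# Sample input: the first eight promiscuous-mode lines and the four UDP lines
# quoted in the post, plus one constructed final line with no matching 'left'.
SAMPLE_DMESG = """\
Jul 24 17:22:28 luca-desktop kernel: [34910.505086] device eth0 entered promiscuous mode
Jul 24 17:22:28 luca-desktop kernel: [34910.510325] device eth0 left promiscuous mode
Jul 24 17:22:28 luca-desktop kernel: [34910.525450] device lo entered promiscuous mode
Jul 24 17:22:28 luca-desktop kernel: [34910.528138] device lo left promiscuous mode
Jul 24 17:22:28 luca-desktop kernel: [34910.555142] device eth0 entered promiscuous mode
Jul 24 17:22:28 luca-desktop kernel: [34910.558138] device eth0 left promiscuous mode
Jul 24 17:22:28 luca-desktop kernel: [34910.564138] device lo entered promiscuous mode
Jul 24 17:22:28 luca-desktop kernel: [34910.567137] device lo left promiscuous mode
[   37.777080] UDP: bad checksum. From 80.36.171.166:7265 to 192.168.1.30:42220 ulen 48
[   60.280898] UDP: bad checksum. From 84.121.185.222:42212 to 192.168.1.30:42220 ulen 48
[ 1065.304055] UDP: bad checksum. From 77.231.12.197:5588 to 192.168.1.30:42220 ulen 47
[ 1718.102674] UDP: bad checksum. From 99.241.159.166:16464 to 192.168.1.30:42220 ulen 59
[ 9000.000000] device eth0 entered promiscuous mode
""".splitlines()


def promisc_intervals(lines):
    """Pair each 'entered' with the next 'left' for the same device.
    Returns (dev, start, end) tuples; end is None if never left."""
    open_at, intervals = {}, []
    for line in lines:
        m = PROMISC_RE.search(line)
        if not m:
            continue
        ts, dev, ev = float(m["ts"]), m["dev"], m["ev"]
        if ev == "entered":
            open_at[dev] = ts
        elif dev in open_at:
            intervals.append((dev, open_at.pop(dev), ts))
    intervals.extend((dev, ts, None) for dev, ts in open_at.items())
    return intervals


def classify_promisc(intervals, flap_seconds=0.1):
    """Label each interval: flap (probe), sustained (capture window), persistent."""
    verdicts = []
    for dev, start, end in intervals:
        if end is None:
            verdicts.append((dev, start, "persistent: still promiscuous, find the holder"))
        elif end - start <= flap_seconds:
            verdicts.append((dev, start, "flap: %.0f ms, too short for a capture" % ((end - start) * 1000)))
        else:
            verdicts.append((dev, start, "sustained: %.1f s capture window" % (end - start)))
    return verdicts


def bad_udp_summary(lines):
    """{dst_port: sorted distinct source addresses} for bad-checksum datagrams."""
    by_port = defaultdict(set)
    for line in lines:
        m = BADUDP_RE.search(line)
        if m:
            by_port[int(m["dport"])].add(m["src"])
    return {port: sorted(srcs) for port, srcs in by_port.items()}


if __name__ == "__main__":
    for dev, start, verdict in classify_promisc(promisc_intervals(SAMPLE_DMESG)):
        print(f"{start:12.6f} {dev:5} {verdict}")
    for port, srcs in bad_udp_summary(SAMPLE_DMESG).items():
        print(f"udp/{port}: {len(srcs)} distinct sources: {', '.join(srcs)}")
```

Run it against a real log with `dmesg | python3 triage.py`-style piping by replacing `SAMPLE_DMESG` with `sys.stdin`. The threshold of 100 ms is an assumption: a capture that matters lasts seconds or longer, and the only interval that deserves a manual look is the persistent one.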

lfroen (Guest)
« Reply #1 on: July 25, 2009, 01:43:15 PM »

Unless you're running aMule as root, I can't see how someone exploited it to install an LKM rootkit.

luquino
« Reply #2 on: July 25, 2009, 07:45:16 PM »

No, I never use aMule as root.

I use a script that activates iptables as a firewall, which closes all the doors unless a program needs a specified port opened. I tested it enough with a couple of internet sites that offer free port scanning and it seems to work fine. Actually I'm not an expert in security and rootkits, but from reading manuals and guides I understand that this should be enough.

I don't know if someone has installed something on my PC and I wish to know how to discover it, but with aMule switched off the attacker couldn't sniff any more, so I suppose that he didn't install anything; he was just doing something through port 42220, protocol UDP, which was opened for aMule.
Am I wrong?

^marcell^ (Developer)
« Reply #3 on: July 25, 2009, 10:39:30 PM »

Promiscuous mode is used to let you sniff data regardless of the destination host. Why would a hacker enable this? Can you post the result of your "quick google investigation"?

"UDP: bad checksum" indicates corrupt packets. Again: why would a hacker send you corrupt packets? Also, there are different source addresses in those messages.

Observe your system and logs a little bit and tell us what happened. I am curious.

Kry (Ex-developer, retired admin)
« Reply #4 on: July 25, 2009, 11:18:42 PM »

Are you sure your dhcp daemon wasn't crashing?

Stu Redman (Administrator)
« Reply #5 on: July 26, 2009, 12:16:58 AM »

Quote from: ^marcell^
Promiscuous mode is used to let you sniff data regardless of the destination host.

Also for virtual machines if they want to have their own MAC/IP.

luquino
« Reply #6 on: July 26, 2009, 02:39:58 AM »

Well, I changed the ports aMule needs to work. Switching the router off and on, I changed the IP as well.
I found no more warnings in chkrootkit, and dmesg is clean.
In the last 24 hours I read something about that issue on the web. It appears to be a well-known issue of chkrootkit to give false positives for LKM trojan infection.

@StuRedman
Yes I have a Virtual machine running as well.

@Kry
In the logs (messages / kernel / daemons) there are no lines regarding problems with dhcp; furthermore, I never use dhcp because I don't like it.

@marcell
I just put "device eth0 entered promiscuous mode" into Google and the first three results are these:
http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2003-09/0582.html
http://lists.olug.org/pipermail/olug/2000-April/001010.html
http://www.mombu.com/gnu_linux/mandriva/t-devide-eth0-entered-promiscuous-mode-what-does-this-mean-1488785.html

Putting aside chkrootkit and its false positive, all the people in the above discussions say that it is not very nice that eth0 enters promiscuous mode in that way. That has made me nervous.

Anyway, I want to make very clear to all of you that I was not blaming aMule; I have used it for 3 years and I am totally happy with it. I just panicked because it is the first time that something like this has happened to me, and I was asking your opinion.

If you say that I can do something just in case, please tell me.
If you want to log my PC for a while, no problem.
If you say that I can put my mind at rest, I'll do so.

Thank you.

lfroen (Guest)
« Reply #7 on: July 26, 2009, 11:00:20 PM »

Most likely you're running a virtual machine with the network in bridged mode. Which means, as Stu says, the VM needs to send/receive packets with a MAC different from the one on the physical network card.
Hence, promiscuous mode.
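The check a practitioner would run before accepting the bridged-VM explanation is to see who actually holds the interface promiscuous. On Linux the IFF_PROMISC bit (0x100) is visible in /sys/class/net/<dev>/flags, every AF_PACKET socket is listed in /proc/net/packet with its inode, and the inode maps back to a process through /proc/<pid>/fd. The script below is an added example for this thread, not aMule code; the /proc/net/packet text and the fd listing it runs on are constructed samples, and `live()` does the same walk against the real host (root is needed to read other users' file descriptors).

```python
"""Find which process holds an interface in promiscuous mode on Linux.
Added example; not aMule code and not from the thread."""
import os
import re
from collections import defaultdict

IFF_PROMISC = 0x100  # flag bit from <linux/if.h>, shown in /sys/class/net/<dev>/flags


def is_promisc(flags_text):
    """flags_text is the content of /sys/class/net/<dev>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def parse_packet_sockets(text):
    """Parse /proc/net/packet. Returns {inode: (ifindex, uid)} for every
    AF_PACKET socket; ifindex 0 means the socket is bound to all interfaces."""
    sockets = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets[int(fields[8])] = (int(fields[4]), int(fields[7]))
    return sockets


def holders(sockets, fd_links):
    """fd_links maps pid -> readlink() targets of /proc/<pid>/fd/*.
    Returns {pid: [packet-socket inodes that process owns]}."""
    found = defaultdict(list)
    for pid, links in fd_links.items():
        for target in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and int(m.group(1)) in sockets:
                found[pid].append(int(m.group(1)))
    return dict(found)


def diagnose(flags_text, packet_text, fd_links):
    return {"promisc": is_promisc(flags_text),
            "holders": holders(parse_packet_sockets(packet_text), fd_links)}


def live(dev="eth0"):
    """Same check against the running host (root needed to see other users' fds)."""
    with open(f"/sys/class/net/{dev}/flags") as f:
        flags = f.read()
    with open("/proc/net/packet") as f:
        packet = f.read()
    fd_links = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fd_links[pid] = [os.readlink(f"/proc/{pid}/fd/{fd}")
                             for fd in os.listdir(f"/proc/{pid}/fd")]
        except OSError:          # process exited or its fds are not readable
            continue
    return diagnose(flags, packet, fd_links)


# Constructed sample data (not from the thread): a raw packet socket on ifindex 2
# owned by root (pid 4242) and a DGRAM packet socket on all interfaces owned by uid 1000.
SAMPLE_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff88003c6e5000 3      3    0003   2     1 0      0      17442
ffff88003c6e5800 3      2    0800   0     1 0      1000   17500
"""
SAMPLE_FDS = {
    "1":    ["/dev/null", "socket:[12]"],
    "4242": ["/dev/null", "socket:[17442]", "/tmp/capture.pcap"],
    "5100": ["socket:[17500]"],
}

if __name__ == "__main__":
    print(diagnose("0x1103", SAMPLE_PACKET, SAMPLE_FDS))
```

Two caveats. A packet socket by itself does not make the interface promiscuous (the owner has to ask for it), so a listed holder is a candidate, not proof. And a kernel-side holder, such as a Linux bridge port or a hypervisor's bridged-networking filter, shows no socket at all; on a current iproute2, `ip -d link show eth0` printing `promiscuity 1` with nothing in the holder list points at that kernel side rather than at a user-space sniffer. The flaps in the original post last milliseconds, so this check only catches the persistent case.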

luquino
« Reply #8 on: July 27, 2009, 05:02:09 PM »

OK, thank you for your help.
I appreciate it a lot. :)

luquino
« Reply #9 on: July 28, 2009, 03:41:29 PM »

Hmm, what could this be?

Quote
[56174.664995] possible SYN flooding on port 12820. Sending cookies.
[56277.075430] possible SYN flooding on port 12820. Sending cookies.
[56479.369499] possible SYN flooding on port 12820. Sending cookies.
[56986.284226] possible SYN flooding on port 12820. Sending cookies.

12820 is the new TCP port for aMule.
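The kernel prints "possible SYN flooding on port N. Sending cookies." when the SYN queue of the listener on that port fills up and net.ipv4.tcp_syncookies is enabled; a node that many peers connect to at once, which is exactly what an eD2k/Kad client is, can fill a small backlog without anyone attacking it. What "sending cookies" means is that the server stops keeping state for half-open connections and instead encodes a keyed hash of the connection into its initial sequence number, then verifies that hash when the final ACK arrives. The block below is an added example that shows that mechanism end to end; it is not the Linux implementation (the counter width, hash, MSS table and bit layout are constructed for illustration, and the secret is a constant where the kernel uses random per-boot keys) and not anything from aMule.

```python
"""Simplified SYN cookie encode/verify: what the kernel falls back to when it
logs 'possible SYN flooding on port N. Sending cookies.'  Added example; the
layout, hash, counter width and MSS table are constructed for illustration and
differ from the Linux implementation."""
import hashlib
import hmac
import struct

SECRET = b"constructed-secret-rotated-at-boot"  # constructed; Linux uses random per-boot keys
MSS_TABLE = (536, 1300, 1440, 1460)             # ascending; 2-bit index, simplified
COUNT_BITS, HASH_BITS, MSS_BITS = 8, 22, 2      # 8 + 22 + 2 = one 32-bit sequence number
MAX_AGE = 1                                     # cookies older than this many ticks are rejected
MASK32 = 0xFFFFFFFF


def _tag(saddr, daddr, sport, dport, client_isn, count):
    """Keyed hash over the 4-tuple, the client's ISN and the time counter."""
    msg = struct.pack("!4s4sHHII", saddr, daddr, sport, dport, client_isn, count)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << HASH_BITS) - 1)


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, count):
    """Server ISN for the SYN-ACK.  Nothing is stored for the half-open connection;
    the peer's MSS survives only as a table index inside the cookie."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i                              # largest table entry not above the peer's MSS
    count &= (1 << COUNT_BITS) - 1
    tag = _tag(saddr, daddr, sport, dport, client_isn, count)
    return (count << (HASH_BITS + MSS_BITS)) | (tag << MSS_BITS) | idx


def check_cookie(saddr, daddr, sport, dport, seq, ack, now_count):
    """Called on the final ACK (seq = client_isn + 1, ack = server_isn + 1).
    Returns the MSS to use, or None if the cookie is stale or forged."""
    cookie = (ack - 1) & MASK32
    client_isn = (seq - 1) & MASK32
    count = cookie >> (HASH_BITS + MSS_BITS)
    if (now_count - count) & ((1 << COUNT_BITS) - 1) > MAX_AGE:
        return None                              # stale: an old cookie cannot be replayed
    expected = _tag(saddr, daddr, sport, dport, client_isn, count)
    got = (cookie >> MSS_BITS) & ((1 << HASH_BITS) - 1)
    if not hmac.compare_digest(got.to_bytes(4, "big"), expected.to_bytes(4, "big")):
        return None                              # forged or for a different 4-tuple
    return MSS_TABLE[cookie & ((1 << MSS_BITS) - 1)]


if __name__ == "__main__":
    peer, me = bytes([80, 36, 171, 166]), bytes([192, 168, 1, 30])  # addresses from the post
    isn = make_cookie(peer, me, 7265, 12820, 0x1000, 1460, count=7)
    print(hex(isn), check_cookie(peer, me, 7265, 12820, 0x1001, isn + 1, now_count=7))
```

The price of statelessness is visible in the code: the SYN's options are lost except for the MSS index, the 22-bit tag is all that stops a blind ACK from opening a connection, and a cookie is only honoured for a short window. On the host in question, `sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog` shows whether and when this kicks in, and `ss -ltn` shows the listener's backlog usage while the messages are being logged.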

^marcell^ (Developer)
« Reply #10 on: July 29, 2009, 12:39:12 PM »

Sounds very odd.

I would suggest you install Wireshark and sniff on the affected network connection to get details about what's happening.

luquino
« Reply #11 on: July 29, 2009, 02:23:59 PM »

I have been checking the connection with EtherApe for a couple of days, but I'm not experienced in these things. Can you give me some details about what I have to look for when sniffing my connection?