Happy new year, everyone. I just got back to Davis and noticed the
harddrive running continuously on the router. It's so busy I can
barely log in.
Checking the log, I see:
Jan 2 18:03:08 sorrento : Security warning : eth0 is in promiscuous mode.
Jan 2 18:03:09 sorrento : A sniffer is probably running on your system.
Jan 2 18:03:12 sorrento : Security warning : eth1 is in promiscuous mode.
Jan 2 18:03:14 sorrento : A sniffer is probably running on your system.
I did run nmap last quarter on the system so maybe that's what caused it.
I also see (notice the time interval):
...
Jan 1 07:13:05 sorrento syslogd 1.3-3: restart.
Jan 1 07:17:08 sorrento syslogd 1.3-3: restart.
Jan 1 07:21:04 sorrento syslogd 1.3-3: restart.
Jan 1 07:26:54 sorrento syslogd 1.3-3: restart.
Jan 1 07:31:52 sorrento syslogd 1.3-3: restart.
Jan 1 07:36:36 sorrento syslogd 1.3-3: restart.
Jan 1 07:40:44 sorrento syslogd 1.3-3: restart.
Jan 1 07:43:59 sorrento syslogd 1.3-3: restart.
...
(The same happens on December 31th and 24th). Also portsentry
attempted to block out the following servers (which it couldn't because of
the way I setup my tcp wrapper):
ALL: 63.197.184.28
ALL: 211.39.97.178
ALL: 211.44.132.16
ALL: 216.250.78.210
ALL: 61.139.83.154
ALL: 211.47.221.2
ALL: 211.44.188.66
Here's my `ps aefxwww` output (trimmed to 80 columns):
PID TTY STAT TIME COMMAND
1 ? S 0:10 init [3] HOME=/ TERM=linux BOOT_IMAGE=linux-fb
2 ? SW 0:54 [kflushd]
3 ? SW 0:29 [kupdate]
4 ? SW 0:00 [kpiod]
5 ? SW 60:53 [kswapd]
6 ? SW< 0:00 [mdrecoveryd]
336 ? S 21:28 syslogd -m 0 PWD=/ HOSTNAME=sorrento.localnet.enet CO
357 ? S 0:10 crond PWD=/ HOSTNAME=sorrento.localnet.enet CONSOLE=/
4479 ? SW 0:00 \_ [crond]
4481 ? SW 0:00 | \_ [run-parts]
4499 ? SW 0:00 | | \_ [logrotate]
4500 ? D 733:51 | | \_ /usr/sbin/logrotate /etc/logrotate.co
4501 ? SW 0:00 | \_ [sendmail]
22404 ? SW 0:00 \_ [crond]
22407 ? SW 0:00 | \_ [security.sh]
22424 ? DN 21:55 | \_ /usr/bin/msec_find / /home /usr/local PWD
22447 ? SW 0:00 \_ [crond]
22449 ? SW 0:00 | \_ [run-parts]
22467 ? SW 0:00 | | \_ [logrotate]
22468 ? D 92:44 | | \_ /usr/sbin/logrotate /etc/logrotate.co
22469 ? SW 0:00 | \_ [sendmail]
9610 ? SW 0:00 \_ [crond]
9613 ? SW 0:00 | \_ [security.sh]
9630 ? DN 21:48 | \_ /usr/bin/msec_find / /home /usr/local PWD
9652 ? S 0:00 \_ CROND PWD=/ HOSTNAME=sorrento.localnet.enet CONSO
9654 ? S 0:00 | \_ bash /usr/bin/run-parts /etc/cron.daily PWD=/
31797 ? S 0:00 | | \_ sh /etc/cron.daily/slocate.cron PWD=/ HOS
31798 ? R 2:37 | | \_ /usr/bin/slocate -u -f NFS,SMBFS,NCPF
9674 ? SW 0:00 | \_ [sendmail]
24294 ? SW 0:00 \_ [crond]
24296 ? SW 0:00 \_ [run-parts]
24314 ? SW 0:00 | \_ [logrotate]
24315 ? D 31:19 | \_ /usr/sbin/logrotate /etc/logrotate.co
24316 ? SW 0:00 \_ [sendmail]
383 ? SW 0:00 [lpd]
440 ? SW 0:02 [gpm]
454 ? S 0:09 xfs -port -1 -daemon PWD=/ HOSTNAME=sorrento.localnet
502 ? S 0:03 /usr/local/sbin/sshd PWD=/ HOSTNAME=sorrento.localnet
31381 ? S 0:12 \_ /usr/local/sbin/sshd PWD=/ HOSTNAME=sorrento.loca
31824 pts/0 S 0:00 \_ -bash HOME=/home/vin USER=vin LOGNAME=vin PAT
31851 pts/0 S 0:00 \_ su PWD=/home/vin XAUTHORITY=/home/vin/.Xa
31852 pts/0 S 0:00 \_ bash PWD=/home/vin XAUTHORITY=/home/v
32003 pts/0 R 0:00 \_ ps aefxwww PWD=/var/log XAUTHORIT
652 ? S 0:16 /usr/local/pkg/psionic/portsentry/portsentry -atcp PW
655 ? S 0:00 /usr/local/pkg/psionic/portsentry/portsentry -audp PW 657
tty1 S 44:13 perl -w /usr/local/sbin/voicebox tty1 HOME=/ TERM=lin
660 tty4 SW 0:00 [mingetty]
4163 ? SW 0:00 [inetd]
30771 ? S 0:00 /sbin/vgetty ttyS0 HOME=/ TERM=linux BOOT_IMAGE=linux
31392 tty2 S 0:00 /sbin/mingetty tty2 HOME=/ TERM=linux BOOT_IMAGE=linu
31823 tty3 S 0:00 /sbin/mingetty tty3 HOME=/ TERM=linux BOOT_IMAGE=linu
Can anyone see what's going on? Thanks!
---
Mark K. Kim
http://www.cbreak.org/mark/
PGP key available upon request.