* packet sniffers
From: Jude DaShiell
To: speakup
From reading I've done I've learned if you get one or more of these on
your system it's because your ethernet card is running in promiscuous mode
long enough for the packet sniffer to be installed. When you do something
like ifconfig eth0 -promisc up you're telling your ethernet card to only
listen for frames broadcast specifically to it and not to listen for any
other frames being broadcast to the left or right of your computer's
network connection. Unfortunately, the Linux default is to come up in
promiscuous mode when going onto the internet especially so with Debian.
If you get a packet sniffer the three things you can try from easiest to
hardest are: 1) install a network switch and replace any hubs with that
switch, 2) encrypt all internet connections including and especially
fetchmail, 3) do a complete system reinstall and arrange for encrypted
connections before going out onto the internet. I use a netup script:
#!/bin/sh
poff dsl-provider
ifconfig eth0 down
ifconfig eth0 -promisc up
dhclient eth0
to go onto the internet anymore. The thing is I do the pon
dsl-provider back in my own user account so root isn't logged in. I can
do most of this now with the exception of a good .fetchmailrc file. I
have information on doing an encrypted connection with that but am going
to get some local linux help to make sure I'm translating it correctly for
my own needs. Once I get it working, I'll put the sanitized .fetchmailrc
file up on speakup for anyone else who needs it or may need it in the
future. Oh, the only way I knew the packet sniffers were there was
because I had chkrootkit installed and running when it got installed and I
got the email describing the system compromise. Forewarned is forearmed.
* Re: packet sniffers
From: Gregory Nowak
To: Speakup is a screen review system for Linux.
On Tue, Jun 27, 2006 at 01:43:15AM -0400, Jude DaShiell wrote:
> When you do something
> like ifconfig eth0 -promisc up you're telling your ethernet card to only
> listen for frames broadcast specifically to it and not to listen for any
> other frames being broadcast to the left or right of your computer's
> network connection.
Quite the opposite is true actually. Putting the nic in promisc mode
tells it to listen for all packets on the network. Not putting the nic
into promisc mode tells it to just listen for packets meant for that
nic's IP address specifically.
> Unfortunately, the Linux default is to come up in
> promiscuous mode when going onto the internet especially so with Debian.
Wrong again. The gnu/linux default is to *not* bring up the interfaces
in promisc mode on startup. I've installed slackware, and debian on a
number of systems a number of times, and even installed gentoo
once. At no time did these installs result in bringing up the nics in
promisc mode at startup.
If what you're saying is actually what you've read, then I'd like to
have a look at the documents in question, so that I can either correct
my misinformation, or fire off an email to the authors responsible for
spreading such misinformation. Otherwise, I must conclude that you're
misinterpreting what you've read, in which case, it's no surprise to
me at all that you're dealing with packet sniffers and successful
cracking attempts on your system(s).
Greg
--
web site: http://www.romuald.net.eu.org
gpg public key: http://www.romuald.net.eu.org/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)
--
Free domains: http://www.eu.org/ or mail dns-manager@EU.org
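The promiscuous-mode state argued over in the message above can be read straight from the kernel instead of inferred. The script below is an added example, not part of the thread or of any poster's setup: it tests the IFF_PROMISC bit (0x100) in each interface's sysfs flags file. The function names and the optional directory argument are assumptions of this example, and the sample flag values are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: list interfaces whose kernel flags
# carry IFF_PROMISC (0x100 in <linux/if.h>). Linux exposes each
# interface's flags as a hex string in /sys/class/net/<iface>/flags.

IFF_PROMISC=256   # 0x100

# flags_promisc HEX: succeed if the promiscuous bit is set in HEX.
flags_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# promisc_ifaces [NETDIR]: print the name of every promiscuous interface.
# NETDIR (an assumption of this example) defaults to /sys/class/net and
# lets the check run against a constructed directory tree.
promisc_ifaces() {
    netdir=${1:-/sys/class/net}
    for d in "$netdir"/*; do
        [ -r "$d/flags" ] || continue
        read -r flags < "$d/flags" || continue
        hex=${flags#0x}
        # Skip anything that is not a plain hex number.
        case $hex in ''|*[!0-9a-fA-F]*) continue ;; esac
        if flags_promisc "0x$hex"; then
            printf '%s\n' "${d##*/}"
        fi
    done
}

# demo_constructed: build a constructed sysfs-like tree and run the check.
# 0x1003 = UP|BROADCAST|MULTICAST, 0x1103 adds PROMISC.
demo_constructed() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/eth0" "$tmp/eth1"
    echo 0x1003 > "$tmp/eth0/flags"
    echo 0x1103 > "$tmp/eth1/flags"
    promisc_ifaces "$tmp"
    rm -rf "$tmp"
}

# Live check: prints nothing when no interface is promiscuous.
promisc_ifaces
```

Run from cron or at boot, an empty result on a freshly started machine is what the reply above describes as the default; a name appearing later is the event worth investigating.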
* packet sniffers
From: Jude DaShiell
To: speakup
I've had two different instances of them put on this system in the last 3
days. I know this because I have chkrootkit installed and I read the
email chkrootkit generates. The last install of packet sniffer didn't
take more than an hour to accomplish either. Other than removing dhclient
and reinstalling it and changing all passwords on the system what else
needs to be done to get a better control over this problem. I leave the
system on and logged into a user account only since I'm downloading
podcasts with it during the day while I'm away from the system.
* Re: packet sniffers
From: Tyler Littlefield
To: Speakup is a screen review system for Linux.
kill the users who are running them, and I don't mean just kill their
accounts, literally kill them. lol.
Later,
~~TheCreator~~
website:
http://tysplace.shaned.net
msn:
compgeek134@hotmail.com
aim:
st8amnd2005
skype:
st8amnd127
moo coder/wizard and administrator
----- Original Message -----
From: "Jude DaShiell" <jdashiel@shellworld.net>
To: <speakup@braille.uwo.ca>
Sent: Tuesday, June 20, 2006 3:47 AM
Subject: packet sniffers
> I've had two different instances of them put on this system in the last 3
> days. I know this because I have chkrootkit installed and I read the
> email chkrootkit generates. The last install of packet sniffer didn't
> take more than an hour to accomplish either. Other than removing dhclient
> and reinstalling it and changing all passwords on the system what else
> needs to be done to get a better control over this problem. I leave the
> system on and logged into a user account only since I'm downloading
> podcasts with it during the day while I'm away from the system.