hackd?!??!
triplehex
11-05-2001, 03:01 PM
I run Red Hat 7.0 and have snort installed. Recently, when I went to shut down the system, I saw my main ethernet card switch out of promiscuous mode. Is that normal? When I run ifconfig, I do not see anything stating that the card is in promiscuous mode. :confused:
X_console
11-05-2001, 05:32 PM
Your ethernet card should not be in promiscuous mode. However, it's possible that if you were playing around with sniffers (e.g., snort's sniffer mode), then it would have switched to promiscuous.
triplehex
11-05-2001, 05:46 PM
What are notable signs to look for if I suspect someone has hacked my system?
X_console
11-05-2001, 10:04 PM
1. Check your logs for any suspicious entries.
2. Check the /etc/passwd and /etc/shadow files for any new entries. Also check the date it was last modified.
3. If you've got tripwire installed, run it. If you don't, get your Linux CD and use md5sum to compare the signatures of the following programs on the CD and on your system: su, ifconfig, ls, ps, ping, passwd, in.telnetd, sshd, login, etc, basically all SUID programs.
4. Check what services you're running and what versions. Go to http://www.securityfocus.com and see if there are any vulnerabilities in any of the services you're using.
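Step 3 of the checklist above as a script; this is an added example, not part of X_console's post. It assumes a hypothetical REF_ROOT directory holding known-good binaries laid out like the live filesystem (for example, packages from the install CD unpacked there), and the binary paths are typical locations chosen for illustration. Run it with md5sum taken from trusted media, since a tampered system may carry a tampered md5sum.

```shell
#!/bin/sh
# Added example: compare system binaries against known-good reference copies.
# Programs named in the post; these paths are assumed typical locations.
BINARIES="/bin/su /sbin/ifconfig /bin/ls /bin/ps /bin/ping /usr/bin/passwd
/usr/sbin/in.telnetd /usr/sbin/sshd /bin/login"

# hash_of FILE: print only the MD5 hex digest of FILE.
hash_of() {
    md5sum "$1" | cut -d' ' -f1
}

# compare_binaries REF_ROOT SYS_ROOT [FILE...]
# REF_ROOT: tree of trusted binaries (assumption, see above).
# SYS_ROOT: root of the system under inspection ("" for the live system,
#           or a mount point when the disk is examined from rescue media).
# Prints OK, MISMATCH, MISSING-SYS or MISSING-REF per file.
# Returns 0 only if every file is present on both sides and matches.
compare_binaries() {
    ref_root=$1; sys_root=$2; shift 2
    # Fall back to the default list when no files are given.
    [ $# -gt 0 ] || set -- $BINARIES
    rc=0
    for f in "$@"; do
        if [ ! -f "$ref_root$f" ]; then
            echo "MISSING-REF $f"; rc=1
        elif [ ! -f "$sys_root$f" ]; then
            # A vanished system binary is as suspicious as a changed one.
            echo "MISSING-SYS $f"; rc=1
        elif [ "$(hash_of "$ref_root$f")" = "$(hash_of "$sys_root$f")" ]; then
            echo "OK $f"
        else
            echo "MISMATCH $f"; rc=1
        fi
    done
    return $rc
}

# Stand-alone use: script.sh REF_ROOT SYS_ROOT [FILE...]
if [ $# -ge 2 ]; then
    compare_binaries "$@"
fi
```

A MISMATCH can also come from a legitimately updated package, so check the installed version against the reference before treating it as tampering.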
Dark Ninja
11-05-2001, 10:52 PM
How do you check to see which files are running in promiscuous mode?
Dark Ninja
X_console
11-06-2001, 12:01 AM
Well, usually it's only your network card that's running promiscuous. That being said, use the ifconfig command and it will tell you whether the interface is promiscuous or not.
If you mean which files are causing it to run in promiscuous, it can be hard to tell. The reason being a program doesn't necessarily have to be running to set the interface on promisc. It just needs to run once, set the card promisc, and then exit gracefully. You can manually set the card to promisc too by using the ifconfig command.