Section 17.5 Finding Promiscuous Processes

   


Although you could disable Promiscuous mode by supplying -promisc to ifconfig via

    ifconfig eth0 -promisc

that would serve to alert the cracker so that he could cover his tracks and vanish. Instead, the following approach is recommended. Once you discover that an Ethernet card (network interface) is in Promiscuous mode, the next matter is to determine who put it in Promiscuous mode and is listening to all network activity. I know of no easy way to determine this directly, so the following script follows the Sherlock Holmes methodology: eliminate every process on the system that could not be listening Promiscuously, and treat whatever remains as suspect.

The script I created to do this is on the CD-ROM and is called fpromisc (for find Promiscuous mode processes). It works by using Linux's wonderful /proc pseudo-filesystem to analyze each running process on the system and finding all the processes with open sockets and then eliminating the open sockets that are using the TCP, UDP, or UNIX protocols. Any remaining sockets (and therefore remaining processes using them) clearly are using a different protocol that might be raw packet mode. Raw packet mode quite often is used for sniffing.

Note that even if your system has the bug that prevents ifconfig from indicating when an Ethernet card is in Promiscuous mode, fpromisc still will include among its suspicious processes any processes that actually do have an Ethernet card in Promiscuous mode.


These remaining processes could be Promiscuously sniffing the network but may be innocent. Netscape tends to show up as one of those innocent processes and children of netscape, typically viewers like Adobe Acrobat's acroread, also may show up. The fpromisc script then invokes ps on these remaining processes. Further, it lists the full pathname for the executable program associated with each process. By running fpromisc when the system is normal (ifconfig eth0 does not show Promiscuous mode), you can learn what innocent programs will turn up. It is suggested that you store fpromisc's output on disk and print it out too. Certainly, tcpdump shows up like a beacon but a smart cracker will have renamed it, possibly even to netscape. The pathname does not lie, however.
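The elimination described above, as an added example rather than the book's own fpromisc script: this Python re-implementation reads the socket inodes that /proc/net/tcp, udp and unix account for, subtracts them from the socket inodes held open by each process, and reports what is left with the executable path from /proc/PID/exe (2.2+ kernels). The proc argument is an assumption added so the same code can be run against a copied or constructed /proc tree; on a modern kernel the remainder also includes netlink and packet sockets, so run it once on a clean system to learn the innocent entries, as the text recommends.

```python
import os
import re
from pathlib import Path
SOCKET_FD = re.compile(r"^socket:\[(\d+)\]$")
# (table under /proc/net, 0-based index of its inode column); tcp6/udp6 are
# absent on old kernels and are simply skipped then
TABLES = (("tcp", 9), ("tcp6", 9), ("udp", 9), ("udp6", 9), ("unix", 6))

def accounted_inodes(proc):
    """Inodes of every TCP, UDP and UNIX socket the kernel lists."""
    inodes = set()
    for name, col in TABLES:
        path = Path(proc, "net", name)
        if path.is_file():
            for line in path.read_text().splitlines()[1:]:  # skip header
                fields = line.split()
                if len(fields) > col:
                    inodes.add(fields[col])
    return inodes

def socket_fds(proc):
    """Yield (pid, inode) for each open file descriptor that is a socket."""
    for pid_dir in Path(proc).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            links = [os.readlink(fd) for fd in (pid_dir / "fd").iterdir()]
        except OSError:  # not readable without root, or the process exited
            continue
        for target in links:
            m = SOCKET_FD.match(target)
            if m:
                yield pid_dir.name, m.group(1)

def find_candidates(proc="/proc"):
    """Sorted (pid, inode, exe) for sockets that are not TCP, UDP or UNIX."""
    known = accounted_inodes(proc)
    found = set()
    for pid, inode in socket_fds(proc):
        if inode in known:
            continue
        try:
            exe = os.readlink(Path(proc, pid, "exe"))  # pathname on 2.2+
        except OSError:
            exe = "?"
        found.add((pid, inode, exe))
    return sorted(found)

if __name__ == "__main__":
    for pid, inode, exe in find_candidates():
        print(f"pid {pid:>6}  socket inode {inode:>8}  exe {exe}")
```

Run it as root so every process's fd directory is readable; compare the output against the listing you saved when the system was known to be clean.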

If you are running a pre-2.2 kernel (prior to Red Hat 6.1 or Mandrake 6.1 or Slackware 7), then instead of the pathname it will list the inode number. If this is the case, the script will provide an example of using the find command to locate the pathname associated with this inode. Understand that under pre-2.2 kernels this exhaustive search of the disk is the only way to determine the pathname, and it may take several minutes. Because inode numbers are unique only within a given file system, the find command may list several files.

To determine the correct file, note the major and minor device numbers that fpromisc listed, probably major:03 minor:01 if your root file system is on /dev/hda1, or major:08 minor:01 if it is on /dev/sda1. In this case, the correct file is the one in the root file system, that is, the one whose first pathname component is not that of a mounted file system. Note that this worrying about the inode number and device is required only if you are running an ancient pre-2.2 kernel.

See "Finding the Cracker's Running Processes" on page 672 and "Handling Running Cracker Processes" on page 673 for details on what to do next. You do want to attempt to gather data on the running processes before shutting the system down and running a known good version of Linux to start the recovery process.


   

Real World Linux Security Prentice Hall Ptr Open Source Technology Series
Year: 2002
Pages: 260
