Doesn't sound like anything serious to me, but it is odd behavior. (I could
easily be wrong.) I would check a forum that centers around your distro and
just ask if anyone had seen that behavior before. Perhaps reset your
cable/DSL modem as well. It may be that it just got screwed up somehow WRT
dhcp service. (stabbing in the dark now...) The only other thing I can think
of to try is look over your dhcpcd and net.eth0 config files for anything
weird.

(Why I actually replied...) I run nmap as you do now, but add '-p 1-' so it
will scan all ports from 1-65536, which should let you see any listening
service. I run this on each of my boxes inside periodically too. I'll also
run UDP, FIN, Xmas, and Null scans periodically, just for kicks. And nessus
to check that what is there is (more or less) up to date. I'm not worried
about my boxes so much, but when friends bring stuff over, I have no way of
knowing what they might be bringing with them.

Incidentally, nmap 3.50 was released today.

> -----Original Message-----
> From: tclug-list-bounces at mn-linux.org 
> [mailto:tclug-list-bounces at mn-linux.org] On Behalf Of Erick Stohr
> Sent: Thursday, January 22, 2004 14:57
> To: TCLUG Mailing List
> Subject: [TCLUG] eth0 promisc
> 
> 
> Hello,
> 
> My eth0 (the external interface) on my firewall machine was down this
> morning, and when brought back up via dhcpd it got turned onto promisc,
> which I know sniffs packets, and that is about all I know, so I shut it
> down right away.
> 
> I ran chkrootkit version 0.43 after I discovered eth0 was down and
> brought back up and nothing came up infected, except the eth0 was
> promisc when it was using dhcpd, so I just gave it a static and it is no
> longer on promisc, is this sufficient? I would assume something is wrong
> with my rules on my firewall because I assume someone got in and
> manipulated the dhcpd script or is there another way to get it to be
> promisc?
> 
> I checked root's .bash_history and it was still intact with all of MY
> commands, but in /var/log/messages it says something like:
> 
> "trying to punch ~MY ISP's DNS SERVER~ through firewall"
> 
> I am running an old version of RH 7.1 as a firewall using ipchains
> behind a Linksys Wireless router. My boxes behind the firewall also seem
> fine, nothing is promisc and chkrootkit runs cleanly.
> 
> I thought my firewall was decent, I run nmap against both interfaces,
> eth0 (external) and eth1 (internal) and it always has shown no ports at
> all are open, running:
> 
> nmap -sS -v -O
> 
> Any help/suggestions, like maybe if I should "get that box off the 
> network", would be helpful. Thank you in advance.
> 
> Erick
> 
> 
> 
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org tclug-list at mn-linux.org
> https://mailman.real-time.com/mailman/listinfo/tclug-list
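
Added example, not part of either message in this thread: a periodic check for the condition Erick describes, an interface that has gone promiscuous. It assumes a Linux kernel that exposes per-interface flags under /sys/class/net (an RH 7.1-era 2.4 kernel does not); the function names are hypothetical.

```shell
#!/bin/sh
# List network interfaces whose flags word has IFF_PROMISC set.
# Assumption: each interface has a sysfs "flags" file holding a hex
# value such as 0x1103.
IFF_PROMISC=256   # 0x100, the IFF_PROMISC bit from <linux/if.h>

# is_promisc FLAGS_HEX: succeeds when the promiscuous bit is set.
is_promisc() {
    [ $(( $1 & $IFF_PROMISC )) -ne 0 ]
}

# promisc_ifaces [SYSFS_NET_DIR]: print one interface name per line.
promisc_ifaces() {
    root=${1:-/sys/class/net}
    for f in "$root"/*/flags; do
        [ -r "$f" ] || continue             # unmatched glob or unreadable
        read -r flags < "$f" || continue
        # Accept only a 0x-prefixed hex word; skip anything else.
        case $flags in
            0x*) hex=${flags#0x} ;;
            *)   continue ;;
        esac
        case $hex in ''|*[!0-9a-fA-F]*) continue ;; esac
        if is_promisc "$flags"; then
            iface=${f%/flags}
            printf '%s\n' "${iface##*/}"
        fi
    done
}

# Report on the live system when run directly.
promisc_ifaces /sys/class/net
```

Run from cron, a non-empty result on an interface where no sniffer or bridge is expected is the cue to investigate further.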