Help Reading Syslogs - Possible Hack - Logs Showing Ports Entering Promiscuous Mode

zwitterion

Occasional Visitor
This would be the second time my router (info in my signature below) completely stopped receiving both wireless and wired connections. When looking at the syslog I found ethernet ports being set to Promiscuous Mode and Entered Listening State. When searching online I found "promiscuous mode means a packet sniffer instructed your ethernet device to listen to all traffic. This can be a benign or a malicious act." If this is a bug issue, then I can post this elsewhere as well to help with resolving the matter.
 
Promiscuous mode is what happens when you engage tap/monitoring of the port/packet. I use ntopng and that's how you get the info. Are you using a package in the router for this purpose?
 
I don't think so, I just have Diversion, Skynet, and scribe installed. I used to have Kiwi Syslog but that was set up before I moved to Merlin and the configs may have been transferred in the dirty firmware upgrade. I no longer use Kiwi Syslog since I have Scribe installed.
 
I glanced at the attachment after replying and it looks like an 8 minute boot log. Looks like normal stuff with interfaces coming online. Maybe a hard reset and manual reconfiguration is needed. It didn't show any obvious app being triggered. Maybe it did a soft reboot to trigger things due to an error?
 
Possibly, not sure what causes soft reboots. I am getting regular patterns of these syslogs:

Mar 30 21:12:22 GT-AXE11000-7220 kernel: FPM Pool 1: invalid token 0x205f0000 freed
Mar 30 21:12:22 GT-AXE11000-7220 kernel: FPM Pool 1: ISR timer is enabled. There could be multiple occurrences of the reported issue
Mar 30 22:09:46 GT-AXE11000-7220 kernel: httpds (2617): drop_caches: 1
and one of these:
Mar 30 22:19:44 GT-AXE11000-7220 kernel: htb: too many events!

If it becomes a bigger problem I can wipe everything and install clean firmware.
 
Httpds is the web server package for reporting something from an app. I also run pihole for monitoring dns traffic and it's bundled into that for the web GUI. There might be a conflict from the dirty upgrade between the two programs. A surefire way to figure it out would be a netstat to see what's listening / serving web stats from an ssh session.
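Added example, not code from the thread or from Asuswrt-Merlin: a small POSIX shell script a router admin could run from the SSH session mentioned above, either over a saved syslog extract or live on the router. It assumes the kernel's standard "device X entered/left promiscuous mode" and bridge STP "entered listening state" wording, uses constructed sample lines (not the OP's attachment), and assumes busybox ip and a netstat built with -p (process names).

```shell
#!/bin/sh
# Added example (not code from the thread): audit a syslog extract for
# promiscuous-mode transitions, then optionally run the live checks the
# reply above suggests from an SSH session on the router.

# Constructed sample lines modelled on the kernel's "device X entered/left
# promiscuous mode" and bridge STP messages; not taken from the OP's log.
SAMPLE_LOG='Mar 30 21:10:01 GT-AXE11000-7220 kernel: device eth1 entered promiscuous mode
Mar 30 21:10:01 GT-AXE11000-7220 kernel: br0: port 1(eth1) entered listening state
Mar 30 21:10:03 GT-AXE11000-7220 kernel: device eth3 entered promiscuous mode
Mar 30 21:12:22 GT-AXE11000-7220 kernel: FPM Pool 1: invalid token 0x205f0000 freed
Mar 30 21:12:40 GT-AXE11000-7220 kernel: device eth3 left promiscuous mode
Mar 30 22:30:00 GT-AXE11000-7220 kernel: device eth2 entered promiscuous mode'

# promisc_state [LOGFILE]: prints "iface N bridged|unbridged" for each interface
# still promiscuous at the end of the log (entered more often than left).
# The bridge itself puts its member ports into promiscuous mode (the "entered
# listening state" line is STP on that port), so "bridged" is expected on a
# router; "unbridged" means something else (e.g. a capture tool) enabled it.
promisc_state() {
    awk '
        /kernel: device [^ ]+ entered promiscuous mode/ { n[$(NF-3)]++ }
        /kernel: device [^ ]+ left promiscuous mode/    { n[$(NF-3)]-- }
        match($0, /port [0-9]+\([^)]+\) entered/) {
            s = substr($0, RSTART, RLENGTH); sub(/.*\(/, "", s); sub(/\).*/, "", s)
            br[s] = 1
        }
        END {
            for (i in n) if (n[i] > 0)
                printf "%s %d %s\n", i, n[i], ((i in br) ? "bridged" : "unbridged")
        }
    ' "$@" | sort
}

# live_checks: run on the router itself. Assumes busybox ip and a netstat
# built with -p (process names), as Asuswrt-Merlin ships.
live_checks() {
    echo '== interfaces currently flagged PROMISC =='
    ip link show | grep -w PROMISC
    echo '== listening TCP/UDP sockets and owning process =='
    netstat -tulpn
}

if [ "$1" = "live" ]; then
    live_checks
else
    printf '%s\n' "$SAMPLE_LOG" | promisc_state
fi
```

Run it with no arguments to process the sample (or `promisc_state /tmp/syslog.log` for a saved log), or with `live` on the router to see which interfaces are promiscuous right now and which process owns each listening socket.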
 