unaccounted tunl interfaces

Post by Wally Whacke » Sat, 01 Apr 2000 04:00:00



I have a customer whose ifconfig -a looks like this. This ifconfig
persists across reboots.

I searched everywhere on his system but was unable to find WHERE the
tunl interfaces were being upped. The customer says he has no idea how
they got there. I grepped the entire /etc and subdirectories for tunl
and turned up nothing.

I grepped the /usr/src/linux build directory for tunl. Nothing.

Does anyone know how these interfaces are normally initialized?

This is a redhat 5.2 system with 2.0.36 kernel.

It's creepy because, if this was installed by an intruder it looks
like a great way to bypass a firewall to one machine and thence to an
entire internal network.

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
          RX packets:303 errors:0 dropped:0 overruns:0 frame:0
          TX packets:303 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0

tunl0     Link encap:IPIP Tunnel  HWaddr  
          inet addr:0.0.0.0  Mask:0.0.0.0
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0

tunl1     Link encap:IPIP Tunnel  HWaddr  
          inet addr:0.0.0.0  Mask:0.0.0.0
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0

eth0      Link encap:Ethernet  HWaddr 00:A0:C9:A8:68:1E  
          inet addr:192.168.128.22  Bcast:192.168.128.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3985569 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3965028 errors:0 dropped:0 overruns:0 carrier:0
          collisions:3516
          Interrupt:9 Base address:0xef40

Wally

--
Strangers in your computer? Don't be the last one to find out.
http://www.veryComputer.com/
Security Link of the Hour:
http://www.veryComputer.com/*crime/ http://www.veryComputer.com/


unaccounted tunl interfaces

Post by $kr1p7_k1.. » Sat, 01 Apr 2000 04:00:00


I can't say where they are being upped, but I betcha, for some reason, his
tunnelling module is being inserted at startup...  The million dollar
question is: Why?

Is it a dependency for something else?

I'd ask if it's in /etc/conf.modules, but you said you grepped that tree.


> I have a customer whose ifconfig -a looks like this. This ifconfig
> persists across reboots.
> I searched everywhere on his system but was unable to find WHERE the
> tunl interfaces were being upped. The customer says he has no idea how
> they got there. I grepped the entire /etc and subdirectories for tunl
> and turned up nothing.
> I grepped the /usr/src/linux build directory for tunl. Nothing.
> Does anyone know how these interfaces are normally initialized?
> This is a redhat 5.2 system with 2.0.36 kernel.
> It's creepy because, if this was installed by an intruder it looks
> like a great way to bypass a firewall to one machine and thence to an
> entire internal network.
> lo        Link encap:Local Loopback  
>           inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
>           UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
>           RX packets:303 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:303 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0
> tunl0     Link encap:IPIP Tunnel  HWaddr  
>           inet addr:0.0.0.0  Mask:0.0.0.0
>           NOARP  MTU:1480  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0
> tunl1     Link encap:IPIP Tunnel  HWaddr  
>           inet addr:0.0.0.0  Mask:0.0.0.0
>           NOARP  MTU:1480  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0
> eth0      Link encap:Ethernet  HWaddr 00:A0:C9:A8:68:1E  
>           inet addr:192.168.128.22  Bcast:192.168.128.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:3985569 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:3965028 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:3516
>           Interrupt:9 Base address:0xef40
> Wally
> --
> Strangers in your computer? Don't be the last one to find out.
> http://www.veryComputer.com/
> Security Link of the Hour:
> http://www.veryComputer.com/*crime/ http://www.veryComputer.com/

--
..........................................................................

"We want Linux! We want Linux!  We don't know why, but We Want Linux!!

                                               -The Lemming Mantra

..........................................................................



unaccounted tunl interfaces

Post by elle.. » Sat, 01 Apr 2000 04:00:00



> This is a redhat 5.2 system with 2.0.36 kernel.

Whenever something is screwy with Redhat, it's normally under
/etc/sysconf. Much to my delight, I found there's actually
documentation in /usr/doc/initscripts- for this as of 6.1 (maybe
earlier).

> It's creepy because, if this was installed by an intruder it looks
> like a great way to bypass a firewall to one machine and thence to an
> entire internal network.

True, but without any addresses set, I think it's just a typo
somewhere in the above-mentioned demon spawn directory. Redhat's
automated tools excel at adding spurious entries to config files.

--


unaccounted tunl interfaces

Post by Tim Hayne » Mon, 03 Apr 2000 05:00:00



> I can't say where they are being upped, but I betcha, for some reason, his
> tunnelling module is being inserted at startup...  The million dollar
> question is: Why?

Custom-built kernel with "Broadcast GRE over IP" enabled?

> Is it a dependency for something else?

With the above and "IP: GRE tunnels over IP" set to modular, I get tunl0
interfaces all the time as a result of kernel module dependencies.

> I'd ask if it's in /etc/conf.modules, but you said you grepped that tree.

Consider

        zsh, spodzone 11:18PM linux # grep GRE .config
        CONFIG_NET_IPGRE=m
        CONFIG_NET_IPGRE_BROADCAST=y
        # CONFIG_NET_SCH_GRED is not set
        # CONFIG_NET_SCH_INGRESS is not set
        zsh, spodzone 11:18PM linux #

~Tim
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-          
| The sun is melting over the hills,         | http://piglet.is.dreaming.org/


unaccounted tunl interfaces

Post by Wally Whacke » Tue, 04 Apr 2000 04:00:00




> > I can't say where they are being upped, but I betcha, for some reason, his
> > tunnelling module is being inserted at startup...  The million dollar
> > question is: Why?

> Custom-built kernel with "Broadcast GRE over IP" enabled?

> > Is it a dependency for something else?

> With the above and "IP: GRE tunnels over IP" set to modular, I get tunl0
> interfaces all the time as a result of kernel module dependencies.

> > I'd ask if it's in /etc/conf.modules, but you said you grepped that tree.

> Consider

>    zsh, spodzone 11:18PM linux # grep GRE .config
>    CONFIG_NET_IPGRE=m
>    CONFIG_NET_IPGRE_BROADCAST=y
>    # CONFIG_NET_SCH_GRED is not set
>    # CONFIG_NET_SCH_INGRESS is not set
>    zsh, spodzone 11:18PM linux #

The kernel was built with ip tunnelling but it's not called that in
the kernel config file. The config option is CONFIG_NET_IPIP=y. I
grepped the kernel config file (/usr/src/linux/.config) for "tun",
that's why I didn't find it.

Wally

--
Strangers in your computer? Don't be the last one to find out.
HTTP://HACKERWHACKER.COM
Security Link of the Hour: http://www.antionline.com
http://zdnet.com http://www.antivirus.com/vinfo/default.asp
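As an added example (not code from any poster in this thread), the POSIX shell script below does the two checks the thread converges on. It inventories tunnel-type interfaces from old-style `ifconfig -a` output and separates the harmless case (a tunl entry with 0.0.0.0, NOARP and no UP flag, which is just what a kernel built with CONFIG_NET_IPIP=y leaves behind, as elle and Wally worked out) from the case that would justify Wally's firewall-bypass worry (a tunnel that is UP and carries a real address); and it reports the tunnel-related kernel options Tim grepped for, extended to the IPIP and sit options so that a grep for "GRE" alone no longer misses them. The ifconfig and .config text embedded in the script are constructed samples based on what was posted; `SAMPLE_ACTIVE` is a constructed example of an addressed tunnel, and `audit_live` is a hypothetical wrapper that runs the same checks on a real host.

```shell
#!/bin/sh
# Added example, not from the thread. Inventories tunnel interfaces from
# "ifconfig -a" text and reports tunnel-related kernel config options.

# Constructed sample: the ifconfig -a output posted in the thread (trimmed).
SAMPLE_IFCONFIG='lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1

tunl0     Link encap:IPIP Tunnel  HWaddr
          inet addr:0.0.0.0  Mask:0.0.0.0
          NOARP  MTU:1480  Metric:1

tunl1     Link encap:IPIP Tunnel  HWaddr
          inet addr:0.0.0.0  Mask:0.0.0.0
          NOARP  MTU:1480  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:A0:C9:A8:68:1E
          inet addr:192.168.128.22  Bcast:192.168.128.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Constructed sample: what a configured, active IPIP tunnel would look like.
SAMPLE_ACTIVE='tunl0     Link encap:IPIP Tunnel  HWaddr
          inet addr:192.168.0.1  P-t-P:192.168.0.99  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1'

# Constructed sample: kernel .config lines matching Wally's finding.
SAMPLE_CONFIG='CONFIG_NET_IPIP=y
# CONFIG_NET_IPGRE is not set
CONFIG_NETLINK=y'

# list_tunnels: read ifconfig -a text on stdin and print "name encap addr state"
# for every tunnel-type interface. Old ifconfig labels IPIP as "IPIP Tunnel"
# and sit as "IPv6-in-IPv4"; any other encap containing "Tunnel" is reported
# generically. Non-tunnel interfaces (lo, eth0) are skipped.
list_tunnels() {
    awk '
        /^[A-Za-z0-9]/ {
            name = $1; encap = ""; addr = "-"; state = "DOWN"
            if ($0 ~ /Link encap:IPIP Tunnel/)       encap = "ipip"
            else if ($0 ~ /Link encap:IPv6-in-IPv4/) encap = "sit"
            else if ($0 ~ /Link encap:.*Tunnel/)     encap = "tunnel"
            next
        }
        encap != "" && /inet addr:/ { sub(/.*inet addr:/, ""); addr = $1 }
        encap != "" && /MTU:/ {
            if ($0 ~ /(^| )UP( |$)/) state = "UP"
            print name, encap, addr, state
            encap = ""
        }'
}

# active_tunnels: only tunnels that are UP and carry a non-null address,
# i.e. the ones that need an explanation beyond "the kernel has IPIP built in".
active_tunnels() {
    list_tunnels | awk '$4 == "UP" && $3 != "0.0.0.0" && $3 != "-"'
}

# count_lines: print a bare line count for stdin.
count_lines() { wc -l | tr -d ' '; }

# tunnel_config: print tunnel options that are built in (y) or modular (m)
# from .config text on stdin; exit status 1 if there are none.
tunnel_config() {
    grep -E '^CONFIG_NET_(IPIP|IPGRE|IPGRE_BROADCAST|SIT)=(y|m)'
}

# audit_live: hypothetical wrapper to run the same checks on a real host.
# Takes the kernel .config path as an optional argument.
audit_live() {
    echo "== tunnel interfaces =="
    ifconfig -a | list_tunnels
    echo "== active (UP, addressed) tunnels =="
    ifconfig -a | active_tunnels
    echo "== kernel tunnel options =="
    tunnel_config < "${1:-/usr/src/linux/.config}" || echo "(none)"
    echo "== loaded tunnel modules =="
    grep -E '^(ipip|ip_gre|sit) ' /proc/modules || echo "(none)"
}
```

On the posted output, `list_tunnels` reports tunl0 and tunl1 as ipip, address 0.0.0.0, DOWN, and `active_tunnels` reports nothing, which is the benign pattern. A tunnel that shows up under `active_tunnels` is one that something (an init script, a module option, or a person) has configured, and its endpoint address is the thing to trace.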


1. ipip tunl.

I'm trying to set up a simple ipip tunnel between two machines. These
machines are on the same network and only have one NIC each. This isn't
particularly useful, but for now I'm experimenting.

Machine A
tunl0 192.168.0.1 ptp 192.168.0.99
eth0  10.0.0.1 default

Machine B
tunl0 192.168.0.99 ptp 192.168.0.1
eth0  10.0.0.202 default

The problem I get is that whenever I try and ping the far end of the
tunnel, I see an arp request for 3.0.0.0. If I ping 192.168.0.99 from
Machine A, I never see the ping go out on eth0, but instead I see
something like 'arp who has 3.0.0.0, tell 10.0.0.1'. The same thing in
the other direction from Machine B.

Where is 3.0.0.0 coming from? Is this some kind of special address?

I tried manipulating my arp cache to put 3.0.0.0 in but to no avail.
I also tried adding the tunnel endpoints to the arp cache with no
results either.
