weird interface !

mag-datacom@xxxxxxxxxxxx (GIlles Lévesque) · 05 Nov 2002 14:55:12 -0500

--=-mlJj2IWsjOrmX+VVaPAW
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

This  is the TUN/TAP device take a look into your kernel configurations
into Networkiing options
(IP: tunneling).
you can check out :
http://anchor.cs.binghamton.edu/~mobileip/LJ/index.html

>hello
>i'm running a redhat machine and while checking
>[root@localhost root]# ifconfig -a
>lo        Link encap:Local Loopback
>          LOOPBACK  MTU:16436  Metric:1
>          RX packets:316 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:316 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:0
>          RX bytes:15800 (15.4 Kb)  TX bytes:15800 (15.4 Kb)
>
>ppp0      Link encap:Point-to-Point Protocol
>          inet addr:62.135.14.214  P-t-P:172.17.9.205=20
Mask:255.255.255.255
>          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1524  Metric:1
>          RX packets:1739 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:1942 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:3
>          RX bytes:528941 (516.5 Kb)  TX bytes:178970 (174.7 Kb)
>
>tunl0     Link encap:IPIP Tunnel  HWaddr
>          NOARP  MTU:1480  Metric:1
>          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:0
>          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>
>[root@localhost root]#
>
>i see tunl0 and i dont know who made it and why is it there its always
0.0 b=20
>and its always there even if ppp0 isnt up , so i'd like to investigate
this=20
>, is my machine compromised or a software made it , please help me with
it .
>
>i though of running iptables to listen to what passes there .
>any ideas ?
>thanks in advance
>
>
>_________________________________________________________________
>Surf the Web without missing calls! Get MSN Broadband.=20
>http://resourcecenter.msn.com/access/plans/freeactivation.asp

Gilles L=C3=A9vesque, RHCE
M.A.G. Datacom
373, rue T=C3=A9miscouata
Rivi=C3=A8re-du-Loup (Qu=C3=A9bec)
G5R 2Y9
T=C3=A9l=C3=A9phone : (418) 867-8656
T=C3=A9l=C3=A9copieur : (418) 867-3870

--=-mlJj2IWsjOrmX+VVaPAW
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
 <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
 <META NAME="GENERATOR" CONTENT="GtkHTML/1.0.4">
</HEAD>
<BODY>
This&nbsp; is the TUN/TAP device take a look into your kernel configurations into Networkiing options
 
(IP: tunneling).
 
you can check out : <A HREF="http://anchor.cs.binghamton.edu/~mobileip/LJ/index.html";>http://anchor.cs.binghamton.edu/~mobileip/LJ/index.html</A>

<BR>

<BR>

&gt;hello
 
&gt;i'm running a redhat machine and while checking
 
&gt;[root@localhost root]# ifconfig -a
 
&gt;lo&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Link encap:Local Loopback
 
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOOPBACK&nbsp; MTU:16436&nbsp; Metric:1
 
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RX packets:316 errors:0 dropped:0 overruns:0 frame:0
 
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TX packets:316 errors:0 dropped:0 overruns:0 carrier:0
 
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; collisions:0 txqueuelen:0
 
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RX bytes:15800 (15.4 Kb)&nbsp; TX bytes:15800 (15.4 Kb)
 
&gt;
 
&gt;ppp0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Link encap:Point-to-Point Protocol
 
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; inet addr:62.135.14.214&nbsp; P-t-P:172.17.9.205&nbsp; Mask:255.255.255.255
 
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UP POINTOPOINT RUNNING NOARP MULTICAST&nbsp; MTU:1524&nbsp; Metric:1
 
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RX packets:1739 errors:0 dropped:0 overruns:0 frame:0
 
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TX packets:1942 errors:0 dropped:0 overruns:0 carrier:0
 
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; collisions:0 txqueuelen:3
 
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RX bytes:528941 (516.5 Kb)&nbsp; TX bytes:178970 (174.7 Kb)
 
&gt;
 
&gt;tunl0&nbsp;&nbsp;&nbsp;&nbsp; Link encap:IPIP Tunnel&nbsp; HWaddr
 
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NOARP&nbsp; MTU:1480&nbsp; Metric:1
 
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RX packets:0 errors:0 dropped:0 overruns:0 frame:0
 
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
 
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; collisions:0 txqueuelen:0
 
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RX bytes:0 (0.0 b)&nbsp; TX bytes:0 (0.0 b)
 
&gt;
 
&gt;[root@localhost root]#
 
&gt;
 
&gt;i see tunl0 and i dont know who made it and why is it there its always 0.0 b 
 
&gt;and its always there even if ppp0 isnt up , so i'd like to investigate this 
 
&gt;, is my machine compromised or a software made it , please help me with it .
 
&gt;
 
&gt;i though of running iptables to listen to what passes there .
 
&gt;any ideas ?
 
&gt;thanks in advance
 
&gt;
 
&gt;
 
&gt;_________________________________________________________________
 
&gt;Surf the Web without missing calls! Get MSN Broadband. 
 
&gt;<A HREF="http://resourcecenter.msn.com/access/plans/freeactivation.asp";>http://resourcecenter.msn.com/access/plans/freeactivation.asp</A>

<BR>

<TABLE CELLSPACING="0" CELLPADDING="0" WIDTH="100%">
<TR>
<TD>
<FONT SIZE="3"><B>Gilles L&#233;vesque, RHCE</FONT></B>
<BR>
<FONT SIZE="3"><B>M.A.G. Datacom</FONT></B>
<BR>
373, rue T&#233;miscouata
<BR>
Rivi&#232;re-du-Loup (Qu&#233;bec)
<BR>
G5R 2Y9
<BR>
<FONT SIZE="2">T&#233;l&#233;phone : (418) 867-8656</FONT>
<BR>
<FONT SIZE="2">T&#233;l&#233;copieur : (418) 867-3870</FONT>
<BR>

</TD>
</TR>
</TABLE>

</BODY>
</HTML>

--=-mlJj2IWsjOrmX+VVaPAW--