Archive for September, 2006

Ghost IP Addresses!

Posted in Geekery on September 27th, 2006

This is a story about a box. The box was at work. This is a linux box. The box had 2 IPs. This was causing some problems with something non-essential, like backups. The box was then changed to have 1 IP. Time passes and someone decides to try to use the old IP only to discover that something is still using it. That something turns out to be a box. Thus begins a story about a box.

Being curious, I took a look at the box. Everyone knows ifconfig, it’s great, it tells you all the interface settings for a box. Except, well, the IP that the box is responding to isn’t on the list. netstat also doesn’t know about the IP. Hmmm, curiouser and curiouser.

Restart the network on the box (always lots of fun to do remotely) to see if the mysterious IP address goes away: still there. Reboot the machine: the IP is still there. I know I removed that IP from this machine!

Restart the network again and watch what it says… “Bringing up interface eth0…” “Bringing up interface eth0-old…”. That’s a little odd, but I remember that I renamed the file for the old settings, Just In Case ™. Maybe that wasn’t such a hot idea? But if I have a config file that invokes the same interface as before (eth0), should it quietly create a ghost IP address and let people use it?

As a little test I set up an sshd config that specifically listened on an odd port at this ghost IP address and was able to connect to it! And once the port was added to the firewall rules, I could talk to it remotely as well. So the machine is using this IP, but why would it, when ifconfig still reports only the one IP it is supposed to be using and doesn’t show any additional IPs on any interface?

And then I found it, the ‘new and improved’ way of adding IPs to a Linux machine: ip addr. If you add additional IPs using ip addr, ifconfig will never display any information about those additional IPs.

So as a test, after the machine has booted, I try ‘ip addr add 10.2.3.45 dev eth0’ and then look at ifconfig. I would expect this to show a secondary address on eth0 in ifconfig. Nope, all I see is the original IP of the machine. ‘ip addr’, on the other hand, does show me both IP addresses now residing on the interface. Fortunately, ‘ip addr del’ will remove the address, though attempting to delete the additional address with ifconfig appears to do bad things in some situations (on 1 of the 2 machines I tested this on it appears to have turned off the interface entirely, oops).
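The two findings above (a renamed ifcfg file that still gets brought up, and an address added with ip addr that ifconfig never shows) are both easy to check for from a defender's side. The script below is an added example, not code from the original post: it parses a constructed sample of ‘ip -4 -o addr show’ output (ifconfig only reports an interface's primary address and labelled aliases such as eth0:1, while an unlabelled address added by ip addr is reported by ip as “secondary”), and it scans a network-scripts directory for several ifcfg-* files that claim the same DEVICE. The sample output, the directory argument and the function names are assumptions for the example.

```shell
#!/bin/sh
# Constructed sample of `ip -4 -o addr show` output, one address per line.
# On a real host replace it with:  ip -4 -o addr show
# Fields: $1 index, $2 interface, $3 "inet", $4 address/prefix, rest = flags.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.2.3.44/24 brd 10.2.3.255 scope global eth0
2: eth0    inet 10.2.3.45/24 scope global secondary eth0'

# list_ghost_addrs OUTPUT
# Prints "iface address/prefix" for every IPv4 address that `ip` flags as
# secondary and that carries no alias label, i.e. the addresses ifconfig
# will not display. An address with a label (eth0:1) is visible to ifconfig,
# so it is skipped even though ip also calls it secondary.
list_ghost_addrs() {
    printf '%s\n' "$1" | awk '
        $3 == "inet" && /secondary/ {
            label = $NF          # last field is the label, or the bare iface
            if (label == $2) print $2, $4
        }'
}

# find_duplicate_devices DIR
# Prints "device: file1 file2 ..." for every DEVICE that more than one
# ifcfg-* file in DIR configures. The init scripts bring up every ifcfg-*
# file that is not an editor/rpm backup, so ifcfg-eth0-old is still live.
find_duplicate_devices() {
    dir="$1"
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        dev=$(sed -n 's/^DEVICE=//p' "$f" | tr -d '"')
        if [ -n "$dev" ]; then
            printf '%s %s\n' "$dev" "$f"
        fi
    done | sort | awk '
        { files[$1] = files[$1] " " $2; n[$1]++ }
        END { for (d in n) if (n[d] > 1) print d ":" files[d] }'
}

# Stand-alone demo on the constructed sample.
echo "Addresses ifconfig would not show:"
list_ghost_addrs "$SAMPLE_IP_ADDR"
echo "Duplicate DEVICE entries in /etc/sysconfig/network-scripts:"
find_duplicate_devices /etc/sysconfig/network-scripts
```

Run it as root on the box in question, or feed real ‘ip -4 -o addr show’ output to list_ghost_addrs; any line it prints is an address the host answers on that an ifconfig-based inventory would miss, and any device find_duplicate_devices prints has more than one config file competing to configure it.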

I wonder how useful this could be if you wanted to set up some backdoors on a system, but didn’t want anyone to know they exist? I mean, who would think to remotely scan the wrong IP of a machine to see what was listening on it?

(Discovered on RHEL AS 4.0 and further tested on FC4, kernel 2.6.14, and FC5, kernel 2.6.17.)

Update: Fixed a couple of grammar items, and confirmed the issue still exists on FC8, kernel 2.6.23.15-137.