
Re: Large, constant incoming traffic

On Tuesday 18 May 2004, 14:17, Javier Fernández-Sanguino Peña wrote:
> On Thu, May 13, 2004 at 09:02:45PM +0200, Kjetil Kjernsmo wrote:
> > Hm, chkrootkit says that eth0 is not promiscuous... And as I said,
> > I don't think I ever got Snort to work right... :-)
> Are you sure that's not a bug in chkrootkit (false negative)?

No idea! :-)

> It seems that chkrootkit (since 0.42b-1) fixed this, from the
> changelog: * ifpromisc now parses /proc/net/packet so that it can
> provide better diagnostics. (forwarded patch upstream) (closes:
> #214990)
> But you would not see that if you are running stable (no backports)
> and linux 2.4

I'm using a backport of chkrootkit, specifically Norbert's, it says:
chkrootkit version 0.43

But for all I know "better diagnostics" doesn't really imply that it
can't be a false negative...

BTW, the traffic has just ceased, so my ISP has apparently been able to
pin it down. I have sent them a message asking what happened, but
haven't got a response.

I really feel like sending the people responsible for this machine an
invoice for two days of consultancy, that's the real cost for me.
People need to realize that damage inflicted on others is also a part
of Windows TCO... At least to see what happens.


Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net  webmaster@skepsis.no  editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/        OpenPGP KeyID: 6A6A0BBC
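As an added example (not part of this thread and not chkrootkit's own code), here is a Python sketch of the kind of check the quoted changelog describes: list the packet sockets from /proc/net/packet next to the IFF_PROMISC flag from sysfs, so a capture socket bound with ETH_P_ALL is visible even when the interface flag reads clear. The /proc/net/packet text below is constructed; the column layout and IFF_PROMISC value follow the Linux kernel headers.

```python
import os

# IFF_PROMISC from <linux/if.h>; the kernel exposes the flag word in
# /sys/class/net/<iface>/flags as a hex string such as "0x1103".
IFF_PROMISC = 0x100
ETH_P_ALL = 0x0003  # a packet socket with this proto receives every frame

# Column order of /proc/net/packet (net/packet/af_packet.c)
PACKET_HEADER = ("sk", "RefCnt", "Type", "Proto", "Iface", "R", "Rmem", "User", "Inode")
SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}


def parse_proc_net_packet(text):
    """Parse /proc/net/packet text into one dict per open packet socket."""
    sockets = []
    for line in text.strip().splitlines()[1:]:  # first line is the header row
        fields = line.split()
        if len(fields) != len(PACKET_HEADER):
            continue  # skip anything that is not a socket row
        sockets.append({
            "type": SOCK_TYPES.get(int(fields[2]), fields[2]),
            "proto": int(fields[3], 16),
            "ifindex": int(fields[4]),   # 0 means the socket is bound to all interfaces
            "running": fields[5] == "1",
            "uid": int(fields[7]),
            "inode": int(fields[8]),     # match against /proc/<pid>/fd to find the owner
        })
    return sockets


def capture_all_sockets(sockets):
    """Packet sockets receiving every protocol, the shape a sniffer usually opens."""
    return [s for s in sockets if s["proto"] == ETH_P_ALL]


def interface_is_promisc(iface, sysfs_root="/sys/class/net"):
    """True/False from the kernel's IFF_PROMISC flag; None if the flags file is unreadable."""
    try:
        with open(os.path.join(sysfs_root, iface, "flags")) as f:
            return bool(int(f.read().strip(), 16) & IFF_PROMISC)
    except (OSError, ValueError):
        return None


# Constructed sample in the /proc/net/packet layout, not taken from a real host.
SAMPLE = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff88003b4b7000 3      3    0003   2     1 0      0      24711
ffff88003b4b7800 3      2    0800   0     1 0      1000   24980
"""

if __name__ == "__main__":
    for s in capture_all_sockets(parse_proc_net_packet(SAMPLE)):
        print(f"inode {s['inode']}: {s['type']} ETH_P_ALL on ifindex {s['ifindex']}, uid {s['uid']}")
    print("eth0 IFF_PROMISC:", interface_is_promisc("eth0"))
```

On a live host, feed the real file contents to `parse_proc_net_packet(open("/proc/net/packet").read())` and map each reported inode to a process via the `socket:[inode]` links under /proc/*/fd.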
