Re: Large, constant incoming traffic
On Tuesday 18 May 2004, 14:17, Javier Fernández-Sanguino Peña wrote:
> On Thu, May 13, 2004 at 09:02:45PM +0200, Kjetil Kjernsmo wrote:
> > Hm, chkrootkit says that eth0 is not promiscuous... And as I said,
> > I don't think I ever got Snort to work right... :-)
>
> Are you sure that's not a bug in chkrootkit (false negative)?
No idea! :-)
> It seems that chkrootkit (since 0.42b-1) fixed this, from the
> changelog: * ifpromisc now parses /proc/net/packet so that it can
> provide better diagnostics. (forwarded patch upstream) (closes:
> #214990)
>
> But you would not see that if you are running stable (no backports)
> and linux 2.4
I'm using a backport of chkrootkit, specifically Norbert's, it says:
chkrootkit version 0.43
But for all I know "better diagnostics" doesn't really imply that it
can't be a false negative...
BTW, the traffic has just ceased, so my ISP has apparently been able to
pin it down. I have sent them a message asking what happened, but
haven't got a response.
I really feel like sending the people responsible for this machine an
invoice for two days of consultancy, that's the real cost for me.
People need to realize that damage inflicted on others is also a part
of Windows TCO... At least to see what happens.
Cheers,
Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net webmaster@skepsis.no editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/ OpenPGP KeyID: 6A6A0BBC