Re: chkrootkit
On Wednesday, Jan 21, 2004, at 16:38 America/Denver, David Sanders wrote:

> I just ran chkrootkit for the first time on a woody machine and got:
>
> Checking `lkm'... You have     1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Checking `sniffer'...
> PROMISC mode detected in one of these interfaces: eth0 sit0
>
> What are these warnings and what should I do?

Of course you should take any and all warnings seriously until proven otherwise, but I remember seeing that exact warning from a fairly recently built box with a fairly new kernel on it. After some Google searching I found out that most modern kernels will throw a few false warnings like that LKM Trojan one because of some setting I don't quite remember right now.

The PROMISC seems straightforward - something has one of your network interfaces in promiscuous mode. You can double-check this with the ifconfig command... most likely it's IDS software or something similar.

If you're not sure why it's saying that, there could be something else going on. Double check the results with system commands, and if you have a reason to believe the box was really compromised, don't trust the system commands. :-)

Catch-22, but you get a feel for it after a while, especially if you know how chkrootkit behaves on your favorite kernel/distro after a fresh load of software.

--
Nate Duehr, nate@natetech.com
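The two cross-checks the reply recommends, done against the kernel's own interfaces rather than chkrootkit's output, as an added example that is not from this thread and is not chkrootkit's code. The /proc PID directories, /sys/class/net/<if>/flags and the IFF_PROMISC value 0x100 are standard Linux; the script name chkcross.sh and the function names are this example's own. The first half reproduces what the `lkm' test does (PIDs that exist in /proc but that ps does not list), the second half reads the same interface flag that ifconfig prints as PROMISC:

```sh
#!/bin/sh
# Added example (not chkrootkit's code): reproduce its two checks with the
# kernel's own interfaces so the warnings can be cross-checked by hand.
# Paths under /proc and /sys and the IFF_PROMISC value are standard Linux;
# the function names are this example's own.

# ---- "process hidden for ps command" -------------------------------------
# chkrootkit's lkm test compares the PID directories in /proc with the PIDs
# that ps reports; a PID in /proc that ps does not list is "hidden".

# list_proc_pids [DIR] -> purely numeric directory entries of DIR (default /proc)
list_proc_pids() {
    for d in "${1:-/proc}"/[0-9]*; do
        pid="${d##*/}"
        case "$pid" in *[!0-9]*) continue ;; esac   # skip e.g. "1abc"
        [ -d "$d" ] && printf '%s\n' "$pid"
    done
    return 0
}

# list_ps_pids -> PIDs as ps reports them, one per line
list_ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# hidden_pids PROCFILE PSFILE -> PIDs in PROCFILE that are absent from PSFILE
hidden_pids() {
    # FILENAME == ARGV[1] rather than NR == FNR, so an empty PSFILE still works
    awk '!NF { next }
         FILENAME == ARGV[1] { seen[$1] = 1; next }
         !($1 in seen)' "$2" "$1" | sort -n
}

# check_hidden_processes -> prints hidden PIDs; exit status 1 if any, else 0
check_hidden_processes() {
    procfile=$(mktemp) || return 2
    psfile=$(mktemp) || { rm -f "$procfile"; return 2; }
    list_proc_pids /proc > "$procfile"
    list_ps_pids > "$psfile"
    found=0
    for pid in $(hidden_pids "$procfile" "$psfile"); do
        # A process that exited between the two snapshots is a race, not a
        # rootkit: only report PIDs that still exist in /proc right now.
        if [ -d "/proc/$pid" ]; then
            printf 'PID %s is in /proc but missing from ps output\n' "$pid"
            found=1
        fi
    done
    rm -f "$procfile" "$psfile"
    return $found
}

# ---- "PROMISC mode detected" ---------------------------------------------
# Promiscuous mode is the IFF_PROMISC bit (0x100, <linux/if.h>) in the
# interface flags; ifconfig and ip link print it as PROMISC, and on 2.6+
# kernels /sys/class/net/<if>/flags shows the raw flag word in hex.
IFF_PROMISC=256

# flags_promisc HEXFLAGS -> status 0 if the promiscuous bit is set
flags_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# promisc_interfaces -> names of interfaces currently in promiscuous mode
promisc_interfaces() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        if flags_promisc "$(cat "$f")"; then
            dir="${f%/flags}"
            printf '%s\n' "${dir##*/}"
        fi
    done
    return 0
}

# Run both checks when invoked as:  sh chkcross.sh run
if [ "${1-}" = "run" ]; then
    check_hidden_processes || echo "a chkrootkit-style LKM warning would fire"
    p=$(promisc_interfaces)
    if [ -n "$p" ]; then echo "PROMISC: $p"; else echo "no promiscuous interfaces"; fi
fi
```

If the second check fires, the kernel log usually corroborates it: the kernel prints "device eth0 entered promiscuous mode" whenever an interface is put into that mode, so `dmesg | grep promiscuous` shows when it happened and makes it easier to match against an IDS or tcpdump start. Both checks share the Catch-22 from the reply: on a box with a kernel rootkit, /proc, /sys, ps and awk can all be lying, so a clean result from an on-box script is evidence, not proof. The checks that do not depend on the suspect kernel are a network tap or span port for the sniffer question and an offline boot from known-good media for the hidden-process question.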