
Re: chkrootkit response



On Tuesday 14 February 2006 02:46, Stephen wrote:
>Hey folks:
>
>Is this a valid response or false positive ?
>
>/etc/cron.daily/chkrootkit:
>eth0: PACKET SNIFFER(/sbin/dhclient[1102])
>
I believe that's a valid response unless you were running tcpdump at the 
time it scanned your system.  I'd certainly worry about it, and 
wouldn't rest till I found that puppy.

A normal situation looks like this in the chkrootkit output:

Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
eth1: not promisc and no PF_PACKET sockets

You may not have the 2nd ethernet card, I'm paranoid and run iptables to 
connect the two, one faces the router and through it the internet via a 
dsl connection, the other faces a switch that the rest of my home 
network uses for a hub.  I've had 3 knocks on the door make it to the 
logs in 3 years, and that's as far as they got since that box also runs 
tcpwrappers and portsentry, which can be pretty vicious guard dogs if 
provoked.

Some cracker has got to get through 2 NATs & a MASQUERADE to make it that 
far.

>Thanks, I'm not subscribed so would appreciate a direct response.
>
>--
>Regards
>Stephen
>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>+++++++++++ Wagner's music is better than it sounds.
>  -- Mark Twain
>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>+++++++++++

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
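To tell a PF_PACKET holder that is there by design (a DHCP client such as dhclient needs raw frames before the interface has an address) from one that needs investigating, the added example below (mine, not from this thread or from chkrootkit) parses the same /proc/net/packet table chkrootkit's sniffer check reads and maps each socket inode to its process; the sample table and owner map are constructed, and EXPECTED_HOLDERS is an assumed allowlist.

```python
"""Find processes holding PF_PACKET sockets (what chkrootkit's sniffer check
reports) and mark the ones a DHCP client holds as part of normal operation."""
import os
import re
from typing import Dict, List, Tuple

# Constructed sample of /proc/net/packet; the values are hypothetical.
SAMPLE_PACKET_TABLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff88003a1b2c00 3      3    0003   2     1 0      0      18442
ffff88003a1b3d00 3      2    0003   2     1 0      0      20917
ffff88003a1b4e00 3      3    0003   3     1 0      0      31055
"""
# Constructed inode -> (pid, command) map, standing in for a /proc walk.
SAMPLE_OWNERS = {18442: (1102, "/sbin/dhclient"), 20917: (4321, "/tmp/unknownbin")}
# Assumed allowlist: programs that hold a PF_PACKET socket in normal operation.
EXPECTED_HOLDERS = {"dhclient", "dhcpcd"}

def parse_packet_table(text: str) -> List[Tuple[int, int]]:
    """Return (socket inode, interface index) for each PF_PACKET socket."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) >= 9:                    # Iface is column 5, Inode column 9
            rows.append((int(fields[8]), int(fields[4])))
    return rows

def socket_owners() -> Dict[int, Tuple[int, str]]:
    """Map socket inodes to (pid, exe) by walking /proc/*/fd. Needs root to
    see every process; a process we cannot read is skipped."""
    owners: Dict[int, Tuple[int, str]] = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    owners[int(m.group(1))] = (int(pid), exe)
        except OSError:
            continue
    return owners

def classify(rows, owners) -> List[Tuple[int, str, int, bool]]:
    """Return (pid, command, ifindex, expected) per socket. pid 0 / 'unknown'
    means no readable process owns the inode, which itself deserves a look."""
    out = []
    for inode, ifindex in rows:
        pid, cmd = owners.get(inode, (0, "unknown"))
        out.append((pid, cmd, ifindex, os.path.basename(cmd) in EXPECTED_HOLDERS))
    return out

if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        live = parse_packet_table(f.read())
    for pid, cmd, ifindex, ok in classify(live, socket_owners()):
        print(f"ifindex {ifindex}: {cmd}[{pid}] {'expected' if ok else 'INVESTIGATE'}")
```

Run it as root on the box that produced the report; a holder that is neither a DHCP client nor a capture tool you started yourself is the case to chase.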