
Re: chkrootkit response

On Tuesday 14 February 2006 02:46, Stephen wrote:
>Hey folks:
>Is this a valid response or a false positive?
>eth0: PACKET SNIFFER(/sbin/dhclient[1102])
I believe that's a valid response unless you were running tcpdump at the 
time it scanned your system.  I'd certainly worry about it, and 
wouldn't rest till I found that puppy.

A normal situation looks like this in the chkrootkit output:

Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
eth1: not promisc and no PF_PACKET sockets

You may not have the 2nd ethernet card.  I'm paranoid and run iptables to 
connect the two: one faces the router and through it the internet via a 
DSL connection, the other faces a switch that the rest of my home 
network uses for a hub.  I've had 3 knocks on the door make it to the 
logs in 3 years, and that's as far as they got since that box also runs 
tcpwrappers and portsentry, which can be pretty vicious guard dogs if 

Some cracker has got to get through 2 NATs & a MASQUERADE to make it that 

>Thanks, I'm not subscribed so would appreciate a direct response.
>+++++++++++ Wagner's music is better than it sounds.
>  -- Mark Twain

Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
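As an added illustration (not part of the thread and not chkrootkit's own code), the script below reproduces the reasoning behind the `Checking 'sniffer'` line discussed above on Linux: an interface is flagged when its flags carry IFF_PROMISC, or when /proc/net/packet lists a PF_PACKET socket bound to that interface (or to index 0, i.e. all interfaces), and the socket is attributed to a process by looking for `socket:[inode]` under /proc/<pid>/fd. The sample /proc/net/packet text, the interface table and the owner mapping are constructed for the example; tying a socket to an interface by its ifindex column is this example's simplification, not a statement of how chkrootkit does it. The practical follow-up on a hit is to confirm that the owning binary is the one you expect (for instance, a DHCP client legitimately holds a PF_PACKET socket while it has no address), e.g. by checking its path and package checksum, rather than treating the line alone as proof either way.

```python
"""Re-implementation of the idea behind chkrootkit's sniffer check (added
example, not chkrootkit code).  Two signals are combined per interface:
  1. IFF_PROMISC set in the interface flags (/sys/class/net/<if>/flags)
  2. PF_PACKET sockets in /proc/net/packet, attributed to a PID by scanning
     /proc/<pid>/fd for socket:[<inode>]
The parsers take text so the logic runs on constructed input without root."""
import os
from typing import Dict, List, Optional

IFF_PROMISC = 0x100  # bit value from <linux/if.h>


def parse_proc_net_packet(text: str) -> List[Dict[str, int]]:
    """Parse the tabular /proc/net/packet listing into one dict per socket."""
    lines = text.strip().splitlines()
    if not lines:
        return []
    header = lines[0].split()
    sockets = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # skip malformed rows rather than crashing
        row = dict(zip(header, fields))
        sockets.append({
            "proto": int(row["Proto"], 16),  # EtherType, 0x0003 = ETH_P_ALL
            "ifindex": int(row["Iface"]),     # 0 = bound to every interface
            "inode": int(row["Inode"]),
        })
    return sockets


def is_promisc(flags_hex: str) -> bool:
    """True when the sysfs flags string (e.g. '0x1103') carries IFF_PROMISC."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)


def find_socket_owner(inode: int, proc_root: str = "/proc") -> Optional[int]:
    """Return the PID holding socket:[inode], or None if no visible process does."""
    target = f"socket:[{inode}]"
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited, or not ours to read
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
            except OSError:
                continue
    return None


def sniffer_report(packet_text: str, interfaces: Dict[str, Dict[str, object]],
                   owners: Optional[Dict[int, str]] = None) -> Dict[str, str]:
    """Produce a chkrootkit-style verdict per interface.

    interfaces: {ifname: {"ifindex": int, "flags": "0x1003"}}
    owners:     {inode: "cmd[pid]"} attribution; on a live host build it with
                find_socket_owner() plus /proc/<pid>/cmdline.
    """
    owners = owners or {}
    sockets = parse_proc_net_packet(packet_text)
    report = {}
    for name, info in interfaces.items():
        promisc = is_promisc(str(info["flags"]))
        # ifindex 0 captures on all interfaces, so it counts against each one
        hits = [s for s in sockets if s["ifindex"] in (0, info["ifindex"])]
        if not promisc and not hits:
            report[name] = "not promisc and no PF_PACKET sockets"
            continue
        parts = ["PROMISC"] if promisc else []
        for s in hits:
            who = owners.get(s["inode"], f"inode {s['inode']}")
            parts.append(f"PACKET SNIFFER({who})")
        report[name] = " ".join(parts)
    return report


if __name__ == "__main__":
    # Constructed sample resembling the thread: one PF_PACKET socket on eth0.
    SAMPLE_PACKET = (
        "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
        "f4c2a000 3      3    0003   2     1 0      0      12345\n"
    )
    ifaces = {"eth0": {"ifindex": 2, "flags": "0x1003"},
              "eth1": {"ifindex": 3, "flags": "0x1003"}}
    for name, verdict in sniffer_report(
            SAMPLE_PACKET, ifaces, {12345: "/sbin/dhclient[1102]"}).items():
        print(f"{name}: {verdict}")
```

Run as root on a live host, `owners` can be filled by calling `find_socket_owner()` for each inode from `parse_proc_net_packet(open("/proc/net/packet").read())` and reading the matching /proc/<pid>/exe link; an unexpected path, or a socket whose owner cannot be found at all, is the case worth chasing.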
