Hi Mez,

> Come to think of it I did install a program recently called IPFM to monitor
> all IN and OUT traffic on each IP I have on my machine.

Well, there you are. Monitoring of traffic can be done by parsing logfiles (what Webalizer does for webtraffic), through SNMP or by sniffing the traffic while it takes place. I'm not sure what mechanisms IPFM uses, but it could be that it's triggering the positive promiscuous test.

> It's currently not running, but I have had it running, so could this have
> affected sometime to make chkrootkit show the eth0 etc as promisc?

Yes. Sometimes the network cards remain in promiscuous mode even after the application that switched 'em to that mode has ended.

Example: running "tcpdump -i eth0 -n" for instance will start a console based network sniffer. Interrupt it by pressing CTRL+C, wait a moment and then start chkrootkit. It will report that the network card is still in promiscuous mode, even though tcpdump has already been stopped.

-- 
With best regards,
Michael Stauber [EMAIL PROTECTED]
Unix/Linux Support Engineer

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
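An added example, not part of the original message: one way to follow up on a promiscuous-mode report is to check each interface's IFF_PROMISC flag and see whether a packet socket (the kind of socket tcpdump opens on Linux) is still open on it. It assumes a Linux host exposing /sys/class/net and /proc/net/packet; the function names and state labels are hypothetical.

```python
#!/usr/bin/env python3
"""List interfaces with IFF_PROMISC set and whether a packet socket is open on them."""
import os

IFF_PROMISC = 0x100  # flag bit from <linux/if.h>


def packet_socket_ifindexes(proc_net_packet):
    """Return the ifindex values that have an open packet socket.
    Index 0 means a socket that is not bound to one specific interface."""
    indexes = set()
    try:
        with open(proc_net_packet) as fh:
            col = fh.readline().split().index("Iface")
            for line in fh:
                fields = line.split()
                if len(fields) > col:
                    indexes.add(int(fields[col]))
    except (OSError, ValueError):
        pass  # file missing or unreadable: report no packet sockets
    return indexes


def promisc_report(sysfs_net="/sys/class/net", proc_net_packet="/proc/net/packet"):
    """Map interface name -> 'off', 'promisc+socket' or 'promisc-no-socket'."""
    sockets = packet_socket_ifindexes(proc_net_packet)
    report = {}
    for name in sorted(os.listdir(sysfs_net)):
        base = os.path.join(sysfs_net, name)
        try:
            with open(os.path.join(base, "flags")) as fh:
                flags = int(fh.read().strip(), 16)  # e.g. "0x1103"
            with open(os.path.join(base, "ifindex")) as fh:
                ifindex = int(fh.read().strip())
        except (OSError, ValueError):
            continue  # entry is not an interface directory
        if not flags & IFF_PROMISC:
            report[name] = "off"
        elif ifindex in sockets or 0 in sockets:
            report[name] = "promisc+socket"     # a capture socket is still open
        else:
            report[name] = "promisc-no-socket"  # flag set, no capture socket found
    return report


if __name__ == "__main__":
    for iface, state in promisc_report().items():
        print(f"{iface:12} {state}")
```

An interface reported as promisc-no-socket matches the situation described in the reply, where the flag is set but no sniffer is running any more; promisc+socket means a capture is still open and is worth tracing to its owning process.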
