On Tuesday 14 February 2006 02:46, Stephen wrote:
>Hey folks:
>
>Is this a valid response or false positive ?
>
>/etc/cron.daily/chkrootkit:
>eth0: PACKET SNIFFER(/sbin/dhclient[1102])
>
I believe that's a valid response unless you were running tcpdump at the time it scanned your system. I'd certainly worry about it, and wouldn't rest till I found that puppy.

A normal situation looks like this in the chkrootkit output:

Checking `sniffer'...
eth0: not promisc and no PF_PACKET sockets
eth1: not promisc and no PF_PACKET sockets

You may not have the 2nd ethernet card. I'm paranoid and run iptables to connect the two: one faces the router and through it the internet via a dsl connection, the other faces a switch that the rest of my home network uses for a hub. I've had 3 knocks on the door make it to the logs in 3 years, and that's as far as they got since that box also runs tcpwrappers and portsentry, which can be pretty vicious guard dogs if provoked. Some cracker has got to get thru 2 NATs & a MASQUERADE to make it that far.

>Thanks, I'm not subscribed so would appreciate a direct response.
>
>--
>Regards
>Stephen
>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>+++++++++++ Wagner's music is better than it sounds.
> -- Mark Twain
>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>+++++++++++

--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word 'online' between the 'verizon', and the dot which bypasses vz's stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
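
Added example, not part of the thread and not chkrootkit's own code: this Python cross-checks a `PACKET SNIFFER` report line against the kernel's packet-socket table in `/proc/net/packet`, showing whether the named PID really holds a PF_PACKET socket and which binary `/proc` says it is running. The function names and the `proc_root` parameter are assumptions made for the example; the sample line is the one quoted in the post.

```python
import os
import re

# Constructed sample input: the report line quoted in the post above.
SAMPLE_REPORT = "eth0: PACKET SNIFFER(/sbin/dhclient[1102])"

def parse_chkrootkit(line):
    """Return (iface, [(path, pid), ...]) for a PACKET SNIFFER line, else None."""
    m = re.match(r"(\S+): PACKET SNIFFER\((.*)\)", line.strip())
    if not m:
        return None
    holders = re.findall(r"([^,\s]+)\[(\d+)\]", m.group(2))
    return m.group(1), [(path, int(pid)) for path, pid in holders]

def packet_socket_inodes(proc_root="/proc"):
    """Inodes of every PF_PACKET socket listed in <proc_root>/net/packet."""
    with open(os.path.join(proc_root, "net", "packet")) as fh:
        rows = [r.split() for r in fh.readlines()[1:]]  # first line is the header
    return {int(f[8]) for f in rows if len(f) >= 9}  # 9th column is the inode

def _link(path):
    try:
        return os.readlink(path)
    except OSError:  # process gone, or no permission (run as root)
        return None

def pid_packet_inodes(pid, inodes, proc_root="/proc"):
    """Packet-socket inodes the PID has open, found via its fd symlinks."""
    fd_dir = os.path.join(proc_root, str(pid), "fd")
    try:
        fds = os.listdir(fd_dir)
    except OSError:
        return []
    targets = [_link(os.path.join(fd_dir, fd)) or "" for fd in fds]
    found = [re.fullmatch(r"socket:\[(\d+)\]", t) for t in targets]
    return sorted(int(m.group(1)) for m in found if m and int(m.group(1)) in inodes)

def cross_check(line, proc_root="/proc"):
    """For each process the report names: the binary /proc says it runs, and
    the packet sockets it actually holds (empty list = report not confirmed)."""
    parsed = parse_chkrootkit(line)
    if parsed is None:
        return []
    inodes = packet_socket_inodes(proc_root)
    return [{"reported": path, "pid": pid,
             "exe": _link(os.path.join(proc_root, str(pid), "exe")),
             "packet_inodes": pid_packet_inodes(pid, inodes, proc_root)}
            for path, pid in parsed[1]]
```

On the affected host, call `cross_check()` as root with the line from the cron mail; an `exe` that differs from the reported path, or one that points at a deleted file, is the detail to follow up.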