Re: chkrootkit response

2006-02-14 Thread Stephen
On Tue, Feb 14, 2006 at 11:27:27PM +1100 or thereabouts, Paul Dwerryhouse wrote:
> On Tue, Feb 14, 2006 at 02:46:48AM -0500, Stephen wrote:
> > Is this a valid response or false positive?
> > 
> > /etc/cron.daily/chkrootkit:
> > eth0: PACKET SNIFFER(/sbin/dhclient[1102])
> 
> False positive; it's because that program has your ethernet interface in
> promiscuous mode. For dhclient, this is completely normal, it needs to
> do this to function correctly.

Thanks Paul.

-- 
Regards
Stephen
Familiarity breeds contempt -- and children.
-- Mark Twain


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: chkrootkit response (OT)

2006-02-14 Thread Gene Heskett
On Tuesday 14 February 2006 14:58, Brad Sawatzky wrote:
>On Tue, 14 Feb 2006, Gene Heskett wrote:
>> On Tuesday 14 February 2006 07:27, Paul Dwerryhouse wrote:
>> >On Tue, Feb 14, 2006 at 02:46:48AM -0500, Stephen wrote:
>> >> Is this a valid response or false positive?
>> >>
>> >> /etc/cron.daily/chkrootkit:
>> >> eth0: PACKET SNIFFER(/sbin/dhclient[1102])
>> >
>> >False positive; it's because that program has your ethernet
>> > interface in promiscuous mode. For dhclient, this is completely
>> > normal, it needs to do this to function correctly.
>>
>> The machine I got that sample response from in the last post,
>> doesn't have a utility named dhclient on it, so I cannot confirm
>> that this is correct.  It probably is though.
>>
>> Friggin vz blocks port 80 so we can't run our own web pages.  And
>> they are the only game in town...:(
>
>FYI, try DynDNS's WebHop
>  to get around
> ISP's brain-damaged port blocks.  It's free and it works great!
>
Thanks Brad, I wasn't aware of that.  I'll have to see what I can rig 
up.

>-- Brad

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.





Re: chkrootkit response (OT)

2006-02-14 Thread Brad Sawatzky
On Tue, 14 Feb 2006, Gene Heskett wrote:

> On Tuesday 14 February 2006 07:27, Paul Dwerryhouse wrote:
> >On Tue, Feb 14, 2006 at 02:46:48AM -0500, Stephen wrote:
> >> Is this a valid response or false positive?
> >>
> >> /etc/cron.daily/chkrootkit:
> >> eth0: PACKET SNIFFER(/sbin/dhclient[1102])
> >
> >False positive; it's because that program has your ethernet interface
> > in promiscuous mode. For dhclient, this is completely normal, it
> > needs to do this to function correctly.
> 
> The machine I got that sample response from in the last post, doesn't 
> have a utility named dhclient on it, so I cannot confirm that this is 
> correct.  It probably is though.
> 
> Friggin vz blocks port 80 so we can't run our own web pages.  And they 
> are the only game in town...:(

FYI, try DynDNS's WebHop  
to get around ISP's brain-damaged port blocks.  It's free and it works
great!

-- Brad





Re: chkrootkit response

2006-02-14 Thread Gene Heskett
On Tuesday 14 February 2006 07:27, Paul Dwerryhouse wrote:
>On Tue, Feb 14, 2006 at 02:46:48AM -0500, Stephen wrote:
>> Is this a valid response or false positive?
>>
>> /etc/cron.daily/chkrootkit:
>> eth0: PACKET SNIFFER(/sbin/dhclient[1102])
>
>False positive; it's because that program has your ethernet interface
> in promiscuous mode. For dhclient, this is completely normal, it
> needs to do this to function correctly.

The machine I got that sample response from in the last post doesn't 
have a utility named dhclient on it, so I cannot confirm that this is 
correct.  It probably is though.

Friggin vz blocks port 80 so we can't run our own web pages.  And they 
are the only game in town...:(

>Cheers,
>
>Paul
>
>--
>Paul Dwerryhouse| PGP Key ID: 0x6B91B584
>Installing Debian Sarge with software RAID:
>http://nepotismia.com/debian/raidinstall/

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.





Re: chkrootkit response

2006-02-14 Thread Gene Heskett
On Tuesday 14 February 2006 02:46, Stephen wrote:
>Hey folks:
>
>Is this a valid response or false positive?
>
>/etc/cron.daily/chkrootkit:
>eth0: PACKET SNIFFER(/sbin/dhclient[1102])
>
I believe that's a valid response unless you were running tcpdump at the 
time it scanned your system.  I'd certainly worry about it, and 
wouldn't rest till I found that puppy.

A normal situation looks like this in the chkrootkit output:

Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
eth1: not promisc and no PF_PACKET sockets

You may not have the 2nd ethernet card; I'm paranoid and run iptables to 
connect the two, one faces the router and through it the internet via a 
dsl connection, the other faces a switch that the rest of my home 
network uses for a hub.  I've had 3 knocks on the door make it to the 
logs in 3 years, and that's as far as they got since that box also runs 
tcpwrappers and portsentry, which can be pretty vicious guard dogs if 
provoked.

Some cracker has got to get through 2 NATs & a MASQUERADE to make it that 
far.

>Thanks, I'm not subscribed so would appreciate a direct response.
>
>--
>Regards
>Stephen
>+++ Wagner's music is better than it sounds.
>  -- Mark Twain

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.





Re: chkrootkit response

2006-02-14 Thread Paul Dwerryhouse
On Tue, Feb 14, 2006 at 02:46:48AM -0500, Stephen wrote:
> Is this a valid response or false positive?
> 
> /etc/cron.daily/chkrootkit:
> eth0: PACKET SNIFFER(/sbin/dhclient[1102])

False positive; it's because that program has your ethernet interface in
promiscuous mode. For dhclient, this is completely normal, it needs to
do this to function correctly.

Cheers,

Paul

-- 
Paul Dwerryhouse| PGP Key ID: 0x6B91B584

Installing Debian Sarge with software RAID:
http://nepotismia.com/debian/raidinstall/
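Paul's answer and Gene's sample of normal output describe the two signals chkrootkit's `sniffer' test reports on: whether the interface is in promiscuous mode and whether any process holds a PF_PACKET socket. The script below is an added example (not chkrootkit's code and not from anyone in this thread) that reads the same two signals from /sys and /proc and names the process owning each socket, so a hit like the one Stephen posted can be classified as benign (dhclient) or as something to investigate; the KNOWN_BENIGN list, the sample /proc/net/packet text and the pid/inode values are assumptions constructed for the example.

```python
import glob
import os
import re

IFF_PROMISC = 0x100                       # interface flag bit from <linux/if.h>
KNOWN_BENIGN = {"dhclient", "dhclient3"}  # open PF_PACKET sockets by design (assumed list)
# Constructed sample: one raw PF_PACKET socket on ifindex 2, owned by dhclient pid 1102
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff88003a1c0000 3      3    0003   2     1 0      0      9876
"""
SAMPLE_OWNERS = {9876: (1102, "/sbin/dhclient")}

def parse_proc_net_packet(text):
    """Parse /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode)."""
    socks = []
    for line in text.splitlines()[1:]:    # first line is the column header
        f = line.split()
        if len(f) >= 9:
            socks.append({"ifindex": int(f[4]), "uid": int(f[7]), "inode": int(f[8])})
    return socks

def socket_owners():
    """Map socket inode -> (pid, exe path) by walking /proc/<pid>/fd (Linux, run as root)."""
    owners = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            m = re.match(r"socket:\[(\d+)\]", os.readlink(fd))
            if m:
                pid = int(fd.split("/")[2])
                owners[int(m.group(1))] = (pid, os.readlink(f"/proc/{pid}/exe"))
        except OSError:                   # process exited or permission denied
            continue
    return owners

def check_sniffer(iface, ifindex, flags_hex, socks, owners):
    """Return (verdict, chkrootkit-style line); verdict is clean, benign or suspect."""
    promisc = bool(int(flags_hex, 16) & IFF_PROMISC)
    bound = [s for s in socks if s["ifindex"] in (0, ifindex)]   # 0 = bound to all ifaces
    if not promisc and not bound:
        return "clean", f"{iface}: not promisc and no PF_PACKET sockets"
    if not bound:                         # promiscuous, but no socket to name
        return "suspect", f"{iface}: PROMISC"
    names, verdict = [], "benign"
    for s in bound:
        pid, exe = owners.get(s["inode"], (0, "unknown"))
        names.append(f"{exe}[{pid}]")
        if os.path.basename(exe) not in KNOWN_BENIGN:
            verdict = "suspect"           # anything else needs a human look
    return verdict, f"{iface}: PACKET SNIFFER({', '.join(names)})"
```

To run it against a live box, pass check_sniffer() the interface's index and flags from /sys/class/net/eth0/ifindex and /sys/class/net/eth0/flags, the parsed contents of /proc/net/packet, and socket_owners() (as root, so every process's fd table is readable).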





chkrootkit response

2006-02-14 Thread Stephen
Hey folks:

Is this a valid response or false positive?

/etc/cron.daily/chkrootkit:
eth0: PACKET SNIFFER(/sbin/dhclient[1102])


Thanks, I'm not subscribed so would appreciate a direct response.

-- 
Regards
Stephen
Wagner's music is better than it sounds.
-- Mark Twain

