Re: chkrootkit sniffers

2006-08-14 Thread Henri Salo
Lothar Ketterer wrote: Hi, It remains strange because normally, lo is a non-broadcast interface. Maybe it would help to know how Henri has his network configured. Mine is configured with ifupdown, /etc/network/interfaces looks like this: auto lo eth0 iface lo inet loopback iface

Re: chkrootkit sniffers

2006-08-14 Thread Lothar Ketterer
On Mon, Aug 14, 2006 at 11:09:54AM +0300, Henri Salo wrote: Lothar Ketterer wrote: and chkrootkit (version 0.46a) gives me eth0: PF_PACKET(/sbin/dhclient, /usr/sbin/arpwatch) lo is not mentioned. I just checked with chkrootkit version 44-2 (sarge package): Checking `sniffer'... lo: not

Re: chkrootkit sniffers

2006-08-13 Thread Nicolas Haller
On Fri, Aug 11, 2006 at 11:40:24AM +0200, Izak Burger wrote: On 8/11/06, Christian Schuerer [EMAIL PROTECTED] wrote: Isn't it strange that there is a DHCP client running on lo? I don't get the point of doing that. The pid is the same for all three (29184), so it is obviously a process

Re: chkrootkit sniffers

2006-08-13 Thread Christian Schuerer
On Sunday 13 August 2006 23:38, Nicolas Haller wrote: It remains strange because normally, lo is a non-broadcast interface. With version 0.46 I get this result: Checking `sniffer'... lo: not promisc and no packet sniffer sockets lan: PACKET SNIFFER(/sbin/dhclient3[6515]) Maybe it's just

Re: chkrootkit sniffers

2006-08-13 Thread Lothar Ketterer
Hi, It remains strange because normally, lo is a non-broadcast interface. Maybe it would help to know how Henri has his network configured. Mine is configured with ifupdown, /etc/network/interfaces looks like this: auto lo eth0 iface lo inet loopback iface eth0 inet dhcp and chkrootkit

Re: chkrootkit sniffers

2006-08-11 Thread Christian Schuerer
On Thursday 10 August 2006 23:23, Sven Hartge wrote: At 22:48 on 10.08.06, Henri Salo wrote: I am running Debian stable (kernel 2.6.8-2) chkrootkit version 0.44 with command chkrootkit and it gives me: Checking `sniffer'... lo: PACKET SNIFFER(/sbin/dhclient[29148]) eth0: PACKET

Re: chkrootkit sniffers

2006-08-11 Thread Izak Burger
On 8/11/06, Christian Schuerer [EMAIL PROTECTED] wrote: Isn't it strange that there is a DHCP client running on lo? I don't get the point of doing that. The pid is the same for all three (29184), so it is obviously a process that binds to 0.0.0.0, and as a result, ends up listening on lo as

chkrootkit sniffers

2006-08-10 Thread Henri Salo
I am running Debian stable (kernel 2.6.8-2) chkrootkit version 0.44 with command chkrootkit and it gives me: Checking `sniffer'... lo: PACKET SNIFFER(/sbin/dhclient[29148]) eth0: PACKET SNIFFER(/sbin/dhclient[29148], /sbin/dhclient[29307]) eth1: PACKET SNIFFER(/sbin/dhclient[29148]) is that

Re: chkrootkit sniffers

2006-08-10 Thread Sven Hartge
At 22:48 on 10.08.06, Henri Salo wrote: I am running Debian stable (kernel 2.6.8-2) chkrootkit version 0.44 with command chkrootkit and it gives me: Checking `sniffer'... lo: PACKET SNIFFER(/sbin/dhclient[29148]) eth0: PACKET SNIFFER(/sbin/dhclient[29148], /sbin/dhclient[29307]) eth1: