On Thu, 6 Oct 2005 21:10:08 +0100 Henry Bremridge wrote:

> I installed chkrootkit (debian sarge) and the first night I received the
> following email:
>
> ----- Forwarded message from Cron Daemon <root@newdebian> -----
>
> Subject: Cron <root@newdebian> test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily
> Date: Tue, 04 Oct 2005 06:25:30 +0100
>
> /etc/cron.daily/chkrootkit:
> eth0: PACKET SNIFFER(/sbin/dhclient[2834])
>
> ----- End forwarded message -----
>
>
> I have just checked this out on google and the only message I got was
> versions of the following: "dhclient does set some socket options which
> chkrootkit might detect as sniffing. Basically, dhclient needs to accept
> any traffic, because it runs before the interface has an IP. That's my
> guess, at least, sorry for the non-confidence inspiring lack of
> technical details."
>
> Can anyone comment?
>
> Many thanks

Don't know much about root-kits or chkrootkit either for that matter, but
the above sounds semi plausible.

A dhcp client does need to accept traffic from anywhere due to the
broadcast nature of the dhcp offer/acknowledge/accept process, but IIRC all
dhcp communications occur on specific port numbers for both the sending and
receiving on both server and client (unlike ordinary traffic which only
uses specific port numbers for the server side), so I am not certain as to
the above statement's technical validity.

Or I could be wrong.

Grant.

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.
FAQ: www.dcglug.org.uk/linux_adm/list-faq.html
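One way to cross-check a report like the one quoted above is to list which processes hold packet (AF_PACKET) sockets, using the kernel's /proc/net/packet table and the socket links under /proc/<pid>/fd. This is an added example, not part of the original thread and not chkrootkit's code; the function names are hypothetical and the sample table is constructed, with only the PID and path taken from the cron mail.

```python
import os
import re

# Constructed sample in /proc/net/packet layout (Proto 0003 = ETH_P_ALL); inodes are made up.
SAMPLE_PACKET_TABLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
c1a2b3c0 3      10   0003   2     1 0      0      4711
c1a2b7e0 3      3    0806   3     1 0      0      5120
"""
SAMPLE_OWNERS = {4711: [(2834, "/sbin/dhclient")]}  # PID and path from the cron mail
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")

def parse_packet_sockets(text):
    """Return one dict per AF_PACKET socket listed in /proc/net/packet."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) >= 9:                         # ignore short or blank lines
            rows.append({"type": int(f[2]), "proto": int(f[3], 16),
                         "ifindex": int(f[4]), "inode": int(f[8])})
    return rows

def socket_owners(proc_root="/proc"):
    """Map socket inode -> [(pid, exe)] by reading /proc/<pid>/fd links."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            fds = os.listdir(os.path.join(base, "fd"))
        except OSError:                         # not root, kernel thread, or exited
            continue
        for fd in fds:
            try:
                m = SOCKET_LINK.match(os.readlink(os.path.join(base, "fd", fd)))
            except OSError:                     # fd closed while scanning
                continue
            if m:
                owners.setdefault(int(m.group(1)), []).append((int(pid), exe))
    return owners

def packet_socket_holders(table_text, owners):
    """List (pid, exe, proto, ifindex) per packet socket; pid is None if no owner found."""
    return [(pid, exe, s["proto"], s["ifindex"])
            for s in parse_packet_sockets(table_text)
            for pid, exe in owners.get(s["inode"], [(None, None)])]

if __name__ == "__main__":
    print(packet_socket_holders(SAMPLE_PACKET_TABLE, SAMPLE_OWNERS))
```

On a live system, pass the contents of /proc/net/packet and the result of `socket_owners()` run as root; a packet socket with no visible owner deserves a closer look than one held by the DHCP client.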