On Fri, Oct 07, 2005 at 09:30:15PM +0100, Grant Sewell wrote:
> On Thu, 6 Oct 2005 21:10:08 +0100
> Henry Bremridge wrote:
>
> > I installed chkrootkit (debian sarge) and the first night I received the
> > following email:
> >
> > ----- Forwarded message from Cron Daemon <root@newdebian> -----
> >
> > Subject: Cron <root@newdebian> test -x /usr/sbin/anacron || run-parts --report
> > /etc/cron.daily
> > Date: Tue, 04 Oct 2005 06:25:30 +0100
> >
> > /etc/cron.daily/chkrootkit:
> > eth0: PACKET SNIFFER(/sbin/dhclient[2834])
> >
> > ----- End forwarded message -----
> >
> >
> > I have just checked this out on google and the only message I got was
> > versions of the following: "dhclient does set some socket options which
> > chkrootkit might detect as sniffing. Basically, dhclient needs to accept
> > any traffic, because it runs before the interface has an IP. That's my
> > guess, at least, sorry for the non-confidence inspiring lack of
> > technical details."
> >
> > Can anyone comment?
> >
> > Many thanks
>
> Don't know much about root-kits or chkrootkit either for that matter, but the
> above sounds semi plausible. A dhcp client does need to accept traffic from
> anywhere due to the broadcast nature of the dhcp offer/acknowledge/accept process,
> but IIRC all dhcp communications occur on specific port numbers for both the
> sending and receiving on both server and client (unlike ordinary traffic which
> only uses specific port numbers for the server side), so I am not certain as to
> the above statement's technical validity.
>
> Or I could be wrong.
>
> Grant.

Still not sure about the dhclient but have checked the system with
http://www.inside-security.de/insert_en.html and all was negative
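Added example, not part of the original thread and not chkrootkit's own code: one way to triage a "PACKET SNIFFER" report like the one above is to list the packet sockets the Linux kernel exposes in /proc/net/packet, map each socket inode to the process holding it, and compare the owner against a local allowlist. The sample table, the inode map and the allowlist are constructed for illustration.

```python
import os
import re

# Constructed sample in the column layout of Linux /proc/net/packet.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
c7a1e000 3      10   0003   2     1 0      0      4711
c7a1e400 3      3    0800   2     1 0      0      4822
"""
# Constructed inode -> (pid, exe) map standing in for a walk of /proc/<pid>/fd.
SAMPLE_OWNERS = {4711: (2834, "/sbin/dhclient"), 4822: (3001, "/usr/sbin/tcpdump")}
# Assumption: binaries this host is expected to run with a packet socket open.
EXPECTED = {"/sbin/dhclient"}

def parse_packet_sockets(text):
    """Return one dict per packet socket listed after the header row."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue  # skip blank or truncated rows
        rows.append({"type": int(f[2]), "proto": int(f[3], 16),
                     "ifindex": int(f[4]), "inode": int(f[8])})
    return rows

def socket_owners(proc="/proc"):
    """Map socket inode -> (pid, exe); needs root to see other users' fds."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                target = os.readlink(f"{proc}/{pid}/fd/{fd}")
                m = re.fullmatch(r"socket:\[(\d+)\]", target)
                if m:
                    owners[int(m.group(1))] = (int(pid), exe)
        except OSError:
            continue  # process exited, kernel thread, or permission denied
    return owners

def triage(text, owners, expected=EXPECTED):
    """Label each packet socket's owner as 'expected' or 'investigate'."""
    findings = []
    for s in parse_packet_sockets(text):
        pid, exe = owners.get(s["inode"], (None, "unknown"))
        verdict = "expected" if exe in expected else "investigate"
        findings.append((s["ifindex"], exe, pid, verdict))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROC_NET_PACKET, SAMPLE_OWNERS):
        print(finding)
```

On a live host, pass the contents of /proc/net/packet and the result of socket_owners() to triage() instead of the constructed samples.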