This is a discussion on Chkrootkit message within the Linux Security forums, part of the System Security and Security Related category.

I have just run chkrootkit, and the following was the only result other than
a plain "yes/no" (all were "no".) What is it saying? I have an ADSL
connection via eth0, but no other computers.

Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)

TIA,

Doug.
--
ICQ Number 178748389. Registered Linux User No. 277548.
Life is a great big canvas, and you should throw all the paint on it you can.
- Danny Kaye.

On Thu, 03 Mar 2005 15:48:42 +1100, Doug Laidlaw wrote:
> I have just run chkrootkit, and the following was the only result other than
> a plain "yes/no" (all were "no".) What is it saying? I have an ADSL
> connection via eth0, but no other computers.
>
> Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)

Indicates your DHCP client (dhclient) has eth0 open in the PF_PACKET mode.

Funny that I do not have that in my Mandrakelinux 10.1 log because I
am using the same client.

The PF_PACKET protocol indicates any packet sent through the socket
will be directly passed to the Ethernet interface, and any packet
received through the interface will be directly passed to the
application.

Bit Twister wrote:
> On Thu, 03 Mar 2005 15:48:42 +1100, Doug Laidlaw wrote:
>> I have just run chkrootkit, and the following was the only result other
>> than a plain "yes/no" (all were "no".) What is it saying? I have an ADSL
>> connection via eth0, but no other computers.
>>
>> Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
>
> Indicates your DHCP client (dhclient) has eth0 open in the PF_PACKET
> mode.
>
> Funny that I do not have that in my Mandrakelinux 10.1 log because I
> am using the same client.
>
> The PF_PACKET protocol indicates any packet sent through the socket
> will be directly passed to the Ethernet interface, and any packet
> received through the interface will be directly passed to the
> application.

Thanks BT. It sounds bad, as if it is "as broad as a barn door" to any
hacker, but security is probably dependent on the firewall. I don't have a
networked computer, if this makes any difference.
What logfile should it appear in?

Doug.
--
ICQ Number 178748389. Registered Linux User No. 277548.
Happiness is nothing more than good health and a bad memory.
- Albert Schweitzer.

On Thu, 03 Mar 2005 19:26:46 +1100, Doug Laidlaw wrote:
>
> Thanks BT. It sounds bad, as if it is "as broad as a barn door" to any
> hacker, but security is probably dependent on the firewall.

No, firewall is just first line of defense.

> I don't have a networked computer,

That is a little hard to believe, for dhclient to get a dhcp lease from a
dhcp server, it would have to be _networked_.

> if this makes any difference.
> What logfile should it appear in?

Please read http://www.catb.org/~esr/faqs/smart-questions.html

Over 190+ linuxes and it might depend on how you installed chkrootkit
or where you have set log names.

You really need to click up a terminal
su -l root
cd /var/log
and start looking around for starters. :)

Of course there is the grep command. 8-)
Not to mention
locate chkrootkit

Just for the record, I'm running MDK 10.0 and chkrootkit shows the same
message

eth0: PF_PACKET(/sbin/dhclient)

What practical consequences can arise from this?

Luis