Re: [cobalt-security] chkrootkit output, what does it mean?
- Subject: Re: [cobalt-security] chkrootkit output, what does it mean?
- From: "Mez" <mez@xxxxxxx>
- Date: Fri, 15 Mar 2002 12:29:52 -0000
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Come to think of it, I did install a program recently called IPFM to monitor
all IN and OUT traffic on each IP I have on my machine.
It's currently not running, but I have had it running, so could this have
affected something to make chkrootkit show the eth0 etc. as promisc?
Other than that I have snmpd and portsentry running on the server - but they
have always been running and never had this output before.
thanks
-John
----- Original Message -----
From: "Michael Stauber" <cobalt@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Friday, March 15, 2002 11:21 AM
Subject: Re: [cobalt-security] chkrootkit output, what does it mean?
> Hi Mez,
>
> > My chkrootkit log this morning is showing:
> >
> > Checking `sniffer'...
> > eth0 is PROMISC
> > eth0:0 is PROMISC
> > eth0:2 is PROMISC
> > eth0:3 is PROMISC
> > eth0:4 is PROMISC
> > eth0:5 is PROMISC
> > eth0:1 is PROMISC
> >
> > Is this anything to worry about? Or can anyone tell me what it means?
>
> That normally indicates that a network sniffer is active on your machine and
> is monitoring the network traffic. Unless you manually launched "tcpdump" or
> a similar shell command to diagnose your network traffic this is indeed
> something to worry about. Did chkrootkit warn you about any modified binaries?
>
> --
>
> With best regards,
>
> Michael Stauber
> mstauber@xxxxxxxxxxxxxx
> Unix/Linux Support Engineer
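An added example, not part of either message and not chkrootkit's own code: one way to follow up on an "eth0 is PROMISC" line is to confirm the flag on the interface and then list which processes hold the raw packet sockets that capture tools use. It assumes a Linux system that exposes /sys/class/net and /proc/net/packet; the function names are hypothetical, and alias entries such as eth0:0 do not appear under /sys/class/net because they share the flags of eth0.

```python
"""Triage a chkrootkit "ethX is PROMISC" finding on Linux (added example)."""
import os

IFF_PROMISC = 0x100  # bit value from <linux/if.h>

def promisc_interfaces(sys_net="/sys/class/net"):
    """Interfaces whose kernel flags word has IFF_PROMISC set."""
    found = []
    for name in sorted(os.listdir(sys_net)):
        try:
            with open(os.path.join(sys_net, name, "flags")) as fh:
                flags = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue  # not an interface entry, or it vanished mid-scan
        if flags & IFF_PROMISC:
            found.append(name)
    return found

def packet_socket_inodes(proc="/proc"):
    """Inodes of open AF_PACKET sockets (last column of /proc/net/packet)."""
    try:
        with open(os.path.join(proc, "net", "packet")) as fh:
            rows = [line.split() for line in fh][1:]  # drop the header row
    except OSError:
        return set()
    return {row[-1] for row in rows if row}

def packet_socket_owners(proc="/proc"):
    """Map pid -> command name for processes holding an AF_PACKET socket."""
    wanted = {"socket:[%s]" % ino for ino in packet_socket_inodes(proc)}
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = {os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)}
            if links & wanted:
                with open(os.path.join(proc, pid, "comm")) as fh:
                    owners[int(pid)] = fh.read().strip()
        except OSError:
            continue  # process exited, or not running as root
    return owners

if __name__ == "__main__":
    print("promiscuous interfaces:", promisc_interfaces() or "none")
    for pid, comm in sorted(packet_socket_owners().items()):
        print("AF_PACKET socket held by pid %d (%s)" % (pid, comm))
```

Run it as root so every process's fd directory is readable. A promiscuous interface with no visible packet-socket owner deserves a closer look, since a rootkit can hide processes from /proc.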