Re: [cobalt-security] chkrootkit output, what does it mean?
- Subject: Re: [cobalt-security] chkrootkit output, what does it mean?
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Fri, 15 Mar 2002 14:05:11 +0100
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Mez,
> Come to think of it I did install a program recently called IPFM to monitor
> all IN and OUT traffic on each IP I have on my machine.
Well, there you are. Monitoring of traffic can be done by parsing logfiles
(what Webalizer does for webtraffic), through SNMP or by sniffing the traffic
while it takes place. I'm not sure what mechanisms IPFM uses, but it could be
that it's triggering the positive promiscuous test.
> It's currently not running, but I have had it running, so could this have
> affected something to make chkrootkit show eth0 etc. as promisc?
Yes. Sometimes the network cards remain in promiscuous mode even after the
application that switched 'em to that mode has ended.
Example: running "tcpdump -i eth0 -n" will start a console-based
network sniffer. Interrupt it by pressing CTRL+C, wait a moment and then
start chkrootkit. It will report that the network card is still in
promiscuous mode, even though tcpdump has already been stopped.
--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
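The check behind the "PROMISC" result, as an added example that is not part of the mailing-list thread: the script below reads the IFF_PROMISC bit (0x100 in <linux/if.h>) from /sys/class/net/<iface>/flags, which is the same interface flag that ifconfig and chkrootkit's ifpromisc test report, and reproduces the tcpdump start/stop sequence Michael describes so the flag can be re-checked after the sniffer has exited. It assumes a Linux host with sysfs (on a kernel too old for /sys, `ifconfig eth0 | grep PROMISC` shows the same bit); the `demo` mode additionally assumes root and an installed tcpdump. The function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the cobalt-security thread.
# Reports whether a Linux interface has IFF_PROMISC set, reading the flag
# word from sysfs (assumption: /sys/class/net exists on the host).

IFF_PROMISC=256   # 0x100, IFF_PROMISC from <linux/if.h>

# promisc_state FLAGS: FLAGS is the hex word found in /sys/class/net/<if>/flags,
# e.g. 0x1003 for an ordinary UP interface, 0x1103 once promisc is set.
# Prints "promisc" or "normal".
promisc_state() {
    if [ $(( $1 & IFF_PROMISC )) -ne 0 ]; then
        echo promisc
    else
        echo normal
    fi
}

# check_iface IFNAME: prints "IFNAME: promisc|normal".
# Returns 0 for normal, 1 for promiscuous, 2 if the interface does not exist.
check_iface() {
    f="/sys/class/net/$1/flags"
    if [ ! -r "$f" ]; then
        echo "$1: no such interface" >&2
        return 2
    fi
    state=$(promisc_state "$(cat "$f")")
    echo "$1: $state"
    [ "$state" = normal ]
}

# check_all: check every interface; returns 1 if any of them is promiscuous,
# which makes the script usable as a cron/monitoring probe.
check_all() {
    rc=0
    for d in /sys/class/net/*; do
        [ -r "$d/flags" ] || continue
        check_iface "${d##*/}" || rc=1
    done
    return $rc
}

# sniff_demo IFNAME: the sequence from the mail. Start tcpdump, stop it with
# SIGINT (what CTRL+C sends), wait a moment, then re-read the flag.
# Needs root and tcpdump; assumption: tcpdump is on PATH.
sniff_demo() {
    command -v tcpdump >/dev/null 2>&1 || { echo "tcpdump not installed" >&2; return 2; }
    echo "before: $(check_iface "$1")"
    tcpdump -i "$1" -n >/dev/null 2>&1 &
    pid=$!
    sleep 2
    kill -INT "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null
    sleep 1
    echo "after:  $(check_iface "$1")"
}

# Usage: sh promisc-check.sh            -> scan all interfaces
#        sh promisc-check.sh demo eth0  -> tcpdump start/stop, then re-check eth0
case "${1:-scan}" in
    demo) sniff_demo "${2:-eth0}" ;;
    scan) check_all ;;
esac
```

The script only tells you that the bit is set, not which process set it. If an interface still reports promisc after the sniffer (IPFM, tcpdump or anything else) has exited, clear it with `ip link set dev eth0 promisc off` (or `ifconfig eth0 -promisc` on older systems) and run the check again; if the flag comes back on its own, look for a process holding a packet socket (`ss --packet -p` on current systems) before assuming the chkrootkit result is a false positive.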