Chkrootkit alert ??


mtplodder
27th December 2004, 09:58 PM
Ran chkrootkit and got this response -

Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Checking `w55808'... not infected
I did a google, and it doesn't sound bad.

But I figure I might be missing something and I'm sure you all know more. I
Anything to worry about??

ps: I ran this many times before without it finding anything, so this is new this weekend

Thanks for the help

blammo
28th December 2004, 02:43 AM
I believe this is the DHCP client service on your computer looking for/checking the DHCP server on your network. It was right in the middle of it when you ran the scan. If you've assigned a static IP on your machine you can just disable the service and it will eliminate unnecessary traffic on your network. Nothing to worry about.

kosmosik
28th December 2004, 03:13 AM

As above - probably dhclient was recognized as some kind of attack... try to run the scan again and verify that dhclient is not modified (the master image is what you get on the CD / in the official signed packages). Probably it is a false positive alert. Systems like chkrootkit work on an assumption basis: they just match some criteria against some factual basis and try to assume the real state... it is not always accurate.

IMHO chkrootkit is not a good tool to rely on (it can alert you when something happens, but it is too easy to trick). When you want something like this use tripwire, it is an accurate system: when something is detected it is not an assumption but a fact.

Just keep in mind that you can have two sorts of such tools - something like snort or chkrootkit, which checks if something is similar (note that there is room for mistakes here), and something like tripwire which is 100% accurate; tripwire checks for file modification (probably unwanted - if you don't know that a file was modified you probably don't need this modification :)) - and reports it if it happens.

blammo
28th December 2004, 03:32 AM
...they just match some criteria to some factual basis and try to assume real state... it is not always accurate.

I love your analogy!

kosmosik
28th December 2004, 03:53 AM
:)
Sorry, it is probably due to my poor English. I meant that chkrootkit has a database of criteria that look like an attack, then it has facts (how the system looks at the time of checking) and upon these data (attack fingerprints, actual look of the system) it tries to assume whether the system was compromised or not... it sort of tries to give you an answer to the question "Am I safe or not?" - and that is the fault, there is no answer to this question. A program can answer a question/query like "Check my system files for modification. Has something been modified since I last checked?" - you have a simple yes/no answer here.

Probably the first thing in computer security is understanding how things work. If you don't have a clue how something works you can't state whether it is safe or not... no gizmo telling "you are secure" or "no you aren't" is accurate here.
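The yes/no check kosmosik describes above (a tripwire-style "has anything changed since I last looked?" rather than a guess about whether the box is compromised), as an added example that is not part of the thread and not tripwire's or chkrootkit's own code. The directory, the stand-in `sbin/dhclient` file and the tampering are all constructed inside a temporary directory; a real deployment would store the baseline off-host and take it from known-good packaged files.

```python
# Tripwire-style file-integrity check: a baseline of digests, then a yes/no
# answer to "has anything changed since the last check?" (added example)
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map every regular file under root (relative path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline

def compare(baseline, current):
    """Diff two snapshots; each entry is a fact about contents, not a heuristic."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: snapshot, tamper with a stand-in binary, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sbin"))
        target = os.path.join(root, "sbin", "dhclient")  # stand-in, not the real file
        with open(target, "wb") as f:
            f.write(b"packaged binary")
        before = build_baseline(root)
        with open(target, "ab") as f:
            f.write(b" tampered")           # simulate modification
        with open(os.path.join(root, "new.so"), "wb") as f:
            f.write(b"dropped file")        # simulate an added file
        return compare(before, build_baseline(root))

if __name__ == "__main__":
    print(demo())  # {'added': ['new.so'], 'removed': [], 'modified': ['sbin/dhclient']}
```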

blammo
28th December 2004, 05:14 AM
No, no... I understood perfectly what you meant from your first post! I just liked the way you said it. :cool: