On Wed, 21 Aug 2013 21:24:16 +0200 "Sam Ashley" <samash...@mailnew.com> wrote:

>rkhunter now (after I installed unhide-tcp) reports: (..)
>[21:08:56] Process: /sbin/dhclient PID: 3044 File: /sbin/dhclient
>[21:09:29] Info: Starting test name 'packet_cap_apps'
>[21:09:29] Checking for packet capturing applications [ Warning ]
>[21:09:29] Warning: Process '/sbin/dhclient' (PID 3044) is listening on the network.

That is default behaviour, it's just the port may change. Check which package the binary belongs to, verify its integrity and white list the process if you want to but also ensure it's subject to another test like checking hashes.

>while chkrootkit is still reporting:
>Checking `bindshell'... INFECTED (PORTS: 4000)
>...
>eth1: PACKET SNIFFER(/sbin/dhclient[3044])

We don't support it (it's not our handiwork plus Chkrootkit 0.49 was released in 2009 and never modified afterwards) but here's a way to make it use white listing (preferably only after verifying integrity): https://www.linuxquestions.org/questions/blog/unspawn-2450/chkrootkit-0-49-modifications-and-notes-2531/. YMMV(VM).

unSpawn
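The check-then-whitelist sequence from the reply above, sketched as an added example (not part of the original message and not rkhunter's own code). It assumes a dpkg- or rpm-based system; the function names and return codes are hypothetical, and `ALLOWPROCLISTEN` is the rkhunter configuration option consulted by the `packet_cap_apps` test.

```shell
#!/bin/sh
# Added example. Function names and return codes are this script's own.
# verify_owned_binary PATH: print the owning package if PATH matches the
# package manager's recorded checksums.
# Returns 0 verified, 1 unowned or modified, 2 missing, 3 no dpkg/rpm.
verify_owned_binary() {
    bin=$1
    [ -f "$bin" ] || { echo "missing: $bin" >&2; return 2; }
    real=$(readlink -f "$bin" 2>/dev/null || echo "$bin")
    if command -v dpkg >/dev/null 2>&1; then
        pkg=''
        # Try the path as given, then the resolved one (merged-/usr systems).
        for p in "$bin" "$real"; do
            pkg=$(dpkg -S "$p" 2>/dev/null | grep -v '^diversion' |
                  head -n 1 | sed 's|: /.*$||')
            if [ -n "$pkg" ]; then break; fi
        done
        [ -n "$pkg" ] || { echo "unowned: $bin" >&2; return 1; }
        # dpkg --verify lists only files that differ from the package.
        bad=$(dpkg --verify "$pkg" 2>/dev/null | grep -F -- " $p" || true)
    elif command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$real" 2>/dev/null) ||
            { echo "unowned: $bin" >&2; return 1; }
        # rpm -V likewise prints a line per file that fails verification.
        bad=$(rpm -V "$pkg" 2>/dev/null | grep -F -- " $real" || true)
    else
        echo "no dpkg or rpm found" >&2; return 3
    fi
    [ -z "$bad" ] || { echo "MODIFIED: $bad" >&2; return 1; }
    echo "$pkg"
}

# Print the rkhunter whitelist entry only when verification succeeded.
whitelist_line() {
    verify_owned_binary "$1" >/dev/null && echo "ALLOWPROCLISTEN=$1"
}

# Usage: sh this-script /sbin/dhclient
if [ $# -gt 0 ]; then whitelist_line "$1"; fi
```

A binary that no package owns, or whose checksum differs from the package's record, produces no whitelist line and should be investigated rather than allowed.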