Hi, and thanks a lot.

> That is default behaviour, it's just the port may change.  

That's good to read. From hours of searching I had come to the
conclusion that it was not a problem, but I had also often read that
rootkits may work by substituting modified binaries for standard ones.
So I wondered whether in this case it was doing what it was supposed to
do, or whether it might have been doing something unexpected---and that
was where I thought it best to ask somebody that would be expert enough
to know the difference (I wouldn't be expert enough to tell). So thanks.


> >while chkrootkit is still reporting:
> We don't support it (it's not our handiwork 

Of course. Sorry.

> plus Chkrootkit 0.49 
> was released in 2009 and never modified afterwards)

Indeed. Maybe I should just stop using it and rely strictly
on rkhunter. Anyway thanks.

Very best to all,
Sam



On Thu, Aug 22, 2013, at 8:47, unsp...@hushmail.com wrote:
> On Wed, 21 Aug 2013 21:24:16 +0200 "Sam Ashley" 
> <samash...@mailnew.com> wrote:
> >rkhunter now (after I installed unhide-tcp) reports:
> (..)
> >[21:08:56]          Process: /sbin/dhclient    PID: 3044    File: /sbin/dhclient
> >[21:09:29] Info: Starting test name 'packet_cap_apps'
> >[21:09:29]   Checking for packet capturing applications      [ Warning ]
> >[21:09:29] Warning: Process '/sbin/dhclient' (PID 3044) is listening on the network.
> 
> That is default behaviour, it's just the port may change. Check 
> which package the binary belongs to, verify its integrity and white 
> list the process if you want to but also ensure it's subject to 
> another test like checking hashes.
> 
> 
> >while chkrootkit is still reporting:
> >Checking `bindshell'...      INFECTED (PORTS:  4000)
> >...
> >eth1: PACKET SNIFFER(/sbin/dhclient[3044])
> 
> We don't support it (it's not our handiwork plus Chkrootkit 0.49 
> was released in 2009 and never modified afterwards) but here's a 
> way to make it use white listing (preferably only after verifying 
> integrity):
> https://www.linuxquestions.org/questions/blog/unspawn-2450/chkrootkit-0-49-modifications-and-notes-2531/
> YMMV(VM).
> 
> 
> unSpawn
> ---
> 

-- 
http://www.fastmail.fm - Faster than the air-speed velocity of an
                          unladen european swallow
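The triage unSpawn's reply describes (find the package that owns the binary, verify its integrity, only then whitelist the listener while leaving it covered by the hash tests) as a script. This is an added example, not code from the thread or from the rkhunter project. It assumes a Linux host with /proc, a dpkg- or rpm-based package database (used only if present), and rkhunter's ALLOWPROCLISTEN configuration option; the function names are the example's own. Checking that the running image behind the PID is byte-identical to the file on disk is the extra step the thread hints at: a binary swapped after start-up would pass a package check of the path and still fail here.

```shell
#!/bin/sh
# Added example (not rkhunter project code): triage an rkhunter
# "process is listening on the network" warning before whitelisting it.
# Assumes Linux /proc; dpkg or rpm are used when available.

sha256_of() {
    # SHA-256 of one file; falls back to shasum where coreutils is absent.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

same_file_hash() {
    # Exit 0 when both files hash identically.
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

pkg_owner() {
    # Print the package that shipped the path, or "unowned" when no
    # package manager claims it (which is itself a finding).
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" 2>/dev/null | cut -d: -f1 | head -n1 | grep . || echo unowned
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" >/dev/null 2>&1 && rpm -qf "$1" || echo unowned
    else
        echo unowned
    fi
}

pkg_verify() {
    # Compare the file with the package database checksums.
    # Both tools report only mismatches, so a hit on the path means altered.
    # Exit 0 = clean, 1 = differs, 2 = no way to verify on this host.
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --verify "$1" 2>/dev/null | grep -q "$2" && return 1
        return 0
    elif command -v rpm >/dev/null 2>&1; then
        rpm -V "$1" 2>/dev/null | grep -q "$2" && return 1
        return 0
    fi
    return 2
}

running_image_is() {
    # Is PID $1 really executing the on-disk file $2?  A binary replaced
    # or deleted after start-up shows up as a path or hash mismatch.
    pid=$1; path=$2
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || return 1
    case $exe in *" (deleted)") return 1 ;; esac
    [ "$exe" = "$(readlink -f "$path")" ] && same_file_hash "/proc/$pid/exe" "$path"
}

whitelist_line() {
    # The rkhunter.conf(.local) entry that silences only this warning;
    # the file properties/hash tests still cover the binary itself.
    printf 'ALLOWPROCLISTEN=%s\n' "$1"
}

triage_listener() {
    # Usage: triage_listener PID PATH   (e.g. 3044 /sbin/dhclient)
    # Prints the whitelist line only when every check passes.
    pid=$1; path=$2
    owner=$(pkg_owner "$path")
    echo "package owning $path: $owner"
    if [ "$owner" = unowned ]; then
        echo "NOT whitelisting: no package owns $path" >&2; return 1
    fi
    pkg_verify "$owner" "$path" || {
        echo "NOT whitelisting: $path differs from package or cannot be verified" >&2; return 1; }
    running_image_is "$pid" "$path" || {
        echo "NOT whitelisting: PID $pid is not running the on-disk $path" >&2; return 1; }
    whitelist_line "$path"
}

# Run the triage only when invoked with a PID and a path.
if [ $# -eq 2 ]; then
    triage_listener "$1" "$2"
fi
```

Run it as `sh triage.sh 3044 /sbin/dhclient` (names assumed); append the printed line to /etc/rkhunter.conf.local rather than editing the packaged rkhunter.conf, and do not run `rkhunter --propupd` as a shortcut, since that would re-baseline the very file you have just verified.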




_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
