Chkrootkit : ppp0: not promisc and no PF_PACKET sockets
Greetings,
When I run chkrootkit with my internet connection (ppp0) up, I get the following:
Code:
<snip>
Checking `sniffer'... ppp0: not promisc and no PF_PACKET sockets
<snip>
With the internet connection down, I get the normal output:
Code:
<snip>
Checking `sniffer'... Checking `w55808'... not infected
<snip>
I did a google search, but the only hits I got were not helpful.
Now, this has happened ever since I had installed Azureus and opened port 6881. I'm using Guarddog firewall, btw, and if I reboot, port 6881 is always stealthed until I open up Guarddog and simply hit the apply button and exit. Then port 6881 will open and can get remote connections/faster speeds.
So, I'm wondering, has my box been compromised? Has a sniffer been installed? If that might be the case, where can I look to check besides /var/log/...? What procedure(s) should I take? I did not install a system integrity prog after installing the os, so other than a complete re-install, is there any other way to find out why I get the "Checking `sniffer'...ppp0: not promisc and no PF_PACKET sockets"? Am I just worrying about nothing?
Nothing unusual shows up in last, lastlog, ps, top, w, who, etc. I haven't seen anything out of the ordinary when my connection is up...only just some light random traffic, which I believe is normal.
The "not promisc and no PF_PACKET sockets" message is normal. The first part of the message is saying "There are no interfaces in promiscuous mode (aka sniffing network traffic)". The second part of the message tells you "no PF_PACKET sockets are listening for traffic". OK, so what's a PF_PACKET socket? A PF_PACKET socket is a special type of networking socket that bypasses the usual TCP/IP networking stack and interacts directly with the network device driver. Most normal applications should use standard PF_INET sockets, so seeing a PF_PACKET socket isn't entirely normal (though certain things like DHCP clients will use them and generate a false alarm). So in this case, the message is telling you that everything is normal and it isn't seeing anything odd.
Not sure about that one. Were you doing something different, like running chkrootkit with networking down or the ppp0 interface not activated? You can probably even test it by running chkrootkit with ppp0 up and then with it down and compare the results.
Quote:
Originally posted by Capt_Caveman Were you doing something different, like running chkrootkit with networking down or the ppp0 interface not activated?
No, I have always run chkrootkit with networking up, and ppp0 either up or down, and never have seen the "not promisc and no PF_PACKET sockets" message until just recently after installing Azureus. So, that's where my concern came from. Having always seen the message "Checking `sniffer'... Checking `w55808'... not infected", then seeing another message, had me thinking that someone was sniffing my packets for malicious use.
Quote:
Originally posted by Capt_Caveman You can probably even test it by running chkrootkit with ppp0 up and then with it down and compare the results.
Yes, I have done that, as I mentioned in the first post. I still do get different results. "...not infected" with ppp0 down and "not promisc..." with it up. I guess I'm not understanding why/what the reason the message has changed all of a sudden.
If you are concerned, try running rootkit hunter instead. It has a test for promiscuous interfaces as well.
Also out of my own curiosity, try just running the ifpromisc helper app by itself and see if it still does the same thing. Btw, what Linux distro/version are you using and what version of chkrootkit are you running?
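The two things the sniffer test reports on, the promiscuous flag of each interface and the list of PF_PACKET sockets, can also be read directly from /sys/class/net/<if>/flags and /proc/net/packet. The Python below is an added example, not part of the thread and not chkrootkit's ifpromisc code; the function names are illustrative and the sample socket table is constructed.

```python
import glob
import os

IFF_PROMISC = 0x100  # interface flag bit from <linux/if.h>

# Constructed sample of /proc/net/packet, not taken from the poster's machine.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      18432
0000000000000000 3      2    0800   0     1 0      0      20551
"""

def parse_packet_sockets(text):
    """Return one dict per PF_PACKET socket listed in /proc/net/packet text."""
    socks = []
    for line in text.splitlines()[1:]:      # skip the header row
        f = line.split()
        if len(f) < 9:
            continue                        # blank or truncated line
        socks.append({
            "proto": int(f[3], 16),         # EtherType; 0x0003 = ETH_P_ALL
            "ifindex": int(f[4]),           # 0 = not bound to one interface
            "uid": int(f[7]),
            "inode": int(f[8]),
        })
    return socks

def is_promisc(flags_text):
    """flags_text is the content of /sys/class/net/<if>/flags, e.g. '0x10d1'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def owners(inode, proc="/proc"):
    """Map a socket inode to the PIDs holding it (run as root to see every process)."""
    pids = set()
    for fd in glob.glob(os.path.join(proc, "[0-9]*", "fd", "*")):
        try:
            if os.readlink(fd) == f"socket:[{inode}]":
                pids.add(int(fd.split(os.sep)[-3]))
        except OSError:
            pass                            # process exited or permission denied
    return sorted(pids)

if __name__ == "__main__":
    for path in sorted(glob.glob("/sys/class/net/*/flags")):
        with open(path) as fh:
            print(path.split("/")[4], "PROMISC" if is_promisc(fh.read()) else "not promisc")
    with open("/proc/net/packet") as fh:
        for s in parse_packet_sockets(fh.read()):
            print(s, "pids:", owners(s["inode"]))
```

Run with ppp0 up and again with it down; a PF_PACKET socket that maps to a DHCP client PID is the kind of false alarm mentioned above.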