Old 08-04-2004, 02:56 PM   #1
tour
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Rep: Reputation: 0
Chkrootkit : ppp0: not promisc and no PF_PACKET sockets


Greetings,

When I run chkrootkit with my internet connection (ppp0) up, I get the following:
Code:
<snip>
Checking `sniffer'... ppp0: not promisc and no PF_PACKET sockets
<snip>
With the internet connection down, I get the normal output:

Code:
<snip>
Checking `sniffer'... Checking `w55808'... not infected
<snip>
I did a google search, but the only hits I got were not helpful.

Now, this has happened ever since I had installed Azureus and opened port 6881. I'm using Guarddog firewall, btw, and if I reboot, port 6881 is always stealthed until I open up Guarddog and simply hit the apply button and exit. Then port 6881 will open and can get remote connections/faster speeds.

So, I'm wondering, has my box been compromised? Has a sniffer been installed? If that might be the case, where can I look to check besides /var/log/...? What procedure(s) should I take? I did not install a system integrity prog after installing the os, so other than a complete re-install, is there any other way to find out why I get the "Checking `sniffer'...ppp0: not promisc and no PF_PACKET sockets"? Am I just worrying about nothing?

Nothing unusual shows up in last, lastlog, ps, top, w, who, etc. I haven't seen anything out of the ordinary when my connection is up...only just some light random traffic, which I believe is normal.
 
Old 08-04-2004, 10:04 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
The "not promisc and no PF_PACKET sockets" message is normal. The first part of the message is saying "There are no interfaces in promiscuous mode (aka sniffing network traffic)". The second part of the message tells you "no PF_PACKET sockets are listening for traffic". OK, so what's a PF_PACKET socket? A PF_PACKET socket is a special type of networking socket that bypasses the usual TCP/IP networking stack and interacts directly with the network device driver. Most normal applications should use standard PF_INET sockets, so seeing a PF_PACKET socket isn't entirely normal (though certain things like dhcp clients will use them and generate a false alarm). So in this case, the message is telling you that everything is normal and it isn't seeing anything odd.
 
Old 08-04-2004, 10:54 PM   #3
tour
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks for your reply. Your explanation was much easier to understand than what I had found earlier...you have set my mind at ease.

One thing that I'm still curious about is, why would I get this message from chkrootkit all of a sudden, when I never got it before?
 
Old 08-04-2004, 11:19 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Not sure about that one. Were you doing something different, like running chkrootkit with networking down or the ppp0 interface not activated? You can probably even test it by running chkrootkit with ppp0 up and then with it down and compare the results.
 
Old 08-05-2004, 04:45 AM   #5
tour
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by Capt_Caveman
Were you doing something different, like running chkrootkit with networking down or the ppp0 interface not activated?
No, I have always run chkrootkit with networking up, and ppp0 either up or down, and never have seen the "not promisc and no PF_PACKET sockets" message until just recently after installing Azureus. So, that's where my concern came from. Having always seen the message "Checking `sniffer'... Checking `w55808'... not infected", then seeing another message, had me thinking that someone was sniffing my packets for malicious use.

Quote:
Originally posted by Capt_Caveman
You can probably even test it by running chkrootkit with ppp0 up and then with it down and compare the results.
Yes, I have done that, as I mentioned in the first post. I still do get different results. "...not infected" with ppp0 down and "not promisc..." with it up. I guess I'm not understanding why/what the reason the message has changed all of a sudden.
 
Old 08-05-2004, 10:51 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
If you are concerned, try running rootkit hunter instead. It has a test for promiscuous interfaces as well.

Also out of my own curiosity, try just running the ifpromisc helper app by itself and see if it still does the same thing. Btw, what linux distro/version are you using and what version of chkrootkit are you running?
 
Old 08-06-2004, 12:48 PM   #7
tour
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks for the recommendation of rootkit hunter. I've installed and run it and everything checks out ok.

If I turn promisc on for ppp0 (# ip link set dev ppp0 promisc on), run chkrootkit, I get a different message:
Code:
Checking `sniffer'... ppp0: PROMISC
So, all seems well...for now.

Oh, I'm running Mandrake cooker and the version of chkrootkit installed is 0.43-1.

Thanks again for your help.
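The two checks behind chkrootkit's `sniffer' line, as explained in post #2 and exercised in post #7 (interface flags for promiscuous mode, and open PF_PACKET sockets bound to that interface or to all interfaces), written out as an added Python example that is not chkrootkit's own ifpromisc code. It reads /sys/class/net/<iface>/flags and /proc/net/packet the way a Linux host exposes them; the sample /proc/net/packet row in the comments is constructed.

```python
#!/usr/bin/env python3
"""Added example, not chkrootkit's ifpromisc: reproduce the two checks behind
the `sniffer' verdict for one interface. Constructed /proc/net/packet sample:
  sk       RefCnt Type Proto  Iface R Rmem   User   Inode
  ffff8800 3      3    0003   2     1 0      0      12345
Type 3 is SOCK_RAW, proto 0003 is ETH_P_ALL, Iface is the bound ifindex."""
import os

IFF_PROMISC = 0x100  # IFF_PROMISC bit from <linux/if.h>


def iface_promisc(flags_hex: str) -> bool:
    """flags_hex is the content of /sys/class/net/<iface>/flags, e.g. '0x1003'."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def packet_socket_ifindexes(proc_net_packet: str) -> list:
    """Parse /proc/net/packet: header row, then one row per open PF_PACKET
    socket. The 5th column is the ifindex it is bound to; 0 means every interface."""
    rows = proc_net_packet.strip().splitlines()[1:]
    return [int(r.split()[4]) for r in rows if len(r.split()) >= 5]


def sniffer_status(ifindex: int, flags_hex: str, proc_net_packet: str) -> str:
    """Return a chkrootkit-style verdict for one interface (wording from the thread)."""
    promisc = iface_promisc(flags_hex)
    bound = [i for i in packet_socket_ifindexes(proc_net_packet) if i in (0, ifindex)]
    if promisc and bound:
        return "PROMISC and PF_PACKET sockets"
    if promisc:
        return "PROMISC"
    if bound:
        return "PF_PACKET sockets"
    return "not promisc and no PF_PACKET sockets"


def check_live() -> dict:
    """Run the check against the real /sys and /proc of this Linux host."""
    try:
        packet = open("/proc/net/packet").read()
    except OSError:  # no PF_PACKET support or not Linux: treat as no sockets
        packet = "sk RefCnt Type Proto Iface R Rmem User Inode\n"
    verdicts = {}
    for name in os.listdir("/sys/class/net"):
        base = f"/sys/class/net/{name}"
        ifindex = int(open(f"{base}/ifindex").read())
        verdicts[name] = sniffer_status(ifindex, open(f"{base}/flags").read(), packet)
    return verdicts


if __name__ == "__main__":
    for name, verdict in check_live().items():
        print(f"{name}: {verdict}")
```

A dhcp client holding a PF_PACKET socket on ppp0 produces the "PF_PACKET sockets" verdict without anything being wrong, which is the false alarm post #2 mentions; matching the Inode column against /proc/<pid>/fd tells you which process owns it.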
 