On Wed, Apr 10, 2002 at 01:25:05PM -0700, Christopher Mahmood beat on the keyboard:
> * Robert Sweet (rsweet@garagenetworks.net) [020410 09:46]:
> > Well, this is some great information. I have been trying to see this output too. If this is broken, doesn't that make things a little hard for tracking down script kiddies? I have been doing some work for a company that has had two Redhat boxes (trying to convince them to switch to SuSE) compromised. I have been checking my box out, and am running snort, so I know it is in promisc, but ifconfig wouldn't show it. I have run chkrootkit, and that says it is not promisc, yet it is running in promisc. I don't like this.
>
> It is annoying. One solution is to stop using ifconfig and route and use ip instead. SuSE 8.0 does this.
>
> > What other ways can I be sure that my box has not been compromised? I have run adorefind (negative) and chkrootkit; all negative.
>
> Unless you have something like a tripwire database that was created before the machine was ever on the network, that's probably impossible. If the machine really has been compromised there's no reason to expect all of these tools to work properly.
>
> --
> -ckm
>
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
> For additional commands, e-mail: suse-security-help@suse.com
> Security-related bug reports go to security@suse.de, not here

Yes, I am positive that these Redhat boxes have been compromised. I have already recommended to them that they need to be reformatted and re-installed. Just wish they would use SuSE. I am using ip now. It is hard to break old habits.

--
rsweet@garagenetworks.net
"unix soit qui mal y pense."
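A check in the spirit of Christopher's advice to read promiscuous mode from ip rather than ifconfig, added here as an example and not code from the thread: it parses `ip link show` output for the PROMISC flag and tests the IFF_PROMISC bit (0x100) of an interface flags word. The /sys/class/net/<if>/flags source for that word is an assumption about current Linux kernels, not something the 2.4-era boxes discussed had; and, as Christopher notes, a rootkit that patches the kernel can lie to this check just as it lies to ifconfig.

```shell
#!/bin/sh
# Added example (not from the thread): find interfaces that `ip link show`
# reports with the PROMISC flag. Reads the `ip link show` text on stdin so
# the same function works on a live box or on captured output.
promisc_ifaces() {
    # Header lines look like: "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 ..."
    # Field 2 is the interface name; the <...> list between angle brackets holds flags.
    awk -F': ' '/^[0-9]+: / {
        name = $2; sub(/@.*/, "", name)            # strip "@ifN" on veth/vlan names
        if ($0 ~ /<[^>]*PROMISC[^>]*>/) print name
    }'
}

# IFF_PROMISC is bit 0x100 of the interface flags word. Assumption: on kernels
# with sysfs the word is readable from /sys/class/net/<if>/flags as hex.
# Returns 0 (true) when the bit is set, 1 otherwise.
flags_has_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Constructed sample of `ip link show` output, for running this offline.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff'

# Live check on the current host, only where ip is installed.
if command -v ip >/dev/null 2>&1; then
    ip link show | promisc_ifaces
fi
```

Snort itself puts the capture interface into promiscuous mode, so an interface it listens on is expected to show up here; the finding to chase is one nobody configured.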