chkrootkit daily report accuses PACKET SNIFFER for /usr/sbin/dhcpd3

Bug #602734 reported by Christian Reis
Affects              Status        Importance  Assigned to  Milestone
chkrootkit           Fix Released  Unknown
chkrootkit (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: chkrootkit

This seems to be a regression from previous versions. Here's what I am seeing on Lucid:

  ii chkrootkit 0.49-3 rootkit detector

  kiko@anthem:~$ sudo /usr/lib/chkrootkit/ifpromisc
  lo: not promisc and no packet sniffer sockets
  eth2: not promisc and no packet sniffer sockets
  eth1: PACKET SNIFFER(/usr/sbin/dhcpd3[3805])
  eth0: not promisc and no packet sniffer sockets

I think dhcpd3 is safe to run, and based on what I've seen in a debian bug report, this has been fixed before. I just wonder if it's regressed or if this is a new problem in old clothing.

Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this.

The README.FALSE-POSITIVES file does document that dhcp will come up as a false positive.

Although chkrootkit does display dhcpd3, the cron.daily job in the chkrootkit package filters it out before sending the report.

What version were you running before that makes this seem like a regression? What Debian bug report did you see that mentioned this being fixed?

Changed in chkrootkit (Ubuntu):
status: New → Incomplete
Christian Reis (kiko) wrote :

I was referring to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=525370, but now that I see it, it's not exactly the same issue.

So I think something is wrong in my cron.daily script, then, because I'm seeing this in my email notifications. Let me check. Okay, so if cron.daily is running its chkrootkit script as I think it should be, then this regexp may be broken:

  # the sed expression replaces the messages about /sbin/dhclient3 /usr/sbin/dhcpd3
  # with a message that is the same whatever order eth0 and eth1 were scanned
  sed -r -e 's,eth(0|1)(:[0-9])?: PACKET SNIFFER\((/sbin/dhclient3|/usr/sbin/dhcpd3)\[[0-9]+\]\),eth\[0|1\]: PACKET SNIFFER\([dhclient3|dhcpd3]{PID}\),' \
  -e 's/(! \w+\s+)[ 0-9]{4}[0-9]/\1#####/' $LOG_DIR/log.today.raw > $LOG_DIR/log.today

Could that be the issue?

summary: - ifpromisc reports PACKET SNIFFER for /usr/sbin/dhcpd3
+ chkrootkit daily report accuses PACKET SNIFFER for /usr/sbin/dhcpd3
Christian Reis (kiko) wrote :

Date: Tue, 6 Jul 2010 06:42:22 -0300
From: Cron Daemon <root@XXX>
To: root@XXX
Subject: Cron <root@anthem> test -x /usr/sbin/anacron || ( cd / && run-parts
        --report /etc/cron.daily )

/etc/cron.daily/chkrootkit:
[...]
eth1: PACKET SNIFFER(/usr/sbin/dhcpd3[3805])
[...]

Marc Deslauriers (mdeslaur) wrote :

oh, sorry about that... the cron job doesn't filter the report, it just reformats the dhcp warning so it's always the same and the dhcp line doesn't get reported more than once if DIFF_MODE=true in /etc/chkrootkit.conf.

Changed in chkrootkit:
status: Unknown → Fix Released
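As an added example (not code from the bug report or from the chkrootkit package), the script below re-creates the normalisation and DIFF_MODE behaviour described above so the effect can be seen on constructed log files: the dhcpd3 line is mailed every day with DIFF_MODE=false, but only on the day it first appears with DIFF_MODE=true. The GNU \w and \s shorthands of the original sed are written as POSIX classes, and the file names and log contents are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Added example, not the chkrootkit package's own cron.daily script.
# File names and log contents below are constructed for the demonstration.

# Rewrite interface name and PID of a dhclient3/dhcpd3 PACKET SNIFFER line
# (and the PID in chkutmp "! user PID" lines) so the text is identical from
# one day to the next; this is what the cron job's sed does, not a filter.
normalize_chkrootkit() {
    sed -E \
        -e 's,eth(0|1)(:[0-9])?: PACKET SNIFFER\((/sbin/dhclient3|/usr/sbin/dhcpd3)\[[0-9]+\]\),eth[0|1]: PACKET SNIFFER([dhclient3|dhcpd3]{PID}),' \
        -e 's/(! [[:alnum:]_]+[[:space:]]+)[ 0-9]{4}[0-9]/\1#####/'
}

# What reaches root's mailbox. With DIFF_MODE=false the whole normalised log
# is mailed; with DIFF_MODE=true only lines absent from yesterday's log are.
# $1 = DIFF_MODE (true|false), $2 = yesterday's normalised log, $3 = today's raw log
daily_report() {
    if [ "$1" = true ]; then
        normalize_chkrootkit < "$3" | diff "$2" - | sed -n 's/^> //p'
    else
        normalize_chkrootkit < "$3"
    fi
    return 0
}

demo() {
    dir=$(mktemp -d)
    # Yesterday's log, already normalised by the previous run (constructed).
    printf '%s\n' 'lo: not promisc and no packet sniffer sockets' \
        'eth[0|1]: PACKET SNIFFER([dhclient3|dhcpd3]{PID})' > "$dir/log.yesterday"
    # Today's raw output: dhcpd3 was restarted, so only the PID differs (constructed).
    printf '%s\n' 'lo: not promisc and no packet sniffer sockets' \
        'eth1: PACKET SNIFFER(/usr/sbin/dhcpd3[4120])' > "$dir/log.today.raw"
    echo '--- DIFF_MODE=false: the dhcpd3 warning is mailed every day'
    daily_report false "$dir/log.yesterday" "$dir/log.today.raw"
    echo '--- DIFF_MODE=true: nothing changed after normalisation, nothing mailed'
    daily_report true "$dir/log.yesterday" "$dir/log.today.raw"
    rm -r "$dir"
}

demo
```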
Chuck Short (zulcss) wrote :

This is fixed in natty.

chuck

Changed in chkrootkit (Ubuntu):
status: Incomplete → Fix Released