Hello,

My eth0 (the external interface) on my firewall machine was down this morning, and when brought back up via dhcpd it got turned onto promisc, which I know sniffs packets, and that is about all I know, so I shut it down right away.

I ran chkrootkit version 0.43 after I discovered eth0 was down and brought back up, and nothing came up infected, except that eth0 was promisc when it was using dhcpd, so I just gave it a static and it is no longer on promisc. Is this sufficient?

I would assume something is wrong with my rules on my firewall, because I assume someone got in and manipulated the dhcpd script. Or is there another way to get it to be promisc? I checked root's .bash_history and it was still intact with all of MY commands, but in /var/log/messages it says something like:

"trying to punch ~MY ISP's DNS SERVER~ through firewall"

I am running an old version of RH 7.1 as a firewall using ipchains behind a Linksys Wireless router. My boxes behind the firewall also seem fine: nothing is promisc and chkrootkit runs cleanly.

I thought my firewall was decent. I run nmap against both interfaces, eth0 (external) and eth1 (internal), and it always has shown no ports at all are open, running:

nmap -sS -v -O

Any help/suggestions, like maybe if I should "get that box off the network", would be helpful.

Thank you in advance.

Erick

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list