Hello,

My eth0 (the external interface) on my firewall machine was down this 
morning, and when brought back up via dhcpd it got turned onto promisc, 
which I know sniffs packets, and that is about all I know, so I shut it 
down right away.

I ran chkrootkit version 0.43 after I discovered eth0 was down and 
brought back up and nothing came up infected, except the eth0 was 
promisc when it was using dhcpd, so I just gave it a static and it is no 
longer on promisc. Is this sufficient? I would assume something is wrong 
with my rules on my firewall because I assume someone got in and 
manipulated the dhcpd script or is there another way to get it to be 
promisc?

I checked root's .bash_history and it was still intact with all of MY 
commands, but in /var/log/messages it says something like:

"trying to punch ~MY ISP's DNS SERVER~ through firewall"

I am running an old version of RH 7.1 as a firewall using ipchains 
behind a Linksys Wireless router. My boxes behind the firewall also seem 
fine, nothing is promisc and chkrootkit runs cleanly.

I thought my firewall was decent, I run nmap against both interfaces, 
eth0 (external) and eth1 (internal) and it always has shown no ports at 
all are open, running:

nmap -sS -v -O

Any help/suggestions, like maybe if I should "get that box off the 
network", would be helpful. Thank you in advance.

Erick



_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list