Packet Sniffer found, what next?

After a download yesterday my computer crashed. I updated today and checked for rootkits. I found a packet sniffer:

eth0: PACKET SNIFFER(/sbin/dhclient[3966])

How can I remove this?


I think it might be a false positive. Try checking with rkhunter, because it gives fewer false positives. To download rkhunter, and for more detailed info on how to use it, see this site.

If it comes up clean, then you have reason for concern.

Try this as well:

  1. rkhunter --check
  2. update
  3. sudo rkhunter --propupd
  4. rkhunter --check

Source: The Rootkit Hunter project


Dhclient is the standard "Dynamic Host Configuration Protocol Client" for Ubuntu; it is needed when you do not have a fixed IP but still want to be reachable from the Internet.

In case you are worried you should check your dhclient.conf for unwanted entries.


The isc-dhcp-client and isc-dhcp-server packages (DHCP client and server) re-run their daemons regularly and cause a "packet sniffer" false positive. The chkrootkit package's /etc/cron.daily/chkrootkit script has a workaround for this which tries to replace the PID with a static string.

However, the workaround for the false positive doesn't work. This is because on Debian, the binaries from these packages used to end with a version number, e.g. /sbin/dhclient3. But the chkrootkit package maintainers never updated /etc/cron.daily/chkrootkit to work with the version 4 series of the isc-dhcp-client and isc-dhcp-server packages, whose files don't have the version number.

To fix this issue, make a backup copy of /etc/cron.daily/chkrootkit then edit it and change...

sed -r -e 's,eth(0|1)(:[0-9])?: PACKET SNIFFER\((/sbin/dhclient3|/usr/sbin/dhcpd3)\[[0-9]+\]\),eth\[0|1\]: PACKET SNIFFER\([dhclient3|dhcpd3]{PID}\),' \

...to...

sed -r -e 's,eth(0|1)(:[0-9])?: PACKET SNIFFER\((/sbin/dhclient|/usr/sbin/dhcpd)\[[0-9]+\]\),eth\[0|1\]: PACKET SNIFFER\([dhclient|dhcpd]{PID}\),' \

Be careful to leave the backslash at the end of the line.
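The normalisation the cron script is trying to do, shown as an added example (not code from the answer above or from the chkrootkit package): it runs both sed expressions quoted in the answer over constructed sample lines from two daily runs, so you can see that the old expression leaves the PID in place (every run differs from the previous one) while the corrected one masks it. The second PID and the helper function names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original answer or the chkrootkit package.
# The cron script masks the dhclient/dhcpd PID so that today's chkrootkit
# output can be compared with the previous run without the changing PID
# showing up as a difference. Both sed expressions are the ones quoted in
# the answer; the trailing "\" is dropped because nothing continues here.

# Old pattern: only matches the versioned Debian binaries (dhclient3/dhcpd3).
normalize_old() {
  sed -r -e 's,eth(0|1)(:[0-9])?: PACKET SNIFFER\((/sbin/dhclient3|/usr/sbin/dhcpd3)\[[0-9]+\]\),eth\[0|1\]: PACKET SNIFFER\([dhclient3|dhcpd3]{PID}\),'
}

# Corrected pattern: matches the unversioned isc-dhcp 4.x binaries.
normalize_new() {
  sed -r -e 's,eth(0|1)(:[0-9])?: PACKET SNIFFER\((/sbin/dhclient|/usr/sbin/dhcpd)\[[0-9]+\]\),eth\[0|1\]: PACKET SNIFFER\([dhclient|dhcpd]{PID}\),'
}

# Constructed sample lines: the same warning from two daily runs, differing
# only in the PID (3966 is the PID from the question; 4123 is made up).
DAY1='eth0: PACKET SNIFFER(/sbin/dhclient[3966])'
DAY2='eth0: PACKET SNIFFER(/sbin/dhclient[4123])'

# Prints one line after passing it through the given filter function.
normalized() {
  printf '%s\n' "$2" | "$1"
}

# Returns 0 when both days' lines are identical after the given filter
# (the daily diff would be quiet), 1 when a spurious change remains.
stable_after() {
  a=$(normalized "$1" "$DAY1")
  b=$(normalized "$1" "$DAY2")
  [ "$a" = "$b" ]
}

for f in normalize_old normalize_new; do
  if stable_after "$f"; then
    echo "$f: PID masked, no daily change"
  else
    echo "$f: PID still present, spurious daily change"
  fi
done
```

Note that both expressions only match interfaces named eth0 or eth1 (optionally with an alias suffix), so a report for any other interface name still carries the raw PID and will keep producing a difference.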