Bug 1577499

Summary: Network Attack: Sniffer
Product: Fedora
Reporter: Ali <alikerekang>
Component: NetworkManager
Assignee: Lubomir Rintel <lkundrak>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 27
CC: alexl, bgalvani, dcbw, fgiudici, john.j5live, lkundrak, mclasen, rhughes, rstrode, sandmann
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2018-05-21 08:08:49 UTC
Type: Bug

Description Ali 2018-05-12 13:21:42 UTC
When running a security check with intrusion detection software named 'chkrootkit' on Fedora 27 - Xfce Desktop Environment, I get these results:

Checking `sniffer'... enp0s29u1u3: PF_PACKET(/usr/sbin/dhclient, /usr/sbin/dhclient)

It looks like my system (dhclient: 3976) has been attacked by network sniffers. I also found suspicious files and directories in /usr/lib/.build-id.

How do I remove network sniffers from dhclient(3976)?

Comment 1 Beniamino Galvani 2018-05-21 08:08:49 UTC
dhclient is the DHCP client, which needs a raw socket to work, so this is a false positive. If you are paranoid you could check that the dhclient binary was not altered by verifying the package with:

rpm -V dhcp-client
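The following is an added example, not code from the bug report, from chkrootkit or from the dhcp-client package. It shows the logic behind a "sniffer" style check (list the sockets in /proc/net/packet, map each socket inode to the process whose fd table references it) and why dhclient lands in that list: it holds a PF_PACKET socket by design. The allowlist of expected packet-socket owners, the process table and the /proc/net/packet contents are all constructed sample data (the pid 3976 is reused from the report as a label only); the `verify_package_of` helper wraps the `rpm -qf` and `rpm -V` commands the comment suggests and is only meaningful on a real RPM-based host.

```python
"""Map PF_PACKET sockets to owning processes and flag unexpected owners."""
import re
import subprocess

# Constructed sample in the shape of /proc/net/packet
# (columns: sk RefCnt Type Proto Iface R Rmem User Inode).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c1a 3      3    0800   4     1 0      0      31337
ffff9c1b 3      3    0003   4     1 0      0      40404
"""

# Constructed process table: pid -> (path of /proc/<pid>/exe, targets of /proc/<pid>/fd/*).
SAMPLE_PROCS = {
    3976: ("/usr/sbin/dhclient", ["/dev/null", "socket:[31337]",
                                  "/var/lib/dhclient/dhclient.leases"]),
    4242: ("/tmp/.x/capture", ["socket:[40404]", "/tmp/.x/out.pcap"]),
    1: ("/usr/lib/systemd/systemd", ["/dev/null"]),
}

# Assumed allowlist: binaries that legitimately open packet sockets on a Fedora host.
EXPECTED_PACKET_SOCKET_OWNERS = {
    "/usr/sbin/dhclient",
    "/usr/sbin/NetworkManager",
    "/usr/sbin/tcpdump",
}


def parse_packet_sockets(text):
    """Return {socket_inode: interface_index} for each row of /proc/net/packet."""
    sockets = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets[int(fields[8])] = int(fields[4])
    return sockets


def owners_of_inodes(inodes, procs):
    """Return sorted (pid, exe, inode) triples for fds that point at the given socket inodes."""
    owners = []
    for pid, (exe, fd_targets) in procs.items():
        for target in fd_targets:
            match = re.fullmatch(r"socket:\[(\d+)\]", target)
            if match and int(match.group(1)) in inodes:
                owners.append((pid, exe, int(match.group(1))))
    return sorted(owners)


def sniffer_report(packet_text, procs, expected=EXPECTED_PACKET_SOCKET_OWNERS):
    """Classify every packet-socket owner as 'expected' (on the allowlist) or 'investigate'."""
    inodes = parse_packet_sockets(packet_text)
    report = []
    for pid, exe, inode in owners_of_inodes(inodes, procs):
        verdict = "expected" if exe in expected else "investigate"
        report.append({"pid": pid, "exe": exe, "inode": inode, "verdict": verdict})
    return report


def verify_package_of(exe_path):
    """On an RPM host, find the package owning exe_path and verify it (rpm -qf, rpm -V).

    Returns (package_name, verify_output); empty verify output means no file differs
    from the package database. Not exercised by the sample data above.
    """
    pkg = subprocess.run(["rpm", "-qf", exe_path], capture_output=True,
                         text=True, check=True).stdout.strip()
    verify = subprocess.run(["rpm", "-V", pkg], capture_output=True, text=True)
    return pkg, verify.stdout


if __name__ == "__main__":
    for entry in sniffer_report(SAMPLE_PROC_NET_PACKET, SAMPLE_PROCS):
        print(f"pid {entry['pid']}: {entry['exe']} (socket inode {entry['inode']}) -> {entry['verdict']}")
```

On the sample data the dhclient entry comes back as "expected" and the constructed /tmp/.x/capture process as "investigate"; the useful signal is an owner that is not on the allowlist, or an allowlisted binary whose package fails `rpm -V`, not the mere presence of a packet socket.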