> two major choices:
>
> 1) leave it online recording ALL traffic to and from it
>
> 2) take it offline immediately and analyze it there without
> remote interference
I'm starting to think it was chkrootkit misreporting what was happening, as after I rebooted the machine, there are now:

a) no processes hidden
b) one of my interfaces seems to go into PROMISC mode only after dhcpd is started -- would this explain it?

cheers,
Michael