Re: chkrootkit and vncserver

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: "Steven Stern" <subscribed-lists@xxxxxxxxxxxxx>
> On Mon, 24 May 2004 08:21:20 -0500, "Benjamin J. Weiss"
<benjamin@xxxxxxxxxx>
> wrote:
>
> >From: "Steven Stern" <subscribed-lists@xxxxxxxxxxxxx>
> >> This morning's normal system checks triggered alarms.  Chkrootkit
reported
> >a
> >> possible LKM trojan.
> >>
> >> Checking `lkm'... You have     5 process hidden for readdir command
> >> You have     5 process hidden for ps command
> >> Warning: Possible LKM Trojan installed
> >>
> >> I've tracked this down to vncserver.  I have one X session assigned to
> >VNC.
> >>
> >> If I do /sbin/service vncserver stop, then chkrootkit reports no LKM
> >problem.
> >> When I restart the server, the LKM message reappears.
> >>
> >> Can anyone else verify this on their system?
> >
> >What are you running, FC1 or FC2?
>
>
> FC2.  The same configuration and version of chkrootkit was in place in
FC1.
> (BTW, I did install Dag's RPM of chkrootkit for FC2, just in case, but I
still
> get the warning when vncserver is running.)

Okay, I just downloaded chkrootkit from DAG, on an updated install of FC2.

Before vnc, I had 4 processes hidden from readdir and ps.  When I ran vnc
(vnc-server-4.0-1.beta4.11), I then had 9, then 13.  (I'm running two vnc
sessions.)  When I stopped vncserver, I was down to 4 again.

I googled a bit  and found this in the archives:
http://www.redhat.com/archives/fedora-test-list/2004-April/msg01586.html

I used  /usr/lib/chkrootkit-0.43/chkproc -v and followed the message above.
It turned out that the first four were nautilus and gnome (that machine
booted by default into init:5).  Once I changed the default init to 3 and
rebooted, they all went away.

I don't think that this is a trojan, just a design issue with gnome.

Ben



[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux