From: "Steven Stern" <subscribed-lists@xxxxxxxxxxxxx>
> On Mon, 24 May 2004 08:21:20 -0500, "Benjamin J. Weiss" <benjamin@xxxxxxxxxx>
> wrote:
>
> >From: "Steven Stern" <subscribed-lists@xxxxxxxxxxxxx>
> >> This morning's normal system checks triggered alarms. Chkrootkit reported a
> >> possible LKM trojan.
> >>
> >> Checking `lkm'... You have 5 process hidden for readdir command
> >> You have 5 process hidden for ps command
> >> Warning: Possible LKM Trojan installed
> >>
> >> I've tracked this down to vncserver. I have one X session assigned to VNC.
> >>
> >> If I do /sbin/service vncserver stop, then chkrootkit reports no LKM problem.
> >> When I restart the server, the LKM message reappears.
> >>
> >> Can anyone else verify this on their system?
> >
> >What are you running, FC1 or FC2?
> >
> FC2. The same configuration and version of chkrootkit was in place in FC1.
> (BTW, I did install Dag's RPM of chkrootkit for FC2, just in case, but I still
> get the warning when vncserver is running.)

Okay, I just downloaded chkrootkit from DAG, on an updated install of FC2.
Before vnc, I had 4 processes hidden from readdir and ps. When I ran vnc
(vnc-server-4.0-1.beta4.11), I then had 9, then 13. (I'm running two vnc
sessions.) When I stopped vncserver, I was down to 4 again.

I googled a bit and found this in the archives:

http://www.redhat.com/archives/fedora-test-list/2004-April/msg01586.html

I used /usr/lib/chkrootkit-0.43/chkproc -v and followed the message above. It
turned out that the first four were nautilus and gnome (that machine booted by
default into init:5). Once I changed the default init to 3 and rebooted, they
all went away.

I don't think that this is a trojan, just a design issue with gnome.

Ben
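Added example, not part of the original thread and not chkrootkit's own code: a Python version of the triage done above with chkproc -v, which finds IDs that can be opened under /proc but are missing from its directory listing and marks those whose Tgid points at a listed process as threads. It assumes a Linux /proc where thread IDs are reachable by path without being listed; the function names and the sample data are constructed for illustration.

```python
import os

def read_status(pid, proc="/proc"):
    """Parse <proc>/<pid>/status into a dict, or return None if unreachable."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            pairs = (line.partition(":") for line in fh)
            return {key: val.strip() for key, _, val in pairs}
    except OSError:
        return None

def triage_hidden(listed, max_pid, status_of):
    """Classify IDs that are reachable by path but missing from the listing.

    listed    -- set of numeric names returned by listing /proc
    status_of -- callable: pid -> status dict, or None when nothing is there
    Returns {pid: (verdict, name, tgid)}.
    """
    findings = {}
    for pid in range(1, max_pid + 1):
        if pid in listed:
            continue
        status = status_of(pid)
        if status is None:
            continue  # no task with this ID
        tgid = int(status.get("Tgid", pid))
        if tgid != pid and tgid in listed:
            verdict = "thread"      # task of a process that is listed
        else:
            verdict = "suspicious"  # reachable, unlisted, no listed owner
        findings[pid] = (verdict, status.get("Name", "?"), tgid)
    return findings

# Constructed sample data, not taken from the thread.
SAMPLE_LISTED = {1, 2100, 2200}
SAMPLE_STATUS = {
    1: {"Name": "init", "Tgid": "1"},
    2100: {"Name": "nautilus", "Tgid": "2100"},
    2101: {"Name": "nautilus", "Tgid": "2100"},
    2200: {"Name": "Xvnc", "Tgid": "2200"},
    2201: {"Name": "Xvnc", "Tgid": "2200"},
    3000: {"Name": "unknown", "Tgid": "3000"},
}

if __name__ == "__main__":
    listed = {int(name) for name in os.listdir("/proc") if name.isdigit()}
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    for pid, row in sorted(triage_hidden(listed, max_pid, read_status).items()):
        print(pid, *row)
```

A process that starts between the listing and the probe is reported as suspicious once, so rerun the check before acting on a single hit.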