chkrootkit and vncserver
Benjamin J. Weiss
benjamin at weiss.name
Mon May 24 13:21:20 UTC 2004
From: "Steven Stern" <subscribed-lists at sterndata.com>
> This morning's normal system checks triggered alarms. Chkrootkit reported
a
> possible LKM trojan.
>
> Checking `lkm'... You have 5 process hidden for readdir command
> You have 5 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> I've tracked this down to vncserver. I have one X session assigned to
VNC.
>
> If I do /sbin/service vncserver stop, then chkrootkit reports no LKM
problem.
> When I restart the server, the LKM message reappears.
>
> Can anyone else verify this on their system?
What are you running, FC1 or FC2?
Ben
More information about the fedora-list
mailing list