chkrootkit and vncserver
Benjamin J. Weiss
benjamin at weiss.name
Mon May 24 14:53:45 UTC 2004
From: "Steven Stern" <subscribed-lists at sterndata.com>
> On Mon, 24 May 2004 08:21:20 -0500, "Benjamin J. Weiss" <benjamin at weiss.name> wrote:
>
> >From: "Steven Stern" <subscribed-lists at sterndata.com>
> >> This morning's normal system checks triggered alarms. Chkrootkit reported a
> >> possible LKM trojan.
> >>
> >> Checking `lkm'... You have 5 process hidden for readdir command
> >> You have 5 process hidden for ps command
> >> Warning: Possible LKM Trojan installed
> >>
> >> I've tracked this down to vncserver. I have one X session assigned to VNC.
> >>
> >> If I do /sbin/service vncserver stop, then chkrootkit reports no LKM problem.
> >> When I restart the server, the LKM message reappears.
> >>
> >> Can anyone else verify this on their system?
> >
> >What are you running, FC1 or FC2?
>
>
> FC2. The same configuration and version of chkrootkit was in place in FC1.
> (BTW, I did install Dag's RPM of chkrootkit for FC2, just in case, but I still
> get the warning when vncserver is running.)

Okay, I just downloaded chkrootkit from DAG, on an updated install of FC2.
Before vnc, I had 4 processes hidden from readdir and ps. When I ran vnc
(vnc-server-4.0-1.beta4.11), I then had 9, then 13. (I'm running two vnc
sessions.) When I stopped vncserver, I was down to 4 again.

I googled a bit and found this in the archives:
http://www.redhat.com/archives/fedora-test-list/2004-April/msg01586.html

I used /usr/lib/chkrootkit-0.43/chkproc -v and followed the message above.
It turned out that the first four were nautilus and gnome (that machine
booted by default into init:5). Once I changed the default init to 3 and
rebooted, they all went away.

I don't think that this is a trojan, just a design issue with gnome.

Ben
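
One way to script the check described in the message above, as an added example that is not part of the original post or of chkrootkit: given the PIDs that chkproc -v lists, it reads /proc/<pid>/status and groups the ones that are thread IDs under the process that owns them. That the flagged PIDs are threads of visible programs is an assumption here (the post does not say why they are hidden); the function names and the proc_root parameter are hypothetical.

```python
#!/usr/bin/env python3
"""Triage helper: map PIDs that chkproc flags as hidden to their owners."""
import os
import sys
from collections import defaultdict


def read_status(pid, proc_root="/proc"):
    """Return Name/Pid/Tgid from <proc_root>/<pid>/status, or None if absent."""
    fields = {}
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as fh:
            for line in fh:
                key, _, value = line.partition(":")
                if key in ("Name", "Pid", "Tgid"):
                    fields[key] = value.strip()
    except OSError:
        return None  # process exited, or the entry is not reachable at all
    return fields if len(fields) == 3 else None


def triage(pids, proc_root="/proc"):
    """Group flagged PIDs by owning process; collect the ones left unexplained."""
    explained = defaultdict(list)  # (tgid, name) -> flagged PIDs that are its threads
    unexplained = []
    for pid in pids:
        st = read_status(pid, proc_root)
        if st and st["Tgid"] != st["Pid"]:
            # Thread ID: look up the thread-group leader for the program name.
            leader = read_status(st["Tgid"], proc_root) or st
            explained[(int(st["Tgid"]), leader["Name"])].append(pid)
        else:
            # Its own group leader, or no status entry: needs manual review.
            unexplained.append(pid)
    return dict(explained), unexplained


if __name__ == "__main__":
    # Usage: pass the PIDs reported by chkproc -v as arguments.
    groups, leftover = triage(int(a) for a in sys.argv[1:])
    for (tgid, name), tids in sorted(groups.items()):
        print(f"{name} (pid {tgid}): threads {tids}")
    for pid in leftover:
        print(f"pid {pid}: not a thread of a visible process, investigate")
```

Any PID that ends up in the second list is not accounted for by a visible program and is the one to examine by hand.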