chkrootkit and vncserver

Benjamin J. Weiss benjamin at
Mon May 24 14:53:45 UTC 2004

From: "Steven Stern" <subscribed-lists at>
> On Mon, 24 May 2004 08:21:20 -0500, "Benjamin J. Weiss"
<benjamin at>
> wrote:
> >From: "Steven Stern" <subscribed-lists at>
> >> This morning's normal system checks triggered alarms.  Chkrootkit
> >a
> >> possible LKM trojan.
> >>
> >> Checking `lkm'... You have     5 process hidden for readdir command
> >> You have     5 process hidden for ps command
> >> Warning: Possible LKM Trojan installed
> >>
> >> I've tracked this down to vncserver.  I have one X session assigned to
> >VNC.
> >>
> >> If I do /sbin/service vncserver stop, then chkrootkit reports no LKM
> >problem.
> >> When I restart the server, the LKM message reappears.
> >>
> >> Can anyone else verify this on their system?
> >
> >What are you running, FC1 or FC2?
> FC2.  The same configuration and version of chkrootkit was in place in
> (BTW, I did install Dag's RPM of chkrootkit for FC2, just in case, but I
> get the warning when vncserver is running.)

Okay, I just downloaded chkrootkit from DAG, on an updated install of FC2.

Before vnc, I had 4 processes hidden from readdir and ps.  When I ran vnc
(vnc-server-4.0-1.beta4.11), I then had 9, then 13.  (I'm running two vnc
sessions.)  When I stopped vncserver, I was down to 4 again.

I googled a bit  and found this in the archives:

I used  /usr/lib/chkrootkit-0.43/chkproc -v and followed the message above.
It turned out that the first four were nautilus and gnome (that machine
booted by default into init:5).  Once I changed the default init to 3 and
rebooted, they all went away.

I don't think that this is a trojan, just a design issue with gnome.


More information about the fedora-list mailing list