chkrootkit and vncserver
subscribed-lists at sterndata.com
Mon May 24 13:56:11 UTC 2004
On Mon, 24 May 2004 08:21:20 -0500, "Benjamin J. Weiss" <benjamin at weiss.name>
>From: "Steven Stern" <subscribed-lists at sterndata.com>
>> This morning's normal system checks triggered alarms. Chkrootkit reported
>> possible LKM trojan.
>> Checking `lkm'... You have 5 process hidden for readdir command
>> You have 5 process hidden for ps command
>> Warning: Possible LKM Trojan installed
>> I've tracked this down to vncserver. I have one X session assigned to
>> If I do /sbin/service vncserver stop, then chkrootkit reports no LKM
>> When I restart the server, the LKM message reappears.
>> Can anyone else verify this on their system?
>What are you running, FC1 or FC2?
FC2. The same configuration and version of chkrootkit was in place in FC1.
(BTW, I did install Dag's RPM of chkrootkit for FC2, just in case, but I still
get the warning when vncserver is running.)
More information about the fedora-list