Chkrootkit messages ?

[Bob Goodwin]

David Timms wrote:
> Bob Goodwin wrote:
>>
>> This is a fairly new FC5 installation, new ISP, and new wireless 
>> router system, all together adding up to numerous possibilities for 
>> errors.  I installed and ran "chkrootkit" this morning with the 
>> following result and don't know how to deal with it?  Any suggestions 
>> appreciated.
>>
>> Checking `asp'... not infected
>> Checking `bindshell'... not infected
>> Checking `lkm'... You have     1 process hidden for readdir command
>> You have     1 process hidden for ps command
>> chkproc: Warning: Possible LKM Trojan installed
> I get:
> Checking `lkm'... chkproc: nothing detected
>
> ...
>> Checking `chkutmp'...  The tty of the following user process(es) were 
>> not found
>> in /var/run/utmp !
>> ! RUID          PID TTY    CMD
>> ! root         2301 tty7   X :0 -auth /root/.serverauth.2284
>> chkutmp: nothing deleted
> rkhunter and possibly chkrootkit have not been modified to take into 
> account the FC5 norms (I think).
>
>> I scanned from "/" with f-prot yesterday and there were no 
>> indications of "infection."
> The point of a rootkit is that any command / program could no longer 
> be trusted: eg scanner asks OS: "open file x to check if its a got a 
> virus" OS responds with "data" - but it is not the real data inside 
> the file.
>
> I've got the following installed:
> rkhunter-1.2.8-3.fc5
> chkrootkit-0.46a-2.2.fc5.rf
>
> Is your chkrootkit the same version ?
>
> It think it's worth installing rkhunter (either from core or extras - 
> I've forgotten) for a second opinion.
>
> DaveT.
>
I did yum install this morning and "chkrootkit -V" shows "chkrootkit 
version 0.46"

I'll try rkhunter as you suggest, if all else fails I guess I can 
re-install but hate to wipe out my configuration effort to date.

Thanks.  BobG