LKM trojan triggered by VNCSERVER?
Linux Security forums, System Security and Security Related category
Using Fedora Core 2 on a Dell system. This case is new to FC2; there was no similar issue with FC1.

This morning's normal system checks triggered alarms. Chkrootkit reported a possible LKM trojan.

Checking `lkm'... You have 5 process hidden for readdir command
You have 5 process hidden for ps command
Warning: Possible LKM Trojan installed

I've tracked this down to vncserver. I have one X session assigned to VNC. If I do /sbin/service vncserver stop, then chkrootkit reports no LKM problem. When I restart the server, the LKM message reappears.

Can anyone else verify this on their system? Is there something about the way vncserver starts processes that might trigger this?

# more xstartup
#!/bin/sh
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
exec gnome-session &
> Using Fedora Core 2 on a Dell system. This case is new to FC2; there
> was no similar issue with FC1.
>
> This morning's normal system checks triggered alarms. Chkrootkit
> reported a possible LKM trojan.
>
> Checking `lkm'... You have 5 process hidden for readdir command
> You have 5 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> I've tracked this down to vncserver. I have one X session assigned to
> VNC.

I can't comment on this because I don't use Fedora, nor vncserver. But in the meantime I would recommend using tcpdump from another machine on the same network segment to monitor traffic flowing to/from the suspect host. See if anyone is actually trying to start/maintain an unexpected connection.

--
Jem Berkes
http://www.sysdesign.ca/
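
The monitoring suggested in the reply above, as an added example that is not part of the original thread: a shell function that reads `tcpdump -n` text output captured on a second machine and lists the remote endpoints exchanging packets with the suspect host that are not on a list of expected peers. The function names, the interface name, the addresses (documentation ranges) and the sample capture lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Capture on a DIFFERENT machine on the same segment, e.g.
#   tcpdump -n -i eth0 host 192.0.2.10 > capture.txt   (eth0 and the IP are assumptions)
# then feed the text to unexpected_peers.

# unexpected_peers SUSPECT_IP "EXPECTED_IP ..."   (reads tcpdump -n lines on stdin)
# Prints: peer_ip peer_port suspect_port packet_count, for peers not in the expected list.
unexpected_peers() {
    awk -v suspect="$1" -v expected="$2" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    # tcpdump -n prints IPv4 endpoints as a.b.c.d.port (no port for ICMP and similar).
    function ip(ep, a)      { sub(/:$/, "", ep); split(ep, a, ".")
                              return a[1] "." a[2] "." a[3] "." a[4] }
    function port(ep, a, n) { sub(/:$/, "", ep); n = split(ep, a, ".")
                              return (n == 5) ? a[5] : "-" }
    $2 == "IP" && $4 == ">" {
        src = ip($3); dst = ip($5)
        if (src == suspect)      { peer = dst; pp = port($5); sp = port($3) }
        else if (dst == suspect) { peer = src; pp = port($3); sp = port($5) }
        else next                     # packet does not involve the suspect host
        if (!(peer in ok)) seen[peer " " pp " " sp]++
    }
    END { for (k in seen) print k, seen[k] }' | sort
}

# Constructed sample capture: 192.0.2.10 is the suspect host, 192.0.2.50 is the
# workstation expected to use the VNC display on port 5901.
sample_capture() {
    cat <<'EOF'
10:00:01.000001 IP 192.0.2.50.40022 > 192.0.2.10.5901: Flags [S], seq 1, win 64240, length 0
10:00:01.000150 IP 192.0.2.10.5901 > 192.0.2.50.40022: Flags [S.], seq 9, ack 2, win 65160, length 0
10:00:02.500000 IP 192.0.2.10.34567 > 198.51.100.7.8080: Flags [S], seq 5, win 64240, length 0
10:00:02.600000 IP 198.51.100.7.8080 > 192.0.2.10.34567: Flags [S.], seq 7, ack 6, win 65160, length 0
10:00:03.000000 IP 192.0.2.10.34567 > 198.51.100.7.8080: Flags [.], ack 8, win 502, length 0
10:00:04.000000 IP 192.0.2.60.51000 > 192.0.2.61.22: Flags [S], seq 3, win 64240, length 0
EOF
}

# Demo: only the peer that is not on the expected list is reported.
sample_capture | unexpected_peers 192.0.2.10 "192.0.2.50"
```

Capturing from a second machine matters because tools on the suspect host itself cannot be trusted to show all of its traffic if it has been compromised.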