[lug] chkrootkit false positives, old threads versus POSIX pthreads
D. Stimits
stimits at comcast.net
Sat Apr 23 17:15:02 MDT 2005

Recently there was some talk about the change from 2.4 kernel fake
threads that were really processes, and 2.6 kernel POSIX threads that
belong to a single PID. I'm curious about something related to this,
perhaps one of the security-knowledgeable can answer.
It turns out that chkrootkit gives a lot of false positives about hidden
processes, saying "possible LKM". Mozilla and tomcat and several Java
type applications all give this hidden process alarm, but are not really
LKM or anything malware (even identd is showing up as hidden process).
Now I know all of what I've viewed is valid and supposed to be there. So
my question is basically this... has a shift from fake threads to POSIX
threads changed something which is partially responsible for chkrootkit
false positives?

Also, I've noticed that all of the new install fedora machines I've seen
seem to run an rpc.statd on port 32768, but apparently this too is
valid. I'm guessing it is related to gnome and KDE (or xdm in general).
Can anyone tell me what exactly this port is for? [and you can bet it's
all firewalled]

D. Stimits, stimits AT comcast DOT net
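As an added illustration of the thread question above (this is not code from chkrootkit and not part of the original post), the following script reproduces the idea behind a chkproc-style "hidden process" check and then separates NPTL threads from PIDs that are genuinely unlisted. The mechanism it relies on is documented kernel behaviour: on a 2.6 kernel each thread has its own TID, `/proc/<tid>` is reachable by `stat`, but `readdir("/proc")` only lists thread-group leaders, which is exactly what ps shows. A checker that probes every PID number and compares against the listed set therefore reports every extra thread of a multi-threaded program (Mozilla, Tomcat, Java) as hidden. Subtracting the TIDs found under `/proc/<tgid>/task` removes that class of false positive; whatever remains still deserves a look. The function names, the `classify` signature and the sample sets are my own constructions.

```python
"""Separate NPTL threads from genuinely unlisted PIDs in a chkproc-style sweep.

Added example; not chkrootkit's code. A chkproc-style check probes /proc/<n>
for every n up to pid_max and treats any reachable-but-unlisted n as a hidden
process ("possible LKM Trojan"). Under 2.6 POSIX threads every thread has a
TID with a reachable /proc/<tid>, while readdir('/proc') lists only the
thread-group leader, so each extra thread trips the check. Reading
/proc/<tgid>/task tells the two cases apart.
"""
import os
import sys


def classify(listed, probed, task_dirs):
    """Split probed-but-unlisted PID numbers into threads and hidden PIDs.

    listed    -- set of PIDs returned by readdir('/proc') (what ps sees)
    probed    -- set of n for which /proc/n was reachable by stat/chdir
    task_dirs -- dict tgid -> set of TIDs read from /proc/<tgid>/task
    Returns (threads, hidden), both as sorted lists.
    """
    unlisted = probed - listed
    known_threads = set()
    for tids in task_dirs.values():
        known_threads.update(tids)
    threads = sorted(unlisted & known_threads)   # explained by NPTL threads
    hidden = sorted(unlisted - known_threads)    # still unexplained: investigate
    return threads, hidden


def collect_from_proc(max_pid=32768):
    """Gather the three inputs from a live Linux /proc (Linux only).

    32768 is the classic default pid_max; pass the value from
    /proc/sys/kernel/pid_max for a full sweep on a newer kernel.
    Processes and threads exit while we scan, so every read is best effort.
    """
    listed = {int(d) for d in os.listdir('/proc') if d.isdigit()}
    probed = {n for n in range(1, max_pid + 1) if os.path.exists(f'/proc/{n}')}
    task_dirs = {}
    for tgid in listed:
        try:
            tids = os.listdir(f'/proc/{tgid}/task')
        except OSError:
            continue  # process went away mid-scan
        task_dirs[tgid] = {int(t) for t in tids if t.isdigit()}
    return listed, probed, task_dirs


# Constructed sample: PID 42 is a three-thread program (TIDs 42, 43, 44);
# PID 777 is reachable but has no owner, the case chkproc is meant to catch.
SAMPLE_LISTED = {1, 42, 100}
SAMPLE_PROBED = {1, 42, 43, 44, 100, 777}
SAMPLE_TASKS = {1: {1}, 42: {42, 43, 44}, 100: {100}}


def sample_report():
    """Run classify() on the constructed sample; returns ([43, 44], [777])."""
    return classify(SAMPLE_LISTED, SAMPLE_PROBED, SAMPLE_TASKS)


if __name__ == '__main__':
    if sys.platform.startswith('linux'):
        threads, hidden = classify(*collect_from_proc())
        print(f'{len(threads)} unlisted PIDs are threads of listed processes')
        print('unexplained PIDs:', hidden or 'none')
    else:
        print('sample:', sample_report())
```

Run it on a 2.6 box with a browser or a JVM open and the first line accounts for the entries chkrootkit complains about; the second line is the list a security check should actually have produced.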