[lug] chkrootkit false positives, old threads versus POSIX pthreads

D. Stimits stimits at comcast.net
Sat Apr 23 17:15:02 MDT 2005

Recently there was some talk about the change from 2.4 kernel fake 
threads that were really processes, and 2.6 kernel POSIX threads that 
belong to a single PID. I'm curious about something related to this, 
perhaps one of the security-knowledgeable can answer.

It turns out that chkrootkit gives a lot of false positives about hidden 
processes, saying "possible LKM". Mozilla and Tomcat and several Java 
type applications all give this hidden process alarm, but are not really 
LKM or anything malware (even identd is showing up as a hidden process). 
Now I know all of what I've viewed is valid and supposed to be there. So 
my question is basically this: has a shift from fake threads to POSIX 
threads changed something which is partially responsible for chkrootkit 
false positives?

Also, I've noticed that all of the new install Fedora machines I've seen 
seem to run an rpc.statd on port 32768, but apparently this too is 
valid. I'm guessing it is related to GNOME and KDE (or xdm in general). 
Can anyone tell me what exactly this port is for? [and you can bet it's 
all firewalled]

D. Stimits, stimits AT comcast DOT net
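The mechanism behind the thread question in the post above, as an added example that is not part of the original message and not chkrootkit's own code: a hidden-process scanner built on the probe-and-compare approach (try /proc/<n> for every n up to the PID limit, and report any n that answers but is absent from the directory listing of /proc). On a 2.6 NPTL kernel every thread has its own TID, and /proc/<tid> answers a stat() even though readdir() on /proc lists only thread-group leaders, so every extra thread of Mozilla, Tomcat or a JVM looks "hidden" to that comparison. The script below separates those TIDs out by consulting /proc/<pid>/task/ for each listed process. Function names, the constructed sample sets and the live self-check are assumptions of this example, not something the post describes.

```python
"""Separate POSIX thread IDs (TIDs) from genuinely unlisted PIDs in /proc.

Added example: a probe-and-compare hidden-process check that accounts for
NPTL threads. A bare probe of /proc/<n> flags every TID of every
multi-threaded process as a hidden process, because /proc/<tid> is
reachable by path while readdir(/proc) lists thread-group leaders only.
"""
import os
import threading
import time


def classify_probed_ids(listed, probeable, tasks):
    """Pure comparison logic, usable offline with constructed inputs.

    listed    : ids returned by readdir(/proc)
    probeable : ids for which /proc/<id> answered a stat()
    tasks     : {pid: set of TIDs read from /proc/<pid>/task/}
    Returns (threads, hidden): probeable-but-unlisted ids explained by a
    thread of a listed process, and the ones that are not explained.
    """
    unlisted = set(probeable) - set(listed)
    known_tids = set()
    for tids in tasks.values():
        known_tids.update(tids)
    threads = unlisted & known_tids
    hidden = unlisted - known_tids
    return sorted(threads), sorted(hidden)


def read_tasks(listed, proc="/proc"):
    """Collect every TID of every listed process from /proc/<pid>/task/."""
    tasks = {}
    for pid in listed:
        try:
            tasks[pid] = {int(t) for t in os.listdir(f"{proc}/{pid}/task")
                          if t.isdigit()}
        except OSError:  # process exited between the listing and this read
            tasks[pid] = set()
    return tasks


def scan_proc(proc="/proc", max_pid=None):
    """Live scan (Linux only). Probing every id up to pid_max takes a few
    seconds; anything reported as 'hidden' is a lead to re-check, not a
    verdict, since a process started after the readdir() looks the same."""
    if max_pid is None:
        with open(f"{proc}/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    listed = {int(n) for n in os.listdir(proc) if n.isdigit()}
    probeable = set()
    for n in range(1, max_pid + 1):
        try:
            os.stat(f"{proc}/{n}")  # succeeds for TIDs as well as PIDs
            probeable.add(n)
        except OSError:
            pass
    return classify_probed_ids(listed, probeable, read_tasks(listed, proc))


def own_thread_looks_hidden(proc="/proc"):
    """Self-check: start one extra thread in this process and show that its
    TID is probeable but unlisted, and that the task list explains it.
    Returns None where there is no Linux /proc to look at."""
    if not os.path.isdir(f"{proc}/self/task"):
        return None
    stop, tid_box = threading.Event(), []

    def worker():
        tid_box.append(threading.get_native_id())  # gettid() of this thread
        stop.wait()

    t = threading.Thread(target=worker)
    t.start()
    while not tid_box:
        time.sleep(0.01)
    tid = tid_box[0]
    listed = {int(n) for n in os.listdir(proc) if n.isdigit()}
    probeable = {tid} if os.path.exists(f"{proc}/{tid}") else set()
    tasks = {os.getpid(): {int(x) for x in os.listdir(f"{proc}/self/task")}}
    threads, hidden = classify_probed_ids(listed, probeable, tasks)
    stop.set()
    t.join()
    return tid in threads and not hidden


# Constructed sample (not real system data): 1000 is a three-thread process
# like a JVM, 1010 is single-threaded, 2000 answers the probe but is neither
# listed nor any listed process's thread.
SAMPLE_LISTED = {1, 1000, 1010}
SAMPLE_PROBEABLE = {1, 1000, 1001, 1002, 1010, 2000}
SAMPLE_TASKS = {1: {1}, 1000: {1000, 1001, 1002}, 1010: {1010}}

if __name__ == "__main__":
    print(classify_probed_ids(SAMPLE_LISTED, SAMPLE_PROBEABLE, SAMPLE_TASKS))
    print("own thread explained by task list:", own_thread_looks_hidden())
    if os.path.isdir("/proc/self/task"):
        threads, hidden = scan_proc()
        print(f"{len(threads)} unlisted ids are threads; unexplained: {hidden}")
```

Only ids that answer the probe, are absent from the /proc listing, and are not present in any /proc/<pid>/task/ directory remain in the "hidden" set; a multi-threaded browser or JVM therefore no longer trips the check, while an id that nothing accounts for still does.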

