chkrootkit: LKM trojan(?) and strange cron behaviour

[Greg Lane]

Hi all,

I run stable (built from march 9 sources) on a cheapo machine that routes
my DSL connection (natd) and acts as a file server for my home network.

The only ports open on the outside interface are 22 and port 80 (the 
latter is actually forwarded to apache running in a jail). I run a 
fairly restrictive firewall as well.

I just noticed today that mail had stopped coming and after some 
investigations I realised that cron wasn't doing anything (so fetchmail 
wasn't running). I traced the time to May 12 between 5 and 6am. 
I was logged in to home from work at the time (doing a night
shift looking after an experiment) but I don't remember doing anything
abnormal that night that might have caused this.

A cron process was present so I just killed and restarted it and so 
far things look normal again. Nevertheless, I went further 
investigating and found an interesting message from chkrootkit 
at 3 am May 10 (2 days before):

Checking `lkm'... You have     1 process hidden for readdir command
You have     1 process hidden for ps command
Warning: Possible LKM Trojan installed

That was the only abnormal message that night and everything was 
normal before this (for at least a month) and for the next two 
nights till cron died (I run chkrootkit from cron just before
3am each night). 

I just ran chkrootkit again and it reports nothing. I am building 
static executables on another stable machine at the moment so that 
I can run chkrootkit with known executables. 

My feeling is that cron was wedged in some fashion and this has nothing 
to do with the strange chkrootkit result. But it concerns me a little.
My questions are:

Has anyone ever had cron stuck in this fashion? 

Has anyone ever seen this message from chkrootkit before and 
determined it was a false alarm?  (Note that I am running stable
and this is not the known problems with chkrootkit and current.)

Would you be concerned?!?!?

Cheers,
Greg