chkrootkit: LKM trojan(?) and strange cron behaviour

Jason Stewart jstewart at rtl.org
Thu May 15 05:26:54 PDT 2003


> Hi Jason, 
> 
> Sorry for the delay in replying. I had to prepare a couple of lectures
> over the last two days.
> 
> I am glad someone else has at least seen this before. I found
> virtually nothing when I went searching the lists.
> I presume that this has something to do with Apache
> spawning processes in the middle of chkrootkit running?
> I don't really know though. (My web site is hardly very active!)

Yes, I believe that this is precisely the reason for the false alarm.
I've read something on Usenet about just that scenario about 6 months
ago.

> The thing that concerned me most was the fact that it happened near
> when cron decided to stop working. Have you (or anyone else
> for that matter) seen cron just stop like that? The process was
> there, but doing nothing. Again, a search of the lists got me a few hits
> but nothing obvious and nothing recent.

Did you search for a core file? Cron may have dumped core for some
reason or other. You could do a backtrace with GDB and try to see
what caused it to die.

Cheers,
Jason




More information about the freebsd-questions mailing list