Weird Network Manager Problem (Updated)

[JB]

Mike Dwiggins <mike <at> azdwiggins.com> writes:

> 
>   JB,
> 
> I figured you or someone else might like to know this.  I killed the dhc 
> process and cleaned up the .conf files did a restart on Network Manage 
> and everything worked!
> 
> Ran chkrootkit and it hit on netstat as Infected (imagine that).  It 
> also reported a possible LKM Trojan intrusion.  I then ran rkhunter and 
> it threw warnings on the following files:
> /bin/netstat
> /bin/ps
> /usr/bin/top
> /usr/bin/lsof
> 
> It also reported undocumented password change and group file changes.
> 
> Password I could see with me going through Webmin to reset the root 
> password but, I was careful to change nothing else much less groups!
> 
> I rebooted and the problem was back just as before!
> 
> With that I threw up my hands and have WipeDrive going on the drives in 
> DoD mode!
> 
> Hope this might help someone!
> 
> Again thanks for the help!
> 

Hi,

congratulations, even if that does not seem appropriate :-)

You should test your other servers with both security programs as well.
You should do it on a regular basis, by the way.

Rkhunter installs as a cron job as well and sends a report to your system mail
box.
# ls /etc/cron.daily/
... rkhunter ...

Keep around some good (and up-to-date) live-cd (Knoppix, etc) that also has 
those security programs on it (check that beforehand).
It must be kept up-to-date (downloaded and burned) frequently due to changes in
attack patterns recognition.
But it is safer to perform the scan from a read-only media.

There is a clear sense of apprehension in Fedora community :-)

JB