Possible Rootkit (was Re: It Works fine)

Steven Stern subscribed-lists at sterndata.com
Mon Dec 10 22:50:24 UTC 2007


Karl Larsen wrote:
> Jeff Krebs wrote:
>> * Karl Larsen (k5di at zianet.com) wrote:
>>  
>>>    After so many problems seen day after day it is nice I think to 
>>> hear about a success.
>>>
>>> F8 was installed from a DVD and came right up with a video problem 
>>> cuzz I have a Nvidia video card. Fixed in 5 minutes with Nvidia 
>>> binary. Then audio problems and found pulse audio the problem. I was 
>>> told to yum remove and I did and audio is fine again.
>>>
>>>    I have had all the updates and they appear to be real Updates! So 
>>> today December 10 2007 my F8 is working just fine. I have just one 
>>> problem. I     
>>
>> I will mark this down on my calendar, and ensure that it's engraved 
>> in stone to pass down to historians.  Such a feat was certainly 
>> unthinkable :)
>>
>>  
>>> seem to have a rootkit somewhere in the /home/karl/ directories. I 
>>> have RTK and this afternoon I plan to find the thing, or discover I 
>>> have no rootkit but rather another kind of problem.
>>>
>>> Karl
>>>     
>>
>> How do you know that you have a root kit?
>>
>>
>> Jeff Krebs
>>
>>   
>    I really do not know Jeff. But often, while using Firefox I get an 
> attack that puts a cross hatch screen on and removes the keyboard and 
> mouse, and puts a single tone out the audio channels and only a hard 
> reset will clear it.
>
>    This is how I think a rootkit would work and so I got rkhunter and 
> right now I am trying to get it to check /home but have not found out 
> how to do this :-)
>
> Karl
>
>
The rootkits I've seen are very quiet. They survive by NOT doing 
noticeable things.  They quietly install servers or bots in obscure 
corners of the system in hidden directories.  What you have sounds more 
like a cat playing in the wires under the desk. (I have personal 
experience with that, too).

What does chkrootkit show?



