default log files


usopso
2004-05-20, 12:41 PM CDT
First of all, 'HELLO' to all fedoraforum.org members, mods and admins!

I installed Fedora 2 successfully a few days ago, but I couldn't find the kernel and syslog files in the directory /var/log. Could someone please tell me what log files FC2 installs by default?
Why am I asking this? Because I couldn't find kernel logs and syslog files in the directory, and when I check with the program chkrootkit I get the warnings below:

First check:
Checking `lkm'... You have 9 process hidden for readdir command
You have 9 process hidden for ps command
Warning: Possible LKM Trojan installed

Second check, about 3 hours later:
Checking `slapper'... Warning: Possible Slapper Worm installed

But when I check with rkhunter, I get no warnings.

And today, while I was surfing the net, my PC suddenly rebooted by itself without my giving any command! (I was downloading the FC2 DVD .iso with BitTorrent.)

I do ps, du, ls, top, but there is no suspicious file.

Do you have any idea what is going on?

Thanks a lot in advance.

LordMorgul
2004-05-23, 01:06 AM CDT
I'm not familiar with 'slapper', however the lack of log files is something to worry about.

The boot log should be /var/log/boot.log and should be there immediately after booting.
Kernel messages are sent to /var/log/messages.
Security info goes to /var/log/secure.
Login info should be in /var/log/wtmp (and can be viewed with utmpdump < /var/log/wtmp).

There are many more, but if these files are missing completely it could indicate the system has been compromised. If so, it was a very sloppy job by the cracker -- just wiping all the logs. I would suggest keeping that system isolated until you can dig deeper, and possibly just backing up needed data and reinstalling it.

These log files are controlled / chosen by the config file /etc/syslog.conf. If the system is comp'd, that file is most likely modified to at least copy the log messages elsewhere.

usopso
2004-05-23, 11:41 AM CDT
I reinstalled FC2 and ran chkrootkit right after, and what should I meet with but the same warnings, like:
Checking `lkm'... You have 6 process hidden for readdir command
You have 6 process hidden for ps command
Warning: Possible LKM Trojan installed

I e-mailed chkrootkit's author about the matter, but didn't receive an answer yet. When I check with rkhunter everything is OK!
Thanks for your answer!

ja4
2004-07-23, 10:25 PM CDT
I have the same messages on FC2, kernel 2.6.7. Using 'chkproc -v' in the chkrootkit directory will display the PID of the processes, then you can look at /proc/PID#/cmdline to see what program it is coming from.

All such processes reported as hidden from readdir and ps are from mozilla-bin-mail for me.

Then I found this page, which claims that this is normal for Mozilla.

http://www.redhat.com/archives/fedora-test-list/2004-April/msg01586.html
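The triage ja4 describes (take the PIDs from `chkproc -v`, look at /proc/PID/cmdline) can be scripted so every reported PID gets an answer. The shell script below is an added example, not code from the thread or from chkrootkit: for each PID it reads /proc and classifies the entry as already gone (a transient process that exited between chkproc's two listings), a thread of another process (it reads the `Tgid:` line of /proc/PID/status; a thread's Tgid is its parent process, which is why a multithreaded program like Mozilla or MySQL can look "hidden"), or a real process, and prints the owning command line. Function names are the example's own.

```shell
#!/bin/sh
# Added example: triage PIDs reported as "hidden" by a chkproc-style check.
# Usage: triage_pids 1234 1235 ...   (PIDs taken from `chkproc -v` output)

# Thread-group id of a PID from /proc/PID/status; empty if the entry is gone.
tgid_of() {
    awk '/^Tgid:/ { print $2; exit }' "/proc/$1/status" 2>/dev/null
}

# Command line with the NUL separators turned into spaces. Kernel tasks and
# zombies have an empty cmdline, so fall back to the Name: line in brackets.
cmdline_of() {
    c=$(tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline")
    if [ -n "$c" ]; then
        echo "$c"
    else
        echo "[$(awk '/^Name:/ { print $2; exit }' "/proc/$1/status" 2>/dev/null)]"
    fi
}

# Classify one PID: "exited", "thread <tgid>", or "process".
classify_pid() {
    pid="$1"
    tg=$(tgid_of "$pid")
    if [ -z "$tg" ]; then
        echo exited
    elif [ "$tg" != "$pid" ]; then
        echo "thread $tg"
    else
        echo process
    fi
}

# One line per PID: what it is and which command line owns it.
triage_pids() {
    for pid in "$@"; do
        kind=$(classify_pid "$pid")
        case "$kind" in
            exited)  printf '%s\texited (transient process, likely a false positive)\n' "$pid" ;;
            thread*) tg=${kind#thread }
                     printf '%s\tthread of %s: %s\n' "$pid" "$tg" "$(cmdline_of "$tg")" ;;
            process) printf '%s\tprocess: %s\n' "$pid" "$(cmdline_of "$pid")" ;;
        esac
    done
}
```

The lines worth a second look are the ones classified as `process`: an entry that still exists in /proc, is a thread-group leader, and yet did not appear in `ps` output is what chkrootkit's LKM warning is really about. Threads and exited entries are the benign explanations this thread ends up with.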

daspez
2004-09-13, 02:21 AM CDT
Same under RH 9, and I found that the hidden processes are MySQL 3.