# Dodgy system behaviour - possible rootkit?

## Napalm Llama

My system's been acting up for the last couple of months, with various, seemingly unrelated things going wrong.  I ran rkhunter recently, and it threw up warnings for the majority of system commands.  I know the files could have just changed because of updates, but it's still worrying.

The extra-weird thing though is the behaviour of libnss3.so.  My system has two libraries with this name:

/usr/lib/libnss3.so

/usr/lib/mozilla/libnss3.so

Chrome depends on the Mozilla one, even though equery says it isn't claimed by any packages.  Trouble is, Chrome won't start unless I replace the Mozilla library with a symlink to the main one.  So I move /usr/lib/mozilla/libnss3.so to e.g. /usr/lib/mozilla/libnss3.so.old, or /usr/lib/mozilla/libnss3.soveryold, or /usr/lib/mozilla/libnss3backup, and replace it with a symlink to /usr/lib/libnss3.so.  And a few days later, without fail, the symlink has changed.  Instead of pointing to the correct library, it now points right back to the mozilla one, no matter what name I changed it to.  I don't see how an automated script could do that.

Does this sound like rootkit behaviour - e.g. replacing the libnss library so that an attacker can listen in on SSL traffic?  Or am I just being paranoid?

----------

## Ant P.

That definitely isn't right. I've got half a dozen browsers installed and there's no /usr/lib/mozilla/libnss.so on my system.

----------

## Hu

*Napalm Llama wrote:*

> I ran rkhunter recently, and it threw up warnings for the majority of system commands.

Although false positives can occur in some cases, they are usually not particularly numerous.  Please share the warnings so we can analyze them.

----------

