LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-11-2010, 10:13 PM   #1
moxieman99
Member
 
Registered: Feb 2004
Distribution: Dabble, but latest used are Fedora 13 and Ubuntu 10.4.1
Posts: 425

Rep: Reputation: 147
rkhunter hangs, "another user" logged in when I go to shut down. Please evaluate.


Running Ubuntu 10.4.1 (2.6.32.24 kernel) on an old machine (Dell Dimension 2400 -- celeron 2.4 gig chip). Set up two user accounts, me and "guest." I connect to the internet wirelessly through a router. There is one other computer, running WinVista, on the network, physically cabled into the router.

Freevo also creates a user account apparently, but I downloaded and installed Freevo, and assume that is normal behavior.

The computer is used as a normal desktop, not as a server.

Been getting a lot of incoming hits on my firewall, and found some outgoing connections that didn't make a lot of sense, so I downloaded and installed ClamAV and rkhunter, turned off my connection to the internet and ran both ClamAV and rkhunter.

ClamAV hung on some /sys/devices and /sys/kernel files, so I wound up excluding both /sys/devices and /sys/kernel in order to run it to completion. It came back with no detected viruses.

I set rkhunter to enable all tests and let it loose. Rkhunter gave me warnings for /usr/bin/curl and when it was checking running processes for deleted files. It hung (as in I left it running for two hours and it didn't progress) after it returned "none found" after checking running processes for suspicious files -- it did not say what test it was working on when it hung; "none found" for the suspicious files test were the last words in the verbose display it gave while running. I shut down the terminal session.

I know from Google that /usr/bin/curl is frequently a false positive.

So I go to shut down the Linux computer and it tells me that I have to give the authorization password because another user is logged in. I immediately check, and the guest account is not being used, Freevo is not being used, and I had only used sudo with root.

So I think I've been compromised. Before I look at CERT guidelines, and possibly wipe and reinstall, can anyone hazard a guess based on the above facts as to anything I can check to see if my suspicions are correct about being compromised? I assume that rkhunter doesn't normally take two hours to complete one test, and the "another user logged in" bit spooked me.

Thanks,

Moxieman
 
Old 09-12-2010, 01:02 AM   #2
aus9
LQ 5k Club
 
Registered: Oct 2003
Location: Western Australia
Distribution: Icewm
Posts: 5,827

Rep: Reputation: Disabled
Hi

Until unSpawn replies....

1) Try uploading your /var/log/rkhunter.log to a file sharing site and posting a link here please.

2) How do you stop Freevo? Ignoring the autologin feature, does it run as a daemon?

Try using root powers to stop it, maybe /etc/init.d/freevo stop

3) Ignoring that you may be compromised, what does the command

Code:
who
report as logged in users? (There may be more.)

4) Why have you set up a username called guest?

That name is in itself a little risky. Have you tested its password online?

5) After saving that log, re-run

rkhunter --list tests

and so on, one bit at a time. Bear in mind that RKH will search for some extra applications that you may have installed to use in some tests.

good luck
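Following aus9's points 3 and 5, an added shell example (not code from this thread or from the rkhunter project): it flags login sessions that do not belong to an expected account and runs rkhunter test groups one at a time under a timeout, so a stalled test gets named. The `who` sample is constructed, and the rkhunter test names in the usage comment are assumptions to confirm against `rkhunter --list tests`.

```shell
#!/bin/sh
# Added example, not code from the thread. Implements aus9's points 3 and 5:
# account for every login session before trusting the "another user is
# logged in" prompt, and run rkhunter's test groups one at a time so a
# stalled test is named instead of stalling the whole scan.

# Constructed sample of who(1) output (not the poster's machine):
# name, tty, date, time, and an optional origin in parentheses.
SAMPLE_WHO='moxieman tty7         2010-09-11 20:02 (:0)
moxieman pts/0        2010-09-11 21:15 (:0.0)
guest    pts/1        2010-09-11 21:40 (192.168.1.50)
freevo   pts/2        2010-09-11 21:52'

# unexpected_sessions WHO_OUTPUT "user1 user2 ..."
# Prints "name tty origin" for each session whose login name is not in the
# expected list; prints nothing when every session is accounted for.
unexpected_sessions() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 4 && !($1 in ok) {
            src = (NF >= 5) ? $5 : "(local)"
            print $1 " " $2 " " src
        }'
}

# session_owners WHO_OUTPUT: the distinct login names, sorted, one per line.
# Compare against the accounts you know you created (plus ones an installer
# added, like the freevo account in this thread).
session_owners() {
    printf '%s\n' "$1" | awk 'NF >= 4 { print $1 }' | sort -u
}

# run_tests_one_at_a_time TEST...: run each rkhunter test group by itself
# under a 15-minute ceiling (GNU coreutils timeout exits 124 on expiry).
# Needs root. Test names come from `rkhunter --list tests`; --enable limits
# the run to the named tests per rkhunter(8).
run_tests_one_at_a_time() {
    for t in "$@"; do
        printf '== %s\n' "$t"
        timeout 900 rkhunter --check --skip-keypress --nocolors --enable "$t" \
            || printf '!! %s exited %s (124 = timed out)\n' "$t" "$?"
    done
}

# Live use (uncomment on the machine under review):
#   unexpected_sessions "$(who)" "moxieman"
#   session_owners "$(who)"
#   run_tests_one_at_a_time running_procs deleted_files suspscan   # names assumed
```

An empty result from unexpected_sessions with only your own account listed means the shutdown prompt is not explained by utmp sessions, and the next place to look is which accounts own running processes.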
 
Old 09-12-2010, 06:49 AM   #3
moxieman99
Member
 
Registered: Feb 2004
Distribution: Dabble, but latest used are Fedora 13 and Ubuntu 10.4.1
Posts: 425

Original Poster
Rep: Reputation: 147
Quote: Originally Posted by aus9 (post #2, quoted in full above)
"Guest" was added to the setup on the off chance that someone else would use the computer -- no one (knowingly) has, so it has not been used. When I wipe and reinstall (there is nothing on the computer that I need, since I'm just experimenting with Ubuntu, so I can readily do that) I will not add a standing guest account.

Freevo must be running as a daemon, since it never asked me if I wanted to set it up as a user. I was surprised that it set up a user account. I may just not install it next time.

I'll turn it on and run "who" and check the rkhunter log. If there's anything I don't understand, I'll post.

Thanks.
 
All times are GMT -5.