On Sun, Mar 27, 2011 at 4:09 PM, walt <w41...@gmail.com> wrote:
> I just got an email from cron on my ~amd64 machine, containing these lines:
>
> Checking 'find'... INFECTED
> Checking 'netstat'... INFECTED
>
> Took me a few minutes to deduce that sys-forensics/chkrootkit was the source
> of those messages. I ran chkrootkit manually and found the same messages in
> the output.
>
> I then nervously re-emerged findutils and net-tools, but chkrootkit again found
> the same binaries to be "INFECTED".
>
> Running chkrootkit on my ~x86 machine turns up no such infections even though
> the same packages are installed on both machines.
>
> Anyone have any insight into how chkrootkit works, or why the different
> results?
>
> Or, can anyone reproduce my problem?
chkrootkit is old, has not been updated in years+, and those are false alarms.
I got the exact same ones.

Basically, chkrootkit is just grepping for a string inside those files:

/usr/bin/find: sharefile.h
/bin/netstat: sockaddr.h

You may find that if you strip those 2 binaries of debug data, the false
positives go away.
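As an added illustration (not code from the thread or from chkrootkit itself), here is a Python model of the check the reply describes: a plain substring search for the two strings named above, plus a lookup of which ELF section the match lands in, which is what separates a debug-info false positive from a real hit. The ELF64 field offsets are the standard ones; the two "find" images are constructed fixtures standing in for a -g build and a stripped build.

```python
import struct

# Signatures named in the thread: chkrootkit flags a binary when the string occurs anywhere in it.
SIGNATURES = {"find": b"sharefile.h", "netstat": b"sockaddr.h"}

SHDR = "<IIQQQQIIQQ"  # ELF64 section header: name, type, flags, addr, offset, size, link, info, align, entsize

def build_sample_elf(sections):
    """Construct a minimal ELF64 image (header + section bodies + section table)
    from {name: bytes}. A test fixture only; it is not an executable program."""
    names = list(sections) + [".shstrtab"]
    shstr = b"\0" + b"".join(n.encode() + b"\0" for n in names)
    bodies = list(sections.values()) + [shstr]
    body = b"".join(bodies)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0, 64 + len(body), 0, 64, 0, 0, 64, len(names) + 1, len(names))
    shdrs, off, name_off = struct.pack(SHDR, *[0] * 10), 64, 1  # index 0 is the null section
    for n, b in zip(names, bodies):
        shdrs += struct.pack(SHDR, name_off, 1, 0, 0, off, len(b), 0, 0, 1, 0)
        off, name_off = off + len(b), name_off + len(n) + 1
    return ehdr + body + shdrs

def section_containing(data, pos):
    """Name of the ELF64 section whose file range covers byte offset pos, else None."""
    shoff, = struct.unpack_from("<Q", data, 0x28)                 # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    hdrs = [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    strtab = hdrs[shstrndx][4]                                     # offset of .shstrtab
    for h in hdrs[1:]:
        if h[4] <= pos < h[4] + h[5]:
            return data[strtab + h[0]:data.index(b"\0", strtab + h[0])].decode()
    return None

def naive_check(tool, data):
    """chkrootkit-style verdict: substring present anywhere -> 'INFECTED'."""
    return "INFECTED" if SIGNATURES[tool] in data else "not infected"

def triage(tool, data):
    """Same match, but report where it lives: a hit inside a .debug_* section is
    the debug-info false positive described in the thread, not a rootkit."""
    pos = data.find(SIGNATURES[tool])
    if pos < 0:
        return "clean"
    sec = section_containing(data, pos)
    return f"false positive ({sec})" if sec and sec.startswith(".debug") else f"INFECTED ({sec})"

# Constructed samples: the same 'find' with debug strings kept, and after strip.
FIND_DEBUG = build_sample_elf({".rodata": b"find: usage\0", ".debug_str": b"find.c\0sharefile.h\0"})
FIND_STRIPPED = build_sample_elf({".rodata": b"find: usage\0"})

if __name__ == "__main__":
    for label, img in (("debug build", FIND_DEBUG), ("stripped", FIND_STRIPPED)):
        print(f"{label}: naive={naive_check('find', img)}  triage={triage('find', img)}")
```

On a real system the same triage can be done by hand with `strings -a` plus `readelf -S`, or simply by comparing the verdict before and after `strip` as the reply suggests.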