This is a well-known issue, and is mentioned in /usr/share/doc/chkrootkit/README.FALSE-POSITIVES and in the upstream FAQ: http://www.chkrootkit.org/faq/#8
Simply put, chkrootkit should not contain a whitelist of acceptable dotfiles by default, as a rootkit could simply use the files listed in the whitelist as known good hiding places. That being said, the newer Debian/Ubuntu packages contain a patch that adds a "-e" option that lets administrators add their own whitelist. I think this is a reasonable idea and it should be included in the hardy package so chkrootkit can be used by system admins without constantly getting false positives.

--
chkrootkit falsely flags files owned by Firefox 3 and Sun Java 6 valid packages
https://bugs.launchpad.net/bugs/575945
