This is a well-known issue, and is mentioned in
/usr/share/doc/chkrootkit/README.FALSE-POSITIVES and in the upstream
FAQ: http://www.chkrootkit.org/faq/#8

Simply put, chkrootkit should not contain a whitelist of acceptable
dotfiles by default, as a rootkit could simply use the files listed in
the whitelist as known good hiding places.

That being said, the newer Debian/Ubuntu packages contain a patch that
adds a "-e" option that lets administrators add their own whitelist. I
think this is a reasonable idea and it should be included in the hardy
package so chkrootkit can be used by system admins without constantly
getting false positives.

-- 
chkrootkit falsely flags files owned by Firefox 3 and Sun Java 6 valid packages
https://bugs.launchpad.net/bugs/575945