This is an additional document added to the Fedora RPM package of

chkrootkit.

-----

It is in the nature of some of chkrootkit's checks that there may be some

false positives among the reported findings. The chkrootkit user is

advised to examine such files more closely (display them, query the RPM

database about them, compare with backups on read-only media) and use

another layer of protection (such as an intrusion detection tool).

For example, where it is searched for hidden files below /usr/lib, which

begin with a dot, chkrootkit may report files which belong into valid RPM

packages, or which have been created at run-time by some software, and

which are innocent. The output could look like this (the lines have been

wrapped for readability):

Searching for suspicious files and dirs, it may take a while... 

/usr/lib/firefox-1.5.0.3/.autoreg

/usr/lib/firefox-1.5.0.2/.autoreg

/usr/lib/firefox-1.5.0.8/.autoreg

/usr/lib/firefox-1.5.0.1/.autoreg

/usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock

/usr/lib/qt-3.3/etc/settings/.qtrc.lock

/usr/lib/firefox-1.5/.autoreg

/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist

/usr/lib/firefox-1.5.0.4/.autoreg

In this example, the files are valid files from Firefox (previous and

current versions), Perl and the Qt GUI toolkit, but only the ".packlist"

file is included in the main "perl" package. Creating and maintaining a

simple white-list inside chkrootkit would bear the risk that a new rootkit

uses the knowledge about white-listed file locations to store its

malicious files.

Also see:  http://www.chkrootkit.org/faq/