This is an additional document added to the Fedora RPM package of
chkrootkit.
-----
It is in the nature of some of chkrootkit's checks that there may be some
false positives among the reported findings. The chkrootkit user is
advised to examine such files more closely (display them, query the RPM
database about them, compare them with backups on read-only media) and to
use another layer of protection (such as an intrusion detection tool).
For example, when it searches for hidden files below /usr/lib, i.e. files
whose names begin with a dot, chkrootkit may report files which belong to
valid RPM packages, or which have been created at run time by some
software, and which are innocent. The output could look like this (the
lines have been wrapped for readability):
Searching for suspicious files and dirs, it may take a while...
/usr/lib/firefox-1.5.0.3/.autoreg
/usr/lib/firefox-1.5.0.2/.autoreg
/usr/lib/firefox-1.5.0.8/.autoreg
/usr/lib/firefox-1.5.0.1/.autoreg
/usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock
/usr/lib/qt-3.3/etc/settings/.qtrc.lock
/usr/lib/firefox-1.5/.autoreg
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
/usr/lib/firefox-1.5.0.4/.autoreg
In this example, the files are valid files from Firefox (previous and
current versions), Perl and the Qt GUI toolkit, but only the ".packlist"
file is included in the main "perl" package; the others were created at
run time. Creating and maintaining a simple white-list inside chkrootkit
would carry the risk that a new rootkit uses the knowledge about
white-listed file locations to store its malicious files.
Another example is a check that looks for files in a location which is
used by a valid package nowadays. The output looks like this:
Searching for OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security
Both files are included in the "libgcj" package, however:
$ rpm --query --file /usr/lib/security/classpath.security
libgcj-4.1.1-51.fc6
and they are false positives, as the package verifies cleanly:
$ rpm --verify libgcj
$
unless something has managed to manipulate the system in such a way that
simple checks like the above cannot be trusted.
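The rpm --query / rpm --verify triage described above, scripted over chkrootkit output, as an added example that is not part of chkrootkit or the Fedora package; the function names, the status labels and the sample report lines are made up here.

```shell
#!/bin/sh
# Added example (not chkrootkit or Fedora package code): triage the paths that
# chkrootkit reports by asking the RPM database who owns each file and whether
# that package still verifies, i.e. the manual steps above, scripted.
# Usage on a real system:  chkrootkit | sh triage.sh

# Classify one path, printing "<path> <status> <package>".
#   MISSING  - no such file on this system
#   UNOWNED  - no package claims it; examine it by hand
#   MODIFIED - owner package fails rpm --verify; do not trust it
#   VERIFIED - owner package verifies cleanly; most likely a false positive
triage_path() {
    path=$1
    [ -e "$path" ] || { printf '%s MISSING -\n' "$path"; return 0; }
    # rpm prints "file ... is not owned by any package" and exits non-zero
    # for unowned files, so test the exit status rather than the output.
    pkg=$(rpm --query --file --queryformat '%{NAME}\n' "$path" 2>/dev/null) \
        || pkg=""
    pkg=$(printf '%s\n' "$pkg" | head -n 1)   # a file may belong to several
    if [ -z "$pkg" ]; then
        printf '%s UNOWNED -\n' "$path"
    elif rpm --verify "$pkg" >/dev/null 2>&1; then
        # silent and exit 0 means size, digest, mode, owner, ... all match
        printf '%s VERIFIED %s\n' "$path" "$pkg"
    else
        printf '%s MODIFIED %s\n' "$path" "$pkg"
    fi
}

# Pull every absolute path out of chkrootkit output, including ones that
# trail a "Searching for ..." message on the same line.
extract_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Read chkrootkit output on stdin and triage each path it names.
triage_report() {
    extract_paths | while IFS= read -r p; do triage_path "$p"; done
}

# Demo over constructed lines shaped like the reports above; it only runs
# where rpm exists, and on a current system most paths will be MISSING.
if command -v rpm >/dev/null 2>&1; then
    triage_report <<'EOF'
Searching for suspicious files and dirs, it may take a while...
/usr/lib/firefox-1.5.0.3/.autoreg
Searching for OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security
EOF
fi
```

A VERIFIED result only says the owning package is intact according to the RPM database; if the database itself is suspect, fall back to the read-only media comparison mentioned above.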