chkrootkit reports ps and netstat are INFECTED if their respective packages (sys-process/procps-3.2.5-r1 and sys-apps/net-tools-1.60-r11) are emerged with CFLAGS="-O2 -g". It doesn't report anything else interesting. If I change CFLAGS to "" or "-O2" and re-emerge those packages, then they are reported as not infected (so I assume the INFECTED indication is a false positive). Here is the output of emerge info: Portage 2.0.51.22-r3 (default-linux/x86/2005.0, gcc-3.3.6, glibc-2.3.5-r2, 2.6.13-gentoo-r3 i686) ================================================================= System uname: 2.6.13-gentoo-r3 i686 AMD Athlon(tm) XP 1900+ Gentoo Base System version 1.6.13 dev-lang/python: 2.3.5-r2, 2.4.2 sys-apps/sandbox: 1.2.12 sys-devel/autoconf: 2.13, 2.59-r6 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1 sys-devel/binutils: 2.15.92.0.2-r10 sys-devel/libtool: 1.5.20 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-g -O2" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.1/share/config /usr/kde/3.2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-g -O2" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig distlocks fixpackages nostrip sandbox sfperms strict userpriv" GENTOO_MIRRORS="http://gentoo.osuosl.org/ ftp://gentoo.ccccom.com ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo http://mirror.datapipe.net/gentoo http://gentoo.mirrors.easynews.com/linux/gentoo/ http://gentoo.ccccom.com" LANG="en_US.UTF-8" LC_ALL="en_US.UTF-8" LINGUAS="en ja" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage" USE="x86 3dnow X Xaw3d aalib acl alsa apm arts audiofile avi berkdb bindist bitmap-fonts bzip2 canna cdr cjk crypt cups curl debug doc dvd eds emboss encode esd exif expat fam flac foomaticdb fortran freetype freewnn gd gdbm gif glut gmp gnome gpm gstreamer gtk gtk2 guile idn imagemagick imlib ipv6 java joystick jpeg junit kde kdexdeltas lcms libg++ libwww mad maildir mbox mikmod mng mozilla mozsvg mp3 mpeg mule ncurses nls noantlr nobcel nobeanutils nobsh nocommonslogging nocommonsnet nodrm nojdepend nojsch nojython nolog4j nooro noregexp norhino noxalan noxerces ogg oggvorbis openal opengl oss pam pcre pdflib perl pic png python qt quicktime readline ruby scanner sdl slang speex spell sse ssl svga tcltk tcpd tetex tiff truetype truetype-fonts type1-fonts udev unicode usb vorbis wmf xine xinerama xml xml2 xmms xv xvid zlib video_cards_matrox linguas_en linguas_ja userland_GNU kernel_linux elibc_glibc" Unset: ASFLAGS, CTARGET, LDFLAGS, MAKEOPTS
Created attachment 73613 [details] Here's the complete output of chkrootkit -q showing ps and netstat INFECTED I get essentially the same output (different process numbers), except with ps and netstat not showing as infected, when I re-emerge the affected packages with CFLAGS not containing -g.
Hmmm... This needs to be fixed upstream. See http://www.chkrootkit.org/ - Contacting the Authors at the bottom of the page.