chkrootkit gives a false positive if running portsentry for ports, aka it gives the below:
Checking `bindshell'... INFECTED (PORTS: 1524 31337)
Stopping portsentry removes that error. But I suggest the ebuild have a warning added so that people running portsentry are aware of this. It also gives an error for sniffer if people run dhcpd.
Reproducible: Always
Steps to Reproduce:
Is there a way of configuring chkrootkit to ignore scanning those ports?
This is actually a chkrootkit FAQ[1]. I've added some einfos that display a warning and point to the chkrootkit FAQ, as well as a few other minor ebuild changes (good timing on this bug report, as I was about to commit them when I saw your bug ;p).
[1] http://www.chkrootkit.org/
http://www.chkrootkit.org/ -- scrolling down there I see:
7. I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself to unused ports, probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).
Unfortunately it doesn't give any solutions. A lot of people might be startled as I was to see that false positive and not realize it was false. Luckily someone else pointed it out to me, but obviously that's quite a port range it can give false positives for. Which is why I suggest just adding the ewarn flag or something to the ebuild. Then it will beep and put text in yellow warning people that run portsentry.
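When chkrootkit reports INFECTED on the bindshell test, the useful next step is to find out which process actually holds each flagged port, rather than assuming either a rootkit or a false positive. The following added example (not part of this bug thread or of chkrootkit) parses `ss -tlnp` output, cross-references it with the bindshell port list from the FAQ quoted above, and marks listeners owned by a known decoy daemon such as portsentry as expected and everything else as needing a look. The `ss` sample and the EXPECTED_BINDERS set are constructed assumptions; adjust the set to the daemons you run.

```python
import re

# Ports probed by chkrootkit's bindshell test, from the chkrootkit FAQ entry above.
BINDSHELL_PORTS = {114, 465, 511, 1008, 1524, 1999, 3879, 4369, 5665, 10008,
                   12321, 23132, 27374, 29364, 31336, 31337, 45454, 47017,
                   47889, 60001}

# Daemons that deliberately bind decoy ports on this host (assumption; edit per host).
EXPECTED_BINDERS = {"portsentry"}

# Constructed sample of `ss -tlnp` output; not captured from a real system.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      1            0.0.0.0:1524      0.0.0.0:*     users:(("portsentry",pid=1301,fd=5))
LISTEN 0      1            0.0.0.0:31337     0.0.0.0:*     users:(("portsentry",pid=1301,fd=9))
LISTEN 0      5            0.0.0.0:4369      0.0.0.0:*     users:(("epmd",pid=4417,fd=3))
"""

# One LISTEN line: local addr:port, peer, then the first ("name",pid=N ...) owner.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')


def triage_bindshell(ss_output):
    """Return (port, process, pid, verdict) for every listener on a bindshell port.

    verdict is "expected" when the owning process is a known decoy daemon,
    otherwise "investigate" so that a human confirms what is really listening.
    """
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a socket without owner info
        port = int(m.group(2))
        if port not in BINDSHELL_PORTS:
            continue  # not one of the ports chkrootkit flags
        proc, pid = m.group(3), int(m.group(4))
        verdict = "expected" if proc in EXPECTED_BINDERS else "investigate"
        findings.append((port, proc, pid, verdict))
    return findings


def ports_to_investigate(ss_output):
    """Ports on the bindshell list held by a process not in EXPECTED_BINDERS."""
    return sorted(p for p, _, _, v in triage_bindshell(ss_output) if v == "investigate")


if __name__ == "__main__":
    for port, proc, pid, verdict in triage_bindshell(SAMPLE_SS_OUTPUT):
        print(f"port {port:<6} {proc:<12} pid {pid:<6} {verdict}")
```

On a live host, feed it the real output with `triage_bindshell(subprocess.run(["ss", "-tlnp"], capture_output=True, text=True).stdout)`; a port on the list with no listener at all is reported by chkrootkit only when something answers, so an empty result means the alert deserves a closer look rather than dismissal.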
Oops, just looked down and saw your other comment. I have been having some weirdness with fetchyahoo since that upgrade (no biggie really, but just going through a pile of stuff in that inbox now) and replied to the other post before it via the email link. Thanks for the new additions to the files. I went on a security hunt on my system before finding out it was a false positive. Nothing like flu-induced brain fog and a security false positive at the same time. :P