When using chkrootkit, I always get:

Searching for suspicious files and dirs, it may take a while...
/usr/lib/.keep
/usr/lib/locale/ru_RU/LC_MESSAGES/.keep
/usr/lib/perl5/5.8.4/i686-linux/auto/DB_File/.packlist
... and more.

As those files are created by the Gentoo system, could it be possible for chkrootkit not to complain when seeing those files?

Reproducible: Always
Steps to Reproduce:
1.
2.
3.

Portage 2.0.51-r10 (default-linux/amd64/2004.3/lib64, gcc-, glibc-2.3.4.20041102-r0, 2.6.10 x86_64)
=================================================================
System uname: 2.6.10 x86_64 AMD Athlon(tm) 64 Processor 3000+
Gentoo Base System version 1.6.8
Python: dev-lang/python-2.3.4 [2.3.4 (#1, Jun 5 2004, 14:02:34)]
ccache version 2.3 [enabled]
dev-lang/python: 2.3.4
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.5, 1.9.4, 1.4_p6, 1.8.5-r2, 1.6.3, 1.7.9
sys-devel/binutils: 2.15.92.0.2-r1, 2.15.92.0.2-r2
sys-devel/libtool: 1.5.10-r2
virtual/os-headers: 2.6.8.1-r3
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CFLAGS="-O2 -funroll-loops -pipe -fexpensive-optimizations"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -funroll-loops -pipe -fexpensive-optimizations"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig buildsyspkg ccache cvs digest sandbox severe strict userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ http://gentoo.mirror.sdv.fr http://ftp.gentoo.skynet.be/pub/gentoo/ http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://gentoo.tiscali.nl/gentoo/ http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ http://ftp.linux.ee/pub/gentoo/distfiles/ http://gentoo.osuosl.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j 1"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 X Xaw3d aalib acl acpi adns aim alsa apache2 apm audiofile avi berkdb bidi bitmap-fonts bonobo caps cdr crypt cscope cups curl dga directfb divx4linux doc dvd dvdr emacs emacs-w3 emul-linux-x86 encode esd evo f77 fam fastcgi fbcon fftw flac font-server fortran gb gd gdbm ggi gif ginac gmp gnome gnutls gphoto2 gpm gps gstreamer gtk gtk2 gtkhtml guile icq imagemagick imap imlib ipv6 jabber jack jp2 jpeg junit ladcca lcms ldap leim libg++ libgda libwww lzw lzw-tiff mad maildir matrox mbox mcal memlimit mikmod motif mozilla mpeg msn multilib nas ncurses netcdf nls odbc offensive oggvorbis opengl oscar oss pam pcre pdflib perl pic plotutils png ppds python quicktime readline ruby sasl scanner sdl slang slp snmp speekx speex ssl svg szip tcltk tcpd tetex theora tiff truetype truetype-fonts type1-fonts unicode usb userlocales vhosts videos wmf wxwindows xface xinerama xml xml2 xmms xosd xpm xrandr xv xvid yahoo yaz zlib"
Unset: LDFLAGS
From the chkrootkit FAQ (http://www.chkrootkit.org/), number 8:

--
chkrootkit is reporting some files and dirs as suspicious: `.packlist', `.cvsignore', etc. These are clearly false positives. Can't you ignore these?

Ignoring some files and dirs could impair chkrootkit's accuracy. An attacker might use this, since he knows that chkrootkit will ignore certain files and dirs.
--

I have to agree with upstream in this case.
.keep files are part of the Gentoo system! So you always know that they exist, and they should be empty. I wonder how an empty file can be exploited???
And .packlist perl files seem quite easy to check: if all filenames included are in the Perl install dir (or man), there is no problem. But I agree that this may be more problematic than .keep files. Note that I never talked about .cvsignore files, which are user files so can't be ignored, imho. I just wanted to talk about .keep and .packlist files, as shown in my request. Sorry if this wasn't clear.
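The two checks proposed in this thread (a Gentoo .keep is only benign when empty; a .packlist is only benign when every path it lists stays inside the Perl or man tree) as a small triage script. This is an added example, not chkrootkit's or Gentoo's code; the PERL_PREFIXES allowlist and the sample packlist are constructed assumptions, and the script checks paths only, not the contents of the listed files, so it reduces the false positives rather than replacing chkrootkit's own scan.

```python
import os
import posixpath
import re
from typing import List, Tuple

# Assumed location of the Perl tree and man pages on this box; on a real
# system derive these from `perl -V:installsitelib` and friends.
PERL_PREFIXES: Tuple[str, ...] = ("/usr/lib/perl5/", "/usr/share/man/", "/usr/bin/")

# ExtUtils::Packlist lines are "path" optionally followed by key=value pairs.
_KV_TAIL = re.compile(r"(?:\s+\S+=\S+)+$")

# Constructed sample: three genuine DB_File entries plus two that escape the tree.
SAMPLE_PACKLIST = """\
/usr/lib/perl5/5.8.4/i686-linux/auto/DB_File/DB_File.so
/usr/lib/perl5/5.8.4/i686-linux/DB_File.pm type=file
/usr/share/man/man3/DB_File.3pm
/usr/lib/perl5/5.8.4/../../../../tmp/notperl
/home/user/x
"""

def parse_packlist(text: str) -> List[str]:
    """Return the paths listed in a .packlist, with attribute tails stripped."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            paths.append(_KV_TAIL.sub("", line))
    return paths

def packlist_violations(text: str, prefixes: Tuple[str, ...] = PERL_PREFIXES) -> List[str]:
    """Entries that resolve outside the allowed trees ('..' components are normalised first)."""
    return [p for p in parse_packlist(text)
            if not posixpath.normpath(p).startswith(prefixes)]

def keep_is_benign(path: str, size: int) -> bool:
    """A Gentoo .keep only exists to keep its directory; any content is suspicious."""
    return os.path.basename(path) == ".keep" and size == 0

def audit(path: str) -> List[str]:
    """Check one file chkrootkit flagged; an empty list means nothing found."""
    name = os.path.basename(path)
    if name == ".keep":
        return [] if keep_is_benign(path, os.path.getsize(path)) else [f"{path}: .keep is not empty"]
    if name == ".packlist":
        with open(path, encoding="utf-8", errors="replace") as fh:
            return [f"{path}: entry outside Perl tree: {p}" for p in packlist_violations(fh.read())]
    return [f"{path}: not a known Gentoo artefact, review by hand"]

if __name__ == "__main__":
    import sys
    for flagged in sys.argv[1:]:
        print("\n".join(audit(flagged)) or f"{flagged}: OK")
```

Feed it the paths chkrootkit printed, e.g. `python3 audit.py /usr/lib/.keep /usr/lib/perl5/5.8.4/i686-linux/auto/DB_File/.packlist`.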