
Re: chkrootkit message



On Mon 23 Jun 2014 at 19:56:15 +0400, Reco wrote:

> On Mon, Jun 23, 2014 at 10:03:30AM +0200, François Patte wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > Bonjour,
> > 
> > I get this alert message (concerning lightdm) from chkrootkit
> > 
> > ! RUID          PID TTY    CMD
> > ! root         3153 tty7   /usr/bin/X :0 -seat seat0 -auth
> > /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
> > 
> > What does it mean?
> 
> A false positive. See this, for example:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677315

There is no well-documented case of chkrootkit ever giving a true
positive; false positives are its stock in trade. What do you expect of
a program which searches for things which do not exist or which have no
relevance (if they ever had) on a modern Linux?

Clapping loudly is very effective at keeping elephants out of my garden. :)
What use is chkrootkit?

(Yes, I know it doesn't answer the question, but my response could lead
to a mass purging of chkrootkit from users' systems :) ).

