This is a well-known issue, and is mentioned in /usr/share/doc/chkrootkit/README.FALSE-POSITIVES and in the upstream FAQ: http://www.chkrootkit.org/faq/#8
Simply put, chkrootkit should not contain a whitelist of acceptable dotfiles by default, as a rootkit could simply use the files listed in the whitelist as known good hiding places.
That being said, the newer Debian/Ubuntu packages contain a patch that adds a "-e" option that lets administrators add their own whitelist. I think this is a reasonable idea and it should be included in the hardy package so chkrootkit can be used by system admins without constantly getting false positives.