chkrootkit-0.44 netstat cmd infected ?

Laurens Blankers laurens.blankers at
Sat Nov 6 02:54:54 PST 2004

> I've been recently hacked, and after a chrootkit check i've
> noticed that all version of LFS (latest and earlier) seems to have an
> infected NETSTAT cmd after a chrootkit check.

If I recall correctly, chrootkit is flagging netstat as infected
because it contains debug symbols. This is a bug in chrootkit, but if
you want to be sure, run:

strip /usr/bin/netstat

which will remove the debug symbols. And re-run chrootkit, if netstat
still gets flagged it is truelly infected.


More information about the lfs-support mailing list