chkrootkit-0.44 netstat cmd infected ?

Jean-Charles Passard jcharles at
Sat Nov 6 03:00:53 PST 2004

Pierre wrote:

> Hi
> I've been using several versions of a home-made, LFS-based Linux box for 
> a while now. I've recently been hacked, and after a chkrootkit check 
> I've noticed that all versions of LFS (latest and earlier) seem to 
> have an infected NETSTAT cmd after a chkrootkit check. Has anyone 
> noticed this before?
> regards
> Pierre

Hello Pierre,

This behaviour is normal: your netstat is not stripped. So addr.h 
is present in the debugging symbols, which makes chkrootkit react as if that 
binary had just been compiled, thinking it is a hacked version.
Just strip it and the chkrootkit warning will disappear :)
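
Added example, not part of the original thread and not chkrootkit's own code: one way to check the explanation above is to see which ELF sections hold the matched string, since a hit that sits only in sections removed by `strip` points to debug information rather than program code or data. `addr.h` is the string named in the reply; the sample ELF is constructed, and the parser assumes little-endian ELF64.

```python
import struct

# Sections a default `strip` removes: symbol tables and debug info (DWARF or stabs).
STRIPPABLE = (".debug", ".stab", ".symtab", ".strtab")

def sections(elf):
    """Return (name, type, offset, size) for each section of a little-endian ELF64."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    shoff, = struct.unpack_from("<Q", elf, 0x28)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    hdrs = [struct.unpack_from("<IIQQQQ", elf, shoff + i * shentsize) for i in range(shnum)]
    strtab = hdrs[shstrndx][4]                      # file offset of .shstrtab
    out = []
    for name, typ, _flags, _addr, off, size in hdrs:
        end = elf.index(b"\0", strtab + name)
        out.append((elf[strtab + name:end].decode(), typ, off, size))
    return out

def locate(elf, needle):
    """Names of the sections whose file contents contain `needle`."""
    return [n for n, typ, off, size in sections(elf)
            if typ != 8 and needle in elf[off:off + size]]   # 8 = SHT_NOBITS, no file data

def only_in_strippable(elf, needle):
    """True when every hit sits in a section that `strip` would delete."""
    hits = locate(elf, needle)
    return bool(hits) and all(h.startswith(STRIPPABLE) for h in hits)

def build_sample(debug=True):
    """Constructed minimal ELF64 for the demo; not a real netstat binary."""
    secs = [("", 0, b""), (".rodata", 1, b"Active Internet connections\0")]
    if debug:
        secs.append((".debug_str", 1, b"addr.h\0"))
    secs.append((".shstrtab", 3, None))
    names, name_off = b"\0", []
    for n, _, _ in secs:
        name_off.append(len(names) if n else 0)
        names += (n.encode() + b"\0") if n else b""
    body = hdrs = b""
    for (n, typ, data), noff in zip(secs, name_off):
        data = names if data is None else data
        hdrs += struct.pack("<IIQQQQIIQQ", noff, typ, 0, 0, 64 + len(body), len(data), 0, 0, 1, 0)
        body += data
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, 64 + len(body), 0, 64, 0, 0, 64, len(secs), len(secs) - 1)
    return ehdr + body + hdrs
```

To check a real binary, pass the bytes read from it to `locate` in place of the constructed sample. A hit in a section such as `.rodata` or `.text` is not explained by missing stripping.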

