Ubuntu – chkrootkit shows “tcpd” as INFECTED. Is it a false positive

chkrootkitmalwarerootkitSecuritytcpdump

Scan by chkrootkit shows "tcpd" as being INFECTED.
Although a scan by rkhunter shows ok,(except for regular false positives)

Shall I be worried?
(I'm on Ubuntu 16.10 with 4.8.0-37-generic)

Best Answer

In this Ubuntu Forums post, user kpatz tested this in a fresh 16.10 VM and chkrootkit still complained, making this a false positive. You can always check if a file has been tampered by comparing the md5sum from the package:

$ dpkg -S /usr/sbin/tcpd
tcpd: /usr/sbin/tcpd
$ (cd /; md5sum -c /var/lib/dpkg/info/tcpd.md5sums)
usr/sbin/safe_finger: OK
usr/sbin/tcpd: OK
usr/sbin/tcpdchk: OK
usr/sbin/tcpdmatch: OK
usr/sbin/try-from: OK
usr/share/man/man8/safe_finger.8.gz: OK
usr/share/man/man8/tcpd.8.gz: OK
usr/share/man/man8/tcpdchk.8.gz: OK
usr/share/man/man8/tcpdmatch.8.gz: OK
usr/share/man/man8/try-from.8.gz: OK

Of course, the md5sums file itself maybe tampered, (and so could md5sum itself and so on...).

Related Question