On my Debian Etch server I’ve got Zimbra Open Source Edition mail solution installed and when I use chkrootkit to scan for rootkits it reports the following
Checking `bindshell'... INFECTED (PORTS: 465)
After a quick research I realized that this port 465 is SMTP over SSL on a Zimbra installation.
Further investigation reveals that port 465 is run by
# fuser -vn tcp 465 USER PID ACCESS COMMAND 465/tcp: root 19053 F.... master
And then I checked pid 19053
# ps aux|grep 19053 root 19053 0.0 0.2 6628 1236 ? Ss Feb09 0:00 /opt/zimbra/postfix-18.104.22.168z/libexec/master
This tells me that the postfix daemon is running on port 465 and obviously chkrootkit is giving me a false positive.