One thing to be wary of is the number of false positives coming from chkrootkit. It seems to alert for just about every .* directory it can find on the system, including bits of JDK and volatile tmpfs, and is subject to race conditions, falsely complaining about “hidden” processes when all that’s happened is a few have died since it compared lists. Processes in detached screen sessions seem to show up based on their ttys not being found in utmp. It seems to think my init is “INFECTED”, which is complete hokum. All this because it’s a kludged-up load of shell scripts relying on grep for ill-defined regexp matches.
So. I’m with rkhunter - it’s far more intelligent in operation, doing things like checking for changes in passwd and root-equivalent users between runs, for example. I can and do run both on all dozen-or-more Debian boxes, but I take rkhunter far more seriously and only look for *changes* in output from chkrootkit.
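One way to do the run-to-run comparison of chkrootkit output described in the comment above, as an added example that is not part of the original comment. The function names (`normalize`, `new_findings`, `demo`) are hypothetical, and the two reports are constructed samples, not real chkrootkit output.

```shell
#!/bin/sh
# Added example: show only what is new between two chkrootkit runs.
export LC_ALL=C   # sort and comm must agree on collation

# normalize FILE: reduce a report to stable, comparable lines.
# Blank lines are dropped, whitespace is collapsed, and any field that is a
# bare number (e.g. a hidden-process count that varies with timing) becomes N.
normalize() {
    awk 'NF { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) $i = "N"
              $1 = $1; print }' "$1" | sort -u
}

# new_findings BASELINE CURRENT: print lines in CURRENT that BASELINE lacks.
new_findings() {
    nf_dir=$(mktemp -d) || return 1
    normalize "$1" > "$nf_dir/base"
    normalize "$2" > "$nf_dir/cur"
    comm -13 "$nf_dir/base" "$nf_dir/cur"
    rm -rf "$nf_dir"
}

# demo: run the comparison on two constructed reports (assumed sample text).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/yesterday" <<'EOF'
Checking `amd'... not found
Checking `init'... INFECTED
/usr/lib/jvm/.hidden-example
Checking `lkm'... You have 2 process hidden for readdir command
EOF
    cat > "$d/today" <<'EOF'
Checking `amd'... not found
Checking `init'... INFECTED
/usr/lib/jvm/.hidden-example
/tmp/.new-example
Checking `lkm'... You have 5 process hidden for readdir command
EOF
    new_findings "$d/yesterday" "$d/today"
    rm -rf "$d"
}

demo   # prints: /tmp/.new-example
```

The standing false positives and the changing process count drop out, leaving only the line that was not there on the previous run.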