chkrootkit output... hopefully nothing's broken


Loki3
07-27-2004, 12:24 PM
Searching for suspicious files and dirs, it may take a while...
/usr/lib/php/.filemap /usr/lib/php/.lock /usr/lib/php/.registry /usr/lib/.keep
/usr/lib/perl5/5.8.2/i386-linux/.packlist
/usr/lib/perl5/vendor_perl/5.8.2/i386-linux/auto/Net/SSLeay/.packlist
/usr/lib/perl5/vendor_perl/5.8.2/i386-linux/auto/XML/Generator/.packlist
/usr/lib/perl5/vendor_perl/5.8.2/i386-linux/auto/XML/Parser/.packlist
/usr/lib/locale/ru_RU/LC_MESSAGES/.keep /lib/.keep
/lib/dev-state/.keep /lib/udev-state/.keep
/usr/lib/php/.registry


Chkrootkit put that out. I don't think it's anything out of the ordinary considering I have perl and php installed on the server but I just wanted to know if anyone else gets similar results when running chkrootkit.

bwkaz
07-27-2004, 07:05 PM
That part of chkrootkit checks for any directory whose name starts with a dot and whose permissions do not allow world read (and maybe execute) access. Basically, it's kind of like virus detection programs' heuristics (at least in theory) -- if someone breaks into your machine and installs a rootkit that the chkrootkit people don't know about, they're likely (I'd say 50/50 chance, but that's a pure guess) to create a hidden directory readable only by them. Or hidden files readable only by them -- that's what some of those results appear to be.

It's no big deal if you know why they're all there.

The stuff under /usr/lib/perl5 is from CPAN.

I think that the various .keep files are there to stop something (your package manager?) from deleting the directory that they're in.

The PHP stuff appears normal, but I don't do much with PHP.
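A small triage helper for output like the listing above, added here as an illustration and not taken from chkrootkit or from anyone in this thread: it walks the same kind of library trees for dot-named files and directories, prints each one with its mode and owner so the reader can see who is allowed to read it, and separates the basenames this thread identifies as expected (CPAN .packlist, package-manager .keep placeholders, the PHP .filemap/.lock/.registry files) from anything else. The allowlist and the directory roots are assumptions for the example; adjust them to the system being checked.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code: reproduce the heuristic described
# above (hidden entries under library trees) and tag each hit as OK or SUSPECT.

# Constructed allowlist: basenames the thread explains as normal leftovers.
KNOWN_OK='.packlist .keep .filemap .lock .registry'

is_known_ok() {
    base=$(basename "$1")
    for ok in $KNOWN_OK; do
        [ "$base" = "$ok" ] && return 0
    done
    return 1
}

# Print one line per hidden entry under the given roots:
#   TAG MODE OWNER PATH
# MODE/OWNER come from GNU stat, with a BSD stat fallback, so that an entry
# readable only by an unexpected user stands out immediately.
hidden_entries() {
    find "$@" -name '.*' ! -name '.' ! -name '..' 2>/dev/null |
    while IFS= read -r path; do
        mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path" 2>/dev/null || echo '?')
        owner=$(stat -c '%U' "$path" 2>/dev/null || stat -f '%Su' "$path" 2>/dev/null || echo '?')
        if is_known_ok "$path"; then
            tag=OK
        else
            tag=SUSPECT
        fi
        printf '%s %s %s %s\n' "$tag" "$mode" "$owner" "$path"
    done
}

# Number of entries outside the allowlist; 0 means nothing left to explain.
suspect_count() {
    hidden_entries "$@" | grep -c '^SUSPECT ' || true
}

# Typical invocation on the trees the original listing came from:
#   hidden_entries /usr/lib /lib
#   suspect_count /usr/lib /lib
```

Anything tagged SUSPECT still needs a human to explain it, in the same way bwkaz does for the .packlist and .keep files; the script only removes the known-benign noise.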

Loki3
07-27-2004, 07:36 PM
Well, I think they're all supposed to be there. I'm running PHP and perl...

Nothing out of the ordinary in /var/log and my IDS didn't have anything to say.

I'm guessing they're supposed to be there.