Security Basics mailing list archives

False positive of chkrootkit or hacked?


From: John Doe <security.department () tele2 ch>
Date: Wed, 20 Apr 2005 10:19:17 +0200

Hi all

(I think it's not a chkrootkit specific question... sorry if I see this wrong)

This morning I noticed the following warnings from chkrootkit 0.44 in mails sent by 
cron:

at 2005-4-14, 2005-4-15 and 2005-4-17:
   You have     5 process hidden for readdir command
   You have     5 process hidden for ps command
   Warning: Possible LKM Trojan installed

and at 2005-4-16:
   You have     1 process hidden for ps command
   Warning: Possible LKM Trojan installed

Neither in the months before nor up to today have there been such warnings.

==

I think - but am not sure, hence my question to this list - that these are false 
positives, and I would like to know your opinion about that.

==

I have the following reasons to think of false positives:

[+] http://www.chkrootkit.org/faq/, 6.: 
   "If you run chkproc on a server that runs lots of short time processes it 
could report some false positives. chkproc compares the ps output with 
the /proc contents. If processes are created/killed during this operation 
chkproc could point out these PIDs as suspicious."

[++] I run a _static_ kernel (gentoo 2.4.28-hardened-r5)

[++] I install patches on a daily basis (with some exceptions when absent) 
after tests on a local test box, so the system should be up to date

[+] no shell/ssh/... access by others

[+] It's a server with a small amount of software/services
   (a)
   127.0.0.1:3306 (mysql)
   127.0.0.1:110
   127.0.0.1:9999  (backend apache)
   [ip1]:80 (frontend apache) [3]
   127.0.0.1:8082  (backend apache)
   127.0.0.1:8083  (backend apache)
   [ip1]:53 ("hidden" bind9) [1]
   127.0.0.1:53 
   127.0.0.1:8888  (backend apache)
   127.0.0.1:953
   [ip1]:25 (postfix, public)
   127.0.0.1:25 
   [ip2]:443
   [ip1]:[highport] (ssh2) [2]
[1] accessible only from slave DNSs (by config/firewall)
[2] no ip restrictions, only pubkeyauth
[3] serving "only" a mod_perl app (via backend) and static pages; no php, cgi 
etc.

[++] cron restarts, just before running chkrootkit, an apache mod_perl 
application which takes, when heavily used, several seconds to restart. At the 
time of the chkrootkit warnings, it was actually heavily used during the day.
Additionally, there are 5 apache backend processes started (coinciding with 
the 5 hidden processes mentioned by chkrootkit)

==

On the other side,
[-] tripwire runs, but...  *shameonme*
[-] all services on a single server, including firewall, due to budget

==

Any comments on the probability of being hacked (and others, of course) are 
very much appreciated, thanks in advance!

joe
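The chkproc race the post quotes from the chkrootkit FAQ (PIDs that are created or killed between the /proc probe and the ps listing look "hidden") can be told apart from a process that is really hidden by repeating the comparison: a forking or exiting apache child is hidden in one pass only, a PID a kernel module hides from ps is hidden every time. The script below is an added example, not chkrootkit's own code and not something the poster ran. It assumes a Linux host with procps-style `ps -eo pid=` and /proc/sys/kernel/pid_max; the sample frames (the five apache children and PID 4242) are constructed to replay the scenario in the post, not measurements.

```python
"""Re-check chkproc-style "hidden process" findings over several passes.

Added example, not chkrootkit's own code. It mimics what chkproc does (probe
PIDs directly, compare with what ps lists) and repeats the comparison, so PIDs
that were only forking or exiting during one pass drop out while a PID that is
missing from ps every time stays on the list.
"""
import os
import subprocess
import time
from typing import Callable, List, Optional, Set, Tuple

# One pass: (PIDs that answered a direct probe, PIDs that ps listed)
Sample = Tuple[Set[int], Set[int]]


def hidden_in_sample(probed: Set[int], listed: Set[int]) -> Set[int]:
    """PIDs that exist according to the probe but are absent from the ps listing."""
    return probed - listed


def confirm_hidden(sampler: Callable[[], Sample], passes: int = 3,
                   pause: float = 1.0) -> Set[int]:
    """Return only the PIDs that were hidden in every pass.

    A process that starts or exits between the probe and the ps run shows up as
    hidden in that pass only; a process a kernel module hides from ps shows up in
    all of them.  Stops early once nothing is left to confirm.
    """
    confirmed: Optional[Set[int]] = None
    for i in range(passes):
        probed, listed = sampler()
        hidden = hidden_in_sample(probed, listed)
        confirmed = hidden if confirmed is None else confirmed & hidden
        if not confirmed:
            return set()
        if i < passes - 1:
            time.sleep(pause)
    return confirmed


def live_sample() -> Sample:
    """Linux sampler: probe PIDs 1..pid_max with kill(pid, 0), then run ps.

    kill(pid, 0) delivers no signal; ProcessLookupError means there is no such
    process, PermissionError means it exists but belongs to another user (so it
    counts as present).  With pid_max = 4194304 the loop takes a few seconds.
    """
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    probed: Set[int] = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        probed.add(pid)
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    listed = {int(tok) for tok in out.split()}
    return probed, listed


def replay(frames: List[Sample]) -> Callable[[], Sample]:
    """Sampler that returns the constructed frames in order, repeating the last."""
    state = {"i": 0}

    def sampler() -> Sample:
        frame = frames[min(state["i"], len(frames) - 1)]
        state["i"] += 1
        return frame
    return sampler


# Constructed frames (not real measurements) replaying the post's scenario.
_BASE = {1, 2, 100, 200, 300}              # long-lived daemons
_APACHE = {501, 502, 503, 504, 505}        # five backend children being (re)started
_LKM = 4242                                # a hypothetical PID that ps never shows

# Race only: the five children exist before ps lists them, then everything agrees.
RACE_FRAMES: List[Sample] = [
    (_BASE | _APACHE, set(_BASE)),
    (_BASE | _APACHE, _BASE | _APACHE),
]

# Race plus a genuinely hidden PID: 4242 answers the probe but ps never lists it.
LKM_FRAMES: List[Sample] = [
    (_BASE | _APACHE | {_LKM}, set(_BASE)),
    (_BASE | _APACHE | {_LKM}, _BASE | _APACHE),
    (_BASE | _APACHE | {_LKM}, _BASE | _APACHE),
]


if __name__ == "__main__":
    print("race only   :", confirm_hidden(replay(RACE_FRAMES), pause=0))  # set()
    print("race + LKM  :", confirm_hidden(replay(LKM_FRAMES), pause=0))   # {4242}
    print("this machine:", confirm_hidden(live_sample))
```

Run it as root on the box in question (unprivileged users cannot always see other users' entries in ps the same way the probe does, which would itself produce noise). A set that comes back empty after several passes is what the restart race in the post looks like; a PID that survives every pass deserves a look at /proc/PID/exe, /proc/PID/cmdline and the open sockets before anything else. The caveat is that a kernel module which hooks kill() or the /proc directory listing can lie to the probe as well, so a consistent empty result is evidence against a crude process-hider, not proof against a kernel-level one; that is why chkproc cross-checks several views rather than trusting one, and why a file-integrity baseline (the tripwire the poster mentions) matters independently of this check.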