I installed security/rkhunter with security/nmap support, and it kept showing TCP ports 1524, 6667, and 31337 as possible ports where a rootkit could have interacted. Running sockstat showed security/portsentry interacting with those ports on a freshly installed system. No known rootkits were detected, but it seems like portsentry triggered a false positive on those TCP port interactions. Any opinions about dismissing what seem to be likely false positives? I realize that hidden malware would like someone to dismiss it or be undetected.
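The sockstat cross-check described in the post can be scripted so that each flagged port is attributed to a listener and anything not held by the expected daemon stands out. This is an added example, not part of the original post: the function names are hypothetical, the sockstat lines are constructed sample data, and the column order (USER COMMAND PID FD PROTO LOCAL FOREIGN) is assumed to match FreeBSD's sockstat.

```shell
#!/bin/sh
# Added example: map each port rkhunter flagged to the process holding it.
# Assumes sockstat columns: USER COMMAND PID FD PROTO LOCAL FOREIGN.

FLAGGED_PORTS="1524 6667 31337"   # the ports named in the post

# Constructed sample of `sockstat -4 -l` output (not captured from a real host).
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     portsentry 812   3  tcp4   *:1524                *:*
root     portsentry 812   4  tcp4   *:6667                *:*
root     portsentry 812   5  tcp4   *:31337               *:*
root     sshd       700   4  tcp4   *:22                  *:*
EOF
}

# Reads sockstat output on stdin; $1 is a space-separated port list.
# Prints "port command pid user" per port, or "port NONE - -" when
# no listener is visible for it.
attribute_ports() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, want, " ") }
        NR > 1 && $5 ~ /^tcp/ {
            p = $6
            sub(/.*:/, "", p)               # keep only the port number
            if (!(p in owner)) owner[p] = $2 " " $3 " " $1
        }
        END {
            for (i = 1; i <= n; i++) {
                p = want[i]
                if (p in owner) print p, owner[p]
                else            print p, "NONE - -"
            }
        }'
}

# Counts ports in $1 whose listener is not the expected command $2.
# A port with no visible listener also counts: rkhunter saw it in use,
# so a missing owner needs a closer look rather than dismissal.
unexpected_count() {
    attribute_ports "$1" | awk -v ok="$2" '$2 != ok { c++ } END { print c + 0 }'
}

sample_sockstat | attribute_ports "$FLAGGED_PORTS"
echo "unexpected: $(sample_sockstat | unexpected_count "$FLAGGED_PORTS" portsentry)"
```

On a live host, replace `sample_sockstat` with `sockstat -4 -l`. A count of 0 only says the visible listener is named portsentry; it does not verify the binary behind that name.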