Subject: pkg/31813: pkgsrc chkrootkit reports login INFECTED
To: None <,,>
From: None <>
List: pkgsrc-bugs
Date: 10/14/2005 15:09:10
>Number:         31813
>Category:       pkg
>Synopsis:       chkrootkit reports login INFECTED
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Oct 14 15:09:10 +0000 2005
>Originator:     Eric Mumpower
>Release:        NetBSD 2.0.2 / pkgsrc -current
System: NetBSD ablative 2.0.2 NetBSD 2.0.2 (ABLATIVE) #7: Mon Jul 11 16:23:34 EDT 2005 root@new-ablative:/usr/src/sys/arch/i386/compile/ABLATIVE i386
Architecture: i386
Machine: i386


The latest version of chkrootkit in pkgsrc reports that 'login' is
INFECTED on NetBSD 2.0.2. The sha1 signature of the binary in question:
  SHA1 (/usr/bin/login) = e77134fd6b8d8d133a4a5732795829ce3d74521f

I retrieved
onto an unrelated system and confirmed on that system: both that the
sha1 sum of the stock login binary matches mine, and that the
triggering string is present.

Rather than assume NetBSD is distributing infected binaries, I'm going
to assume chkrootkit is reporting a false positive, and report it
here. :-)

In particular, this command finds a match using either system:

  $ strings ./usr/bin/login | egrep -c "^root$"

This test occurs in the following line of chkrootkit:chk_login():
  ret=`${strings} -a ${CMD} | ${egrep} -c "${GENERAL}"`


Build and install chkrootkit package from latest pkgsrc, on NetBSD
2.0.2 system. Then:
  bash-2.05b# /usr/pkg/bin/chkrootkit -q
  Checking `login'... INFECTED


Assuming this is in fact not a problem, I would assume the chkrootkit
script should be patched to not perform that test on NetBSD.
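
Added example, not part of the original report and not chkrootkit code: a shell sketch of the triage the report describes, where a "^root$" string hit on a binary is weighed against a SHA1 taken from an independently obtained stock copy. The function names and sample files are constructed for illustration, and tr is used as an approximation of `strings -a`.

```shell
#!/bin/sh
# Added example, not chkrootkit code. Names and sample bytes are constructed.

# Count printable runs that are exactly "root", like the quoted egrep "^root$".
# tr approximates `strings -a` here, so binutils is not required.
count_root_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -c '^root$' || true
}

# SHA1 of a file as bare hex, using whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha1 "$1" | awk '{print $NF}'
    fi
}

# triage <binary> <sha1-of-trusted-stock-copy>
# Prints: investigate | false-positive | no-hit
triage() {
    if [ "$(sha1_of "$1")" != "$2" ]; then
        echo investigate        # file differs from the trusted copy
    elif [ "$(count_root_strings "$1")" -gt 0 ]; then
        echo false-positive     # signature fires on the stock binary itself
    else
        echo no-hit
    fi
}

# Constructed stand-ins for a login binary; prints the directory holding them.
make_samples() {
    dir=$(mktemp -d)
    printf 'ELF\001\002login:\000root\000/bin/sh\000' > "$dir/login.stock"
    cp "$dir/login.stock" "$dir/login.local"
    printf 'ELF\001\002login:\000root\000/bin/sh\000extra\000' > "$dir/login.changed"
    echo "$dir"
}

d=$(make_samples)
ref=$(sha1_of "$d/login.stock")   # in practice: hash of a copy from trusted media
echo "local:   $(triage "$d/login.local" "$ref")"
echo "changed: $(triage "$d/login.changed" "$ref")"
rm -rf "$d"
```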