Subject: Re: Chkrootkit 0.44
To: David Maxwell <david@crlf.net>
From: Adrian Portelli <adrianp@stindustries.net>
List: port-i386
Date: 09/14/2004 16:30:13

"sh -x chkrootkit" gives this on a stock 1.6.2 box (with security patches):
+ [ NetBSD = FreeBSD -o NetBSD = NetBSD -o NetBSD = OpenBSD -a 1 0 -eq 1 ]
[: 0: unexpected operator
+ STATUS=0
+ /usr/bin/strings+ /usr/bin/egrep -a
vejeta|xlogin|^@\(#\)klogin\.c|lets_log|sukasuka|/usr/lib/.ark?|SucKIT
/usr/bin/login
+ return 0
+ STATUS=0
+ [ = t ]
+ echo INFECTED
INFECTED
Problem with the script?
adrian.
David Maxwell wrote:
> On Tue, 14 Sep 2004, Richard Ibbotson wrote:
>
>>I ran chkrootkit 0.44 on my i386 based NetBSD 1.62 machine today and
>>found the following in the resulting logs...
>>
>>Checking `login' ... INFECTED
>
>
> Run this - what chkrootkit (0.43) is doing, and tell us the output:
>
> /usr/bin/strings -a /usr/bin/login | egrep 'vejeta|xlogin|^@\(#\)klogin\.c|lets_log|sukasuka|/usr/lib/.ark?|SucKIT'
>
> Also, tell us whether this is a stock 1.6.2 install, or a netbsd-1-6 cvs
> branch...
>
> Also run:
>
> sha1 /usr/bin/login
>
> and tell us the fingerprint.
>
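
The `[: 0: unexpected operator` line in the trace above is a `[` expression that received the two words `1 0` where a single number was expected. The sketch below is an added example, not chkrootkit's code and not part of the original thread (function names and the "not infected" / "not tested" strings are hypothetical). It shows how a two-way verdict turns that broken test into a positive, and how checking the exit status separates "test false" from "test could not run".

```shell
#!/bin/sh
# Added illustration. All names and verdict strings are hypothetical.

# finding_expected OS FLAG
# Exit 0: finding is expected on this OS; 1: it is not; 2: the test itself broke.
finding_expected() {
    # $2 is deliberately unquoted: a value such as "1 0" splits into two
    # words and '[' aborts instead of answering true or false.
    # The error text is discarded here only to keep the demo output short.
    [ "$1" = FreeBSD -o "$1" = NetBSD -o "$1" = OpenBSD -a $2 -eq 1 ] 2>/dev/null
}

# Two-way verdict: a broken test is indistinguishable from a false one.
naive_verdict() {
    if finding_expected "$1" "$2"; then
        echo "not infected"
    else
        echo "INFECTED"
    fi
}

# Three-way verdict: an exit status above 1 means the check could not run.
careful_verdict() {
    rc=0
    finding_expected "$1" "$2" || rc=$?
    case $rc in
        0) echo "not infected" ;;
        1) echo "INFECTED" ;;
        *) echo "not tested" ;;
    esac
}

# Constructed inputs: a clean flag, then the two-word value seen in the trace.
for flag in "1" "1 0"; do
    printf '%-5s naive=%s careful=%s\n' "[$flag]" \
        "$(naive_verdict NetBSD "$flag")" "$(careful_verdict NetBSD "$flag")"
done
```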