Subject: Re: Chkrootkit 0.44
To: Richard Ibbotson <richard@sheflug.co.uk>
From: David Maxwell <david@crlf.net>
List: port-i386
Date: 09/14/2004 11:16:14

On Tue, 14 Sep 2004, Richard Ibbotson wrote:
> I ran chkrootkit 0.44 on my i386 based NetBSD 1.62 machine today and 
> found the following in the resulting logs...
> 
> Checking `login' ... INFECTED

Run this - what chkrootkit (0.43) is doing, and tell us the output:

/usr/bin/strings -a /usr/bin/login | egrep 'vejeta|xlogin|^@\(#\)klogin\.c|lets_log|sukasuka|/usr/lib/.ark?|SucKIT'

Also, tell us whether this is a stock 1.6.2 install, or a netbsd-1-6 cvs
branch...

Also run:

sha1 /usr/bin/login

and tell us the fingerprint.

-- 
David Maxwell, david@vex.net|david@maxwell.net --> Unless you have a solution
when you tell them things like that, most people collapse into a gibbering, 
unthinking mass.  This is the same reason why you probably don't tell your 
boss about everything you read on BugTraq!    - Signal 11
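
The check requested in the message above, split so that each signature is tested separately and reported next to the string that matched it. This is an added example, not part of the original post and not chkrootkit's own code; the function names and the constructed sample files are assumptions. A hit only identifies which string in the binary tripped the check.

```shell
# Added example, not from the original message. The signatures are the
# alternatives of the egrep pattern quoted in the message, one per line;
# function names and sample files are hypothetical.
SIGS='vejeta
xlogin
^@\(#\)klogin\.c
lets_log
sukasuka
/usr/lib/.ark?
SucKIT'

# Printable strings of a file; approximated with tr where strings(1) is absent.
printable() {
    if command -v strings >/dev/null 2>&1; then
        strings -a "$1"
    else
        LC_ALL=C tr -c '\040-\176' '\n' < "$1"
    fi
}

# Print "signature<TAB>matching string" per hit; return 1 when nothing matches.
login_sig_hits() {
    _hits=$(printf '%s\n' "$SIGS" | while IFS= read -r sig; do
        printable "$1" | grep -E -e "$sig" | while IFS= read -r m; do
            printf '%s\t%s\n' "$sig" "$m"
        done
    done)
    [ -n "$_hits" ] || return 1
    printf '%s\n' "$_hits"
}

# SHA-1 of a file as bare hex, using whichever tool the system provides.
file_sha1() {
    if command -v sha1 >/dev/null 2>&1; then sha1 "$1" | sed 's/.* = //'
    else sha1sum "$1" | cut -d' ' -f1; fi
}

# Constructed sample files (not real binaries): one trips a signature, one does not.
make_samples() {
    printf 'ELF\0\001\002@(#)klogin.c constructed sample\0login: \0' > "$1/login.flagged"
    printf 'ELF\0\001\002login: \0Password:\0' > "$1/login.clean"
}

# Usage: sh thisfile /usr/bin/login
for f in "$@"; do
    login_sig_hits "$f" || echo "no signature matched in $f"
    echo "sha1: $(file_sha1 "$f")"
done
```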