Subject: Re: Chkrootkit 0.44
To: Richard Ibbotson <richard@sheflug.co.uk>
From: David Maxwell <david@crlf.net>
List: port-i386
Date: 09/14/2004 13:16:43

On Tue, 14 Sep 2004, Richard Ibbotson wrote:
> > > I ran chkrootkit 0.44 on my i386 based NetBSD 1.62 machine today and 
> > > found the following in the resulting logs...
> > > 
> > > Checking `login' ... INFECTED
> > 
> > Run this - what chkrootkit (0.43) is doing, and tell us the output:
> > 
> > /usr/bin/strings -a /usr/bin/login | egrep 'vejeta|xlogin|^@\(#\)klogin\.c|lets_log|sukasuka|/usr/lib/.ark?|SucKIT'
>    ^^^^^^^^^^  ^^^^^^^^^^^^^^^^^^^            ^^^^^
> Nothing came back from this at all.

Yes, so the test strings aren't in there. The script is broken.

> SHA1 (/usr/bin/login) = f6232dee29741600fa2ccf223794383665f19263

That's the correct value for 1.6.2.

From another message:
> On Tue, 14 Sep 2004, Adrian Portelli wrote:
> > "sh -x chkrootkit" gives this on a stock 1.6.2 box (with security patches):
> >
> > + [ NetBSD = FreeBSD -o NetBSD = NetBSD -o NetBSD = OpenBSD -a 1 0 -eq 1 ]
> Yup. That's not a valid expression.

So, chkrootkit 0.44 is building up a shell script with a faulty 'if'
statement which is causing the message.

-- 
David Maxwell, david@vex.net|david@maxwell.net
Any sufficiently advanced Common Sense will seem like magic... 
					      - me
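
The failure mode in the `sh -x` trace above, as an added shell example (not chkrootkit's code and not part of the original message): a malformed `[` expression exits with a status above 1, which an `if` treats the same as "false". The function names and sample values are constructed, and it is an assumption that the `1 0` in the trace came from an unquoted expansion that produced two words.

```shell
#!/bin/sh
# Added illustration; names and sample values are constructed, not chkrootkit's.

# Evaluate the expression shape from the "sh -x" trace. $e_flag is expanded
# unquoted on purpose (assumption: that is how "1 0" became two words).
# Prints true, false or error; `[` exits 0, 1, or >1 on a malformed expression.
eval_os_check() {
    e_sys=$1 e_flag=$2
    [ "$e_sys" = FreeBSD -o "$e_sys" = NetBSD -o "$e_sys" = OpenBSD \
        -a $e_flag -eq 1 ] 2>/dev/null && e_rc=0 || e_rc=$?
    case $e_rc in
        0) echo true ;;
        1) echo false ;;
        *) echo error ;;   # malformed expression: neither true nor false
    esac
}

# Same decision without -o/-a chaining. -a binds tighter than -o, so the flag
# only ever qualified the OpenBSD comparison. The flag is validated first, and
# anything that is not a single non-negative integer is reported as an error.
safe_os_check() {
    s_sys=$1 s_flag=$2
    case $s_flag in
        ''|*[!0-9]*) echo error; return 0 ;;
    esac
    case $s_sys in
        FreeBSD|NetBSD) echo true ;;
        OpenBSD) if [ "$s_flag" -eq 1 ]; then echo true; else echo false; fi ;;
        *) echo false ;;
    esac
}

# An `if` cannot tell "false" from "error": both take the else branch.
if_branch() {
    if [ "$1" = NetBSD -a $2 -eq 1 ] 2>/dev/null; then echo then; else echo else; fi
}

for flag in "1" "0" "1 0"; do
    printf 'flag=%-5s raw=%-5s safe=%-5s if-branch=%s\n' "'$flag'" \
        "$(eval_os_check NetBSD "$flag")" "$(safe_os_check NetBSD "$flag")" \
        "$(if_branch NetBSD "$flag")"
done
```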