Comment 27 for bug 454566

Sander (sander-p) wrote :

In most major new distros (including redhat and ubuntu) "strings /sbin/init | grep HOME" returns:
XDG_CACHE_HOME
XDG_CONFIG_HOME

which still triggers an alert (false positive) for suckit rootkit in 14.04.

I checked the suckit source, and it gives:
sk2rc2$ strings ./src/sk | grep HOME
HOME=%s

So it means if we include = into the check, we will correctly detect it.

On line 1000 of chkrootkit it says:

   ### Suckit
   if [ -f ${ROOTDIR}sbin/init ]; then
      if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi
      if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME || \
              cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
        then
        echo "Warning: ${ROOTDIR}sbin/init INFECTED"

-----------
I suggest changing line 1003 from:
      if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME || \
to:
      if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} 'HOME=' || \

and line 541 should also be changed from:
    expertmode_output="${strings} ${ROOTDIR}sbin/init | ${egrep} HOME"
to:
    expertmode_output="${strings} ${ROOTDIR}sbin/init | ${egrep} 'HOME='"
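To show why the tighter pattern removes the false positive, here is an added shell example (not chkrootkit's code and not part of this bug report). It builds three constructed sample files standing in for /sbin/init (one with the XDG_*_HOME strings a modern init carries, one with the `HOME=%s` marker seen in the SucKIT source, one with neither) and runs the same `strings | egrep PATTERN` test with the old pattern `HOME` and the proposed pattern `HOME=`. The `extract_strings` fallback is an assumption for systems without binutils `strings`; it is not what chkrootkit uses.

```shell
#!/bin/sh
# Added example, not chkrootkit source: compare the two egrep patterns
# from the Suckit check against constructed stand-ins for /sbin/init.

# Use binutils `strings` when present; otherwise fall back to a rough
# equivalent (runs of 4+ printable characters, one per line). The
# fallback is an assumption made here, not chkrootkit behaviour.
extract_strings() {
  if command -v strings >/dev/null 2>&1; then
    strings "$1"
  else
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
  fi
}

# suckit_check FILE PATTERN
# Mirrors the shape of chkrootkit's test: `strings FILE | egrep PATTERN`.
# Prints INFECTED if the pattern matches, clean otherwise.
suckit_check() {
  if extract_strings "$1" | grep -E "$2" >/dev/null 2>&1; then
    echo INFECTED
  else
    echo clean
  fi
}

# Constructed sample "binaries" (printable strings separated by NUL bytes),
# written to a temp directory whose path is printed for the caller.
#   init_clean : a modern init that references XDG_CACHE_HOME/XDG_CONFIG_HOME
#   init_sk    : carries the HOME=%s format string seen in the sk source
#   init_plain : neither string
make_samples() {
  d=$(mktemp -d)
  printf 'ELF\0XDG_CACHE_HOME\0XDG_CONFIG_HOME\0systemd\0' > "$d/init_clean"
  printf 'ELF\0HOME=%%s\0/dev/null\0'                      > "$d/init_sk"
  printf 'ELF\0nothing here\0'                             > "$d/init_plain"
  echo "$d"
}

# Stand-alone run: show both patterns against each sample.
if [ "${SUCKIT_DEMO:-1}" = 1 ]; then
  dir=$(make_samples)
  for f in init_clean init_sk init_plain; do
    for pat in HOME 'HOME='; do
      printf '%-11s egrep %-7s -> %s\n' "$f" "$pat" \
        "$(suckit_check "$dir/$f" "$pat")"
    done
  done
fi
```

With the old pattern, `init_clean` is reported INFECTED purely because of `XDG_CONFIG_HOME`; with `HOME=` it is reported clean while `init_sk` is still caught.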