I got the same thing - on an isolated system that I was pretty sure hadn't been compromised during the upgrade. I haven't made the time to check why the following line returns true:
Code:
if ${CMD} -l -u nobody >/dev/null 2>&1
I'm not worried since, according to http://vil.nai.com/vil/content/v_136821.htm, Lupper affects web servers running vulnerable scripts and my web server runs as apache, not nobody. Until I do, I've added the following to the chkrootkit cron job on the box, and they always confirm that the users do not have a crontab and it's a false positive:
Code:
/usr/bin/crontab -l -u apache 2>&1
/usr/bin/crontab -l -u nobody 2>&1
The code from chkrootkit looks like it's supposed to add the value of the STATUS variable (infected or not) to that message. It could be as simple as the "not infected" state not being written to the variable.
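
An added example, not part of the original post and not chkrootkit's own code: a helper for the cron job that reports why a `crontab -l -u USER` test would come out true or false, by separating the exit status from the listing's content. The names `crontab_state` and `CRONTAB_CMD` are hypothetical, and the sketch assumes a Vixie-style crontab that exits non-zero when the user has no crontab.

```shell
#!/bin/sh
# Hypothetical helper (added example). CRONTAB_CMD can be overridden,
# for instance to point at a stub when testing the function.
CRONTAB_CMD=${CRONTAB_CMD:-/usr/bin/crontab}

# crontab_state USER prints one of:
#   none    listing failed (non-zero exit), e.g. "no crontab for USER"
#   empty   listing succeeded, but only blank lines or comments
#   active  listing succeeded with at least one non-comment line
crontab_state() {
    user=$1
    # Same test as the line quoted from chkrootkit, but the output is
    # kept so that an existing-but-empty crontab can be told apart from
    # one that has real entries.
    if out=$("$CRONTAB_CMD" -l -u "$user" 2>/dev/null); then
        if printf '%s\n' "$out" | grep -Eqv '^[[:space:]]*(#|$)'; then
            echo active
        else
            echo empty
        fi
    else
        echo none
    fi
}

# Report every user named on the command line, e.g.:
#   sh crontab_state.sh apache nobody
for u in "$@"; do
    printf '%s: %s\n' "$u" "$(crontab_state "$u")"
done
```

A result of `empty` or `active` means the exit status alone would make the quoted `if` true; `none` means it would not.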