FreeBSD Version:        FreeBSD 4.9-STABLE #2
Platform:               x86

I recently ran chkrootkit and it complained about processes that were in
ps but not in /proc. Usually these are just transient processes but in
this case I investigated and found something weird.

Here's a sample output:
       PID 11252: not in readdir output
       PID 11253: not in readdir output
       PID 11254: not in readdir output

Strangely, ls shows something different
       [56] ls /proc | grep 1125
       11252

Even more strangely, which processes are implicated moves around,
but they always claim to be running out of /etc/periodic,
e.g. 
root    11252  0.0  0.0   672  176  ??  I    10Dec04   0:00.00 /bin/sh - /usr/sbin/periodic security
root    11253  0.0  0.0   648  168  ??  I    10Dec04   0:00.00 /bin/sh - /usr/sbin/periodic security
root    11254  0.0  0.0   648  168  ??  I    10Dec04   0:00.00 /bin/sh - /etc/periodic/security/100.chksetuid


Note the old dates here: I've got a filesystem on a removable drive
that didn't detach cleanly and now some attempts to grovel through
the filesystem tables (e.g. df) hang badly. I can obviously reboot
to clear this error but I wondered if there was any more investigation
I should do before I destroy the "evidence".

Does this look familiar to anyone?

Thanks,
-Ekr
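
The comparison described in the post (PIDs listed by ps versus entries read from /proc) can be repeated over several snapshots to separate transient processes from ones that stay missing. This is an added example, not part of the original post and not chkrootkit's code; the snapshot data, function names and the min_hits threshold are constructed for illustration.

```python
import re

# Constructed snapshots taken a few seconds apart:
# (text of `ps ax`, names returned when reading the /proc directory).
SNAPSHOTS = [
    ("  PID  TT  STAT      TIME COMMAND\n"
     "    1  ??  ILs    0:00.10 /sbin/init --\n"
     "11252  ??  I      0:00.00 /bin/sh - /usr/sbin/periodic security\n"
     "11254  ??  I      0:00.00 /bin/sh - /etc/periodic/security/100.chksetuid\n"
     "20417  p0  R+     0:00.00 ls /proc\n",
     ["curproc", "1"]),
    ("  PID  TT  STAT      TIME COMMAND\n"
     "    1  ??  ILs    0:00.10 /sbin/init --\n"
     "11252  ??  I      0:00.00 /bin/sh - /usr/sbin/periodic security\n"
     "11254  ??  I      0:00.00 /bin/sh - /etc/periodic/security/100.chksetuid\n",
     ["curproc", "1"]),
    ("  PID  TT  STAT      TIME COMMAND\n"
     "    1  ??  ILs    0:00.10 /sbin/init --\n"
     "11252  ??  I      0:00.00 /bin/sh - /usr/sbin/periodic security\n"
     "11254  ??  I      0:00.00 /bin/sh - /etc/periodic/security/100.chksetuid\n",
     ["curproc", "1"]),
]

def ps_pids(ps_text):
    """PIDs from ps output whose first column is the PID (header is skipped)."""
    return {int(p) for p in re.findall(r"^\s*(\d+)\s", ps_text, re.M)}

def proc_pids(names):
    """Numeric entries of /proc; non-PID names such as 'curproc' are ignored."""
    return {int(n) for n in names if n.isdigit()}

def classify(snapshots, min_hits=2):
    """Split PIDs seen by ps but absent from /proc into (persistent, transient).

    A PID missing in at least min_hits snapshots is persistent; one that is
    missing only once most likely exited between the two listings.
    PID reuse is not handled: compare start times as well on a busy host.
    """
    hits = {}
    for ps_text, names in snapshots:
        for pid in ps_pids(ps_text) - proc_pids(names):
            hits[pid] = hits.get(pid, 0) + 1
    persistent = sorted(p for p, n in hits.items() if n >= min_hits)
    transient = sorted(p for p, n in hits.items() if n < min_hits)
    return persistent, transient

if __name__ == "__main__":
    persistent, transient = classify(SNAPSHOTS)
    print("persistently missing from /proc:", persistent)
    print("seen missing once (likely transient):", transient)
```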