Mysql hidden processes
Hello folks,

When I arrived at work this morning I noticed an oh-so-fun email from cron reporting that chkrootkit had found a hidden process. After a good hour of research (and some replaced binaries, of course) I came to the conclusion that it was a false positive. Although, while searching I did notice that I have nine processes hidden from both ps and readdir, all mysql. Example output follows:

    /usr/lib/chkrootkit/chkproc -v -v
    PID 1230(/proc/1230): not in readdir output
    PID 1230: not in ps output
    CWD 1230: /var/lib/mysql
    EXE 1230: /usr/sbin/mysqld
    ... (report the same for 1231 - 1238)
    You have 9 process hidden for readdir command
    You have 9 process hidden for ps command

The command `cat /proc/1230/cmdline` outputs:

    /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock

If I shut down mysqld, chkproc reports nothing, and interestingly, whether or not mysqld is running, the main chkrootkit doesn't report the nine processes hidden.

I did a bit of googling and looking at mysql.com, but I didn't see anything indicating why these processes are hidden from ps and readdir. Does anyone have any insight?

mysqld Ver 4.1.10 for pc-linux-gnu on i386 (Source distribution) on Linux 2.6.9 SMP

Thanks,

--
Chris Wells
Web Developer Lumberjack
Mordam Music Group, Inc.
5920 American Rd E
Toledo, OH 43613

Fry: I must be a robot. Why else would human women refuse to date me?

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
Re: Mysql hidden processes
On Friday 04 November 2005 08:06 am, Chris Wells wrote:
> /usr/lib/chkrootkit/chkproc -v -v
> PID 1230(/proc/1230): not in readdir output
> PID 1230: not in ps output
> CWD 1230: /var/lib/mysql
> EXE 1230: /usr/sbin/mysqld
> ... (report the same for 1231 - 1238)
> You have 9 process hidden for readdir command
> You have 9 process hidden for ps command
>
> The command `cat /proc/1230/cmdline` outputs:
> /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock

Isn't this just nptl showing 1 process instead of 9 because it's shared?

Just add H to the ps command and you will see them.

Jeff
Re: Mysql hidden processes
Jeff Smelser wrote:
> On Friday 04 November 2005 08:06 am, Chris Wells wrote:
>> /usr/lib/chkrootkit/chkproc -v -v
>> PID 1230(/proc/1230): not in readdir output
>> PID 1230: not in ps output
>> CWD 1230: /var/lib/mysql
>> EXE 1230: /usr/sbin/mysqld
>> ... (report the same for 1231 - 1238)
>> You have 9 process hidden for readdir command
>> You have 9 process hidden for ps command
>>
>> The command `cat /proc/1230/cmdline` outputs:
>> /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
>
> Isn't this just nptl showing 1 process instead of 9 because it's shared?
>
> Just add H to the ps command and you will see them.
>
> Jeff

That's pretty much what I figured, but I couldn't find anything specifically noting that. I just wanted to hear it confirmed from someone else before I completely wrote this off as a (sort of) false-positive from chkrootkit.

And yes, as expected, `ps Haux` shows all of them. And `ps aux -L` shows everything with the parent thread listed.

Thanks,
Chris
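
The check the thread arrives at, written out as an added example (not part of the original messages and not chkrootkit's own code): a PID that chkproc reports as hidden is explained if it is a thread of a process that the /proc listing does show. The function names and the leader PID 1229 in the sample tree are assumptions; the thread only gives 1230 to 1238.

```shell
#!/bin/sh
# Triage PIDs reported by chkproc as "not in readdir output".
# Usage on a live system: sh triage.sh 1230 1231 ...

# classify_pid PROCROOT PID prints one of:
#   listed          PID is in the directory listing of PROCROOT
#   thread-of:TGID  PID is a thread (task) of listed process TGID
#   unexplained     neither; needs a closer look (or it has exited)
classify_pid() {
    proc=$1 pid=$2
    case $pid in ''|*[!0-9]*) echo "invalid"; return 2 ;; esac
    if ls "$proc" | grep -qx -- "$pid"; then echo "listed"; return 0; fi
    # The glob only expands thread-group leaders that readdir returns,
    # so a match means a visible process owns this thread ID.
    for t in "$proc"/[0-9]*/task/"$pid"; do
        [ -d "$t" ] || continue
        leader=${t%/task/*}; leader=${leader##*/}
        # Cross-check with the Tgid field of the task's status file.
        tgid=$(awk '$1 == "Tgid:" { print $2; exit }' "$t/status" 2>/dev/null) || tgid=
        if [ "$tgid" = "$leader" ]; then echo "thread-of:$leader"; return 0; fi
    done
    echo "unexplained"
}

# build_sample_proc creates a constructed /proc-like tree for offline use:
# init (1) and a mysqld leader (assumed PID 1229) with one extra thread, 1230.
build_sample_proc() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/1/task/1" "$d/1229/task/1229" "$d/1229/task/1230"
    printf 'Name:\tinit\nTgid:\t1\nPid:\t1\n' > "$d/1/task/1/status"
    printf 'Name:\tmysqld\nTgid:\t1229\nPid:\t1229\n' > "$d/1229/task/1229/status"
    printf 'Name:\tmysqld\nTgid:\t1229\nPid:\t1230\n' > "$d/1229/task/1230/status"
    echo "$d"
}

# Classify any PIDs given on the command line against the live /proc.
for p in "$@"; do
    printf '%s %s\n' "$p" "$(classify_pid /proc "$p")"
done
```

A result of `unexplained` for a PID that still answers at /proc/PID is the case worth investigating further; `thread-of:` matches what `ps Haux` shows.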