From owner-freebsd-security Thu Oct 7 10:56:28 1999 Delivered-To: freebsd-security@freebsd.org Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 50536157D4 for ; Thu, 7 Oct 1999 10:56:14 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id LAA23500 for ; Thu, 7 Oct 1999 11:55:22 -0600 (MDT) Message-Id: <4.2.0.58.19991007104520.043fbbb0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Thu, 07 Oct 1999 10:55:34 -0600 To: security@freebsd.org From: Brett Glass Subject: Random malfunction or hack? Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org One of our servers, which runs FreeBSD, began to post a log message every five minutes indicating that a cron job had bombed. They looked like this: > pid 713 (cron), uid 0: exited on signal 10 > pid 712 (cron), uid 0: exited on signal 10 > pid 718 (cron), uid 0: exited on signal 10 > pid 721 (cron), uid 0: exited on signal 10 > pid 724 (cron), uid 0: exited on signal 10 > pid 727 (cron), uid 0: exited on signal 10 > pid 731 (cron), uid 0: exited on signal 10 The problem vanished when the system was rebooted. The only thing in the standard /etc/crontab for FreeBSD which runs every five minutes is /usr/libexec/atrun, which works with the "at" command. Are there any known exploits or rootkits that might cause "at" to bomb regularly like this? --Brett Glass To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message