From owner-freebsd-security Thu Oct 7 11: 2:34 1999 Delivered-To: freebsd-security@freebsd.org Received: from ruby.internal.looksharp.net (cc360882-a.strhg1.mi.home.com [24.2.221.22]) by hub.freebsd.org (Postfix) with ESMTP id 468C815304 for ; Thu, 7 Oct 1999 11:02:31 -0700 (PDT) (envelope-from bsdx@looksharp.net) Received: from localhost (bsdx@localhost) by ruby.internal.looksharp.net (8.9.3/8.9.1) with SMTP id OAA08031; Thu, 7 Oct 1999 14:01:00 -0400 (EDT) (envelope-from bsdx@looksharp.net) Date: Thu, 7 Oct 1999 14:00:59 -0400 (EDT) From: Adam X-Sender: bsdx@ruby To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Random malfunction or hack? In-Reply-To: <4.2.0.58.19991007104520.043fbbb0@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org What version of FreeBSD? Do you think you might have run low or out of swap just before these messages started appearing? Killing cron and restarting it probably would have done the trick. On Thu, 7 Oct 1999, Brett Glass wrote: >One of our servers, which runs FreeBSD, began to post a log message every >five minutes indicating that a cron job had bombed. They looked like this: > > > pid 713 (cron), uid 0: exited on signal 10 > > pid 712 (cron), uid 0: exited on signal 10 > > pid 718 (cron), uid 0: exited on signal 10 > > pid 721 (cron), uid 0: exited on signal 10 > > pid 724 (cron), uid 0: exited on signal 10 > > pid 727 (cron), uid 0: exited on signal 10 > > pid 731 (cron), uid 0: exited on signal 10 > >The problem vanished when the system was rebooted. > >The only thing in the standard /etc/crontab for FreeBSD which runs every >five minutes is /usr/libexec/atrun, which works with the "at" command. > >Are there any known exploits or rootkits that might cause "at" to bomb >regularly like this? > >--Brett Glass > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message