Date: 15 May 2003 08:26:35 -0400
From: Jason Stewart <jstewart@rtl.org>
To: greg.lane@internode.on.net
Cc: freebsd-questions@freebsd.org
Subject: Re: chkrootkit: LKM trojan(?) and strange cron behaviour
Message-ID: <1053001595.9888.38.camel@mis3c>
In-Reply-To: <20030515004536.GA79264@localhost.bigpond.net.au>
References: <20030513104721.GA24990@localhost.bigpond.net.au> <1052829803.4622.18.camel@mis3c> <20030515004536.GA79264@localhost.bigpond.net.au>

> Hi Jason,
>
> Sorry for the delay in replying. I had to prepare a couple of lectures
> over the last two days.
>
> I am glad someone else has at least seen this before. I found
> virtually nothing when I went searching the lists.

> I presume that this has something to do with apache
> spawning processes in the middle of chkrootkit running?
> I don't really know though. (My web site is hardly very active!)

Yes, I believe that this is precisely the reason for the false alarm.
I've read something on usenet about just that scenario about 6 months
ago.

> The thing that concerned me most was the fact that it happened near
> when cron decided to stop working. Have you (or anyone else
> for that matter) seen cron just stop like that? The process was
> there, but doing nothing. Again, a search of the lists got me a few hits
> but nothing obvious and nothing recent.

Did you search for a core file? Cron may have dumped core for some
reason or the other. You could do a backtrace with GDB and try to see
what caused it to die.

Cheers,
Jason