From owner-freebsd-questions@FreeBSD.ORG Thu May 15 05:26:54 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6521737B401 for ; Thu, 15 May 2003 05:26:54 -0700 (PDT)
Received: from webserver2.rtl.org (rtl-3.i2k.com [63.94.12.207]) by mx1.FreeBSD.org (Postfix) with ESMTP id C509F43FB1 for ; Thu, 15 May 2003 05:26:52 -0700 (PDT) (envelope-from jstewart@rtl.org)
Received: from mis3c.rtl.lan (rtl-2.i2k.com [63.94.12.206]) by webserver2.rtl.org (8.11.6/8.11.6) with ESMTP id h4FCP6j16752; Thu, 15 May 2003 08:25:06 -0400
From: Jason Stewart
To: greg.lane@internode.on.net
In-Reply-To: <20030515004536.GA79264@localhost.bigpond.net.au>
References: <20030513104721.GA24990@localhost.bigpond.net.au> <1052829803.4622.18.camel@mis3c> <20030515004536.GA79264@localhost.bigpond.net.au>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Ximian Evolution 1.0.8 (1.0.8-11)
Date: 15 May 2003 08:26:35 -0400
Message-Id: <1053001595.9888.38.camel@mis3c>
Mime-Version: 1.0
cc: freebsd-questions@freebsd.org
Subject: Re: chkrootkit: LKM trojan(?) and strange cron behaviour
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 15 May 2003 12:26:54 -0000

> Hi Jason,
>
> Sorry for the delay in replying. I had to prepare a couple of lectures
> over the last two days.
>
> I am glad someone else has at least seen this before. I found
> virtually nothing when I went searching the lists.
> I presume that this has something to do with apache
> spawning processes in the middle of chkrootkit running?
> I don't really know though. (My web site is hardly very active!)

Yes, I believe that this is precisely the reason for the false alarm. I've
read something on usenet about just that scenario about 6 months ago.

> The thing that concerned me most was the fact that it happened near
> when cron decided to stop working. Have you (or anyone else
> for that matter) seen cron just stop like that? The process was
> there, but doing nothing. Again, a search of the lists got me a few hits
> but nothing obvious and nothing recent.

Did you search for a core file? Cron may have dumped core for some reason or
the other. You could do a backtrace with GDB and try to see what caused it
to die.

Cheers,
Jason
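The false alarm Greg and Jason are talking about comes from the way a chkproc-style "hidden process" test works: it walks procfs for PIDs, asks ps(1) for PIDs, and flags anything the first view has that the second lacks. The two views are taken at different instants, so an Apache child that is forked and exits in between shows up as "hidden" and triggers the LKM trojan warning. The script below is an added example written for this thread; it is not chkrootkit's code and nothing in it comes from the original message. It reproduces the check and then re-samples both views so that a transient process is discarded while a PID that stays in procfs and never appears in ps is kept. The function names, the constructed PIDs in `simulated_cgi_burst`, and the assumption that `ps -A -o pid=` is available are all mine; on FreeBSD procfs is not mounted by default, so the live path needs `mount -t procfs proc /proc` first.

```python
"""Added example: a chkproc-style hidden-PID check with re-sampling to
filter the race described in the thread.  Not chkrootkit's code."""
import os
import subprocess
from typing import Callable, Iterable, Set, Tuple

# (PIDs seen by walking /proc, PIDs seen by ps) taken as close together as possible
Snapshot = Tuple[Set[int], Set[int]]


def snapshot_proc() -> Set[int]:
    """PIDs visible as numeric entries under /proc.  Assumes procfs is mounted
    (Linux: always; FreeBSD: only after 'mount -t procfs proc /proc')."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def snapshot_ps() -> Set[int]:
    """PIDs reported by ps(1).  '-A' and '-o pid=' are POSIX and accepted by
    both FreeBSD ps and procps."""
    out = subprocess.run(["ps", "-A", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def live_snapshot() -> Snapshot:
    return snapshot_proc(), snapshot_ps()


def hidden_pids(proc_pids: Iterable[int], ps_pids: Iterable[int]) -> Set[int]:
    """PIDs present in the procfs walk but absent from ps output.  This set
    difference is what a chkproc-style check reports as 'hidden for ps'."""
    return set(proc_pids) - set(ps_pids)


def confirm_hidden(candidates: Iterable[int], resample: Callable[[], Snapshot],
                   rounds: int = 3) -> Set[int]:
    """Re-take both views several times and keep only candidates that are
    still in procfs and still missing from ps on every round.  A short-lived
    process (a CGI child that exited between the two snapshots) vanishes from
    procfs and is dropped as a race artefact; a PID that persists in procfs
    but never reaches ps is worth a human look."""
    confirmed = set(candidates)
    for _ in range(rounds):
        if not confirmed:
            break
        proc_pids, ps_pids = resample()
        confirmed = {p for p in confirmed if p in proc_pids and p not in ps_pids}
    return confirmed


def check(first: Snapshot, resample: Callable[[], Snapshot]) -> Tuple[Set[int], Set[int]]:
    """Return (raw candidates as chkproc would report them, candidates that
    survive re-sampling)."""
    proc_pids, ps_pids = first
    raw = hidden_pids(proc_pids, ps_pids)
    return raw, confirm_hidden(raw, resample)


def simulated_cgi_burst() -> Tuple[Set[int], Set[int]]:
    """Constructed scenario, not real system data: PID 4242 is a CGI child
    alive during the /proc walk but gone before ps ran (the false alarm);
    PID 5151 is in /proc on every sample yet never appears in ps."""
    first: Snapshot = ({1, 99, 4242, 5151}, {1, 99})
    later = iter([({1, 99, 5151}, {1, 99})] * 3)
    return check(first, lambda: next(later))


if __name__ == "__main__":
    raw, confirmed = simulated_cgi_burst()
    print("simulated: raw", sorted(raw), "after re-sampling", sorted(confirmed))
    if os.path.isdir("/proc"):
        raw, confirmed = check(live_snapshot(), live_snapshot)
        print("live: raw", sorted(raw), "after re-sampling", sorted(confirmed))
```

Running it prints `raw [4242, 5151]` and `after re-sampling [5151]` for the constructed case: the single-shot difference is exactly the warning the original poster saw, and re-sampling separates the exited CGI child from the one PID that is consistently invisible to ps. Re-sampling only removes the timing artefact; it does not prove anything about a PID that persists, which still has to be examined by hand on a host where procfs is mounted.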