Date: Fri, 16 May 2003 00:06:43 +1000
From: Greg Lane <greg.lane@internode.on.net>
To: Jason Stewart <jstewart@rtl.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: chkrootkit: LKM trojan(?) and strange cron behaviour
Message-ID: <20030515140643.GA82883@localhost.bigpond.net.au>
In-Reply-To: <1053001595.9888.38.camel@mis3c>
References: <20030513104721.GA24990@localhost.bigpond.net.au> <1052829803.4622.18.camel@mis3c> <20030515004536.GA79264@localhost.bigpond.net.au> <1053001595.9888.38.camel@mis3c>
On Thu, May 15, 2003 at 08:26:35AM -0400, Jason Stewart <jstewart@rtl.org> wrote:
> 
> > The thing that concerned me most was the fact that it happened near
> > when cron decided to stop working. Have you (or anyone else
> > for that matter) seen cron just stop like that? The process was
> > there, but doing nothing. Again, a search of the lists got me a few hits
> > but nothing obvious and nothing recent.
> 
> Did you search for a core file? Cron may have dumped core for some
> reason or the other. You could do a backtrace with GDB and try to see
> what caused it to die.

Hi Jason,

Actually I didn't search for a core file because the process was still
there, that is, the output of ps -aux showed both cron processes (normal
and jailed) still present. A process can't dump core and hang around, can it?

The cron process in the jail was still active. I ssh'ed into the jail and
made a couple of new crontab entries which happily ran. However, the main
cron process ignored updates to any user's crontab. I think I'll leave cron
dying as one of life's little mysteries...

I did a bit more googling for chkrootkit/lkm while including apache in the
search criteria and found a few threads describing how process
creation/destruction can give lkm false alarms, just as you described. So
I'm happy with that.

It seems pretty certain I wasn't rooted, but just for fun and just in case,
I updated the box to today's stable this afternoon, and copied new versions
of the /etc/rc and /usr/local/etc/rc.d scripts over.

Thanks for your help!

Cheers,
Greg
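The false-alarm mechanism Greg refers to above, as an added illustration that is not part of the original thread and is not chkrootkit's own code: a hidden-process check along the lines of chkrootkit's LKM test takes two views of the process table, one by probing the kernel with kill(pid, 0) and one from ps, and flags any PID present in one view but not the other. A process forked or reaped between the two snapshots (an Apache child, a cron job) shows up as exactly such a discrepancy. The script below reproduces that comparison and adds the obvious mitigation, sampling several rounds and only reporting a PID that is "hidden" in every one. The function names, the 99999 PID ceiling (FreeBSD's PID_MAX; read from procfs where available) and the sample PID sets in the comments are my own assumptions.

```python
import os
import subprocess
import time
from typing import Dict, List, Set, Tuple

# Assumption: FreeBSD's PID_MAX is 99999.  Linux can use a far larger
# pid_max, so read it from procfs when that file exists.
DEFAULT_MAX_PID = 99999


def max_pid() -> int:
    """Upper bound for the probe loop (assumed value unless procfs says otherwise)."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return DEFAULT_MAX_PID


def probe_pids(limit: int = 0) -> Set[int]:
    """View 1: ask the kernel directly.  kill(pid, 0) delivers no signal;
    it fails with ESRCH if no such process exists and with EPERM if it
    exists but belongs to another user.  Either 'exists' answer counts."""
    found = set()
    for pid in range(1, (limit or max_pid()) + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue            # ESRCH: nothing there
        except PermissionError:
            pass                # EPERM: exists, just not ours
        found.add(pid)
    return found


def ps_pids() -> Set[int]:
    """View 2: what ps reports, i.e. the view a rootkit would filter."""
    out = subprocess.run(["ps", "-axo", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def compare(probe: Set[int], listing: Set[int]) -> Dict[str, Set[int]]:
    """One round.  'hidden'   = kernel admits the PID, ps does not show it.
                   'vanished' = ps shows it, kill() no longer finds it.
    A process that exits after the probe but before ps runs lands in
    'hidden'; one forked after the probe lands in 'vanished'.  That is
    the whole false alarm: neither gap requires a kernel module."""
    return {"hidden": probe - listing, "vanished": listing - probe}


def stable_hidden(rounds: List[Tuple[Set[int], Set[int]]]) -> Set[int]:
    """Intersect the 'hidden' set across rounds.  A transient PID is gone
    from the next round's probe, so it drops out; a process a kernel
    hook really hides from ps stays flagged in every round."""
    hidden = None
    for probe, listing in rounds:
        h = compare(probe, listing)["hidden"]
        hidden = h if hidden is None else hidden & h
    return hidden or set()


def scan(rounds: int = 3, delay: float = 0.5) -> Set[int]:
    """Take several snapshots a short time apart and report only the PIDs
    hidden in all of them."""
    samples = []
    for _ in range(rounds):
        samples.append((probe_pids(), ps_pids()))
        time.sleep(delay)
    return stable_hidden(samples)


if __name__ == "__main__":
    # On a busy box a single round will usually flag something (for
    # example the ps process itself shows up as 'vanished'); the
    # multi-round result should be empty unless something is really hidden.
    single = compare(probe_pids(), ps_pids())
    print("single round:", single)
    print("stable hidden PIDs:", scan())
```

Run it as root so kill() can see every process; as an unprivileged user the EPERM branch still counts other users' processes, but ps may be restricted by security.bsd.see_other_uids on FreeBSD, which would itself produce a large, bogus "hidden" set.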
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030515140643.GA82883>