From: Greg Lane
Reply-To: greg.lane@internode.on.net
To: Jason Stewart
cc: freebsd-questions@freebsd.org
Date: Fri, 16 May 2003 00:06:43 +1000
Subject: Re: chkrootkit: LKM trojan(?) and strange cron behaviour
Message-ID: <20030515140643.GA82883@localhost.bigpond.net.au>
In-Reply-To: <1053001595.9888.38.camel@mis3c>
References: <20030513104721.GA24990@localhost.bigpond.net.au> <1052829803.4622.18.camel@mis3c> <20030515004536.GA79264@localhost.bigpond.net.au> <1053001595.9888.38.camel@mis3c>
User-Agent: Mutt/1.4.1i
List-Id: User questions (freebsd-questions@freebsd.org)

On Thu, May 15, 2003 at 08:26:35AM -0400, Jason Stewart wrote:
>
> > The thing that concerned me most was the fact that it happened near
> > when cron decided to stop working. Have you (or anyone else
> > for that matter) seen cron just stop like that? The process was
> > there, but doing nothing. Again, a search of the lists got me a few hits
> > but nothing obvious and nothing recent.
>
> Did you search for a core file? Cron may have dumped core for some
> reason or the other. You could do a backtrace with GDB and try to see
> what caused it to die.

Hi Jason,

Actually I didn't search for a core file because the process was still
there, that is, the output of ps -aux showed both cron processes (normal
and jailed) still present. A process can't dump core and hang around, can it?

The cron process in the jail was still active. I ssh'ed into the jail and
made a couple of new crontab entries which happily ran. However, the main
cron process ignored updates to any user's crontab. I think I'll leave cron
dying as one of life's little mysteries...

I did a bit more googling for chkrootkit/lkm while including apache in the
search criteria and found a few threads describing how process
creation/destruction can give lkm false alarms, just as you described. So
I'm happy with that.

It seems pretty certain I wasn't rooted, but just for fun and just in case,
I updated the box to today's stable this afternoon, and copied new versions
of the /etc/rc and /usr/local/etc/rc.d scripts over.

Thanks for your help!

Cheers,
Greg
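The "process creation/destruction can give lkm false alarms" point in the message above comes from the way chkrootkit's chkproc test works: it compares the PIDs visible under /proc with the PIDs that ps reports, and a PID seen in one but not the other is reported as a possible LKM trojan. A process that forks or exits between the two reads (an Apache child, a cron job) lands in exactly that gap. The following is an added example, not chkrootkit's own code and not anything from the thread; it reproduces that comparison against constructed snapshots and shows how re-sampling before alarming separates a transient PID from a PID that is hidden on every sample. All PIDs and snapshot contents below are made up for illustration.

```python
"""Illustration of the /proc-versus-ps comparison behind chkrootkit's chkproc
warning, and of a re-sampling step that filters out process churn.

Added example, not chkrootkit's code. All snapshot data is constructed.
"""
from collections import deque


def hidden_candidates(proc_pids, ps_pids):
    """PIDs listed in /proc but missing from ps output.

    A single such sample is what produces the 'possible LKM Trojan' style
    warning; by itself it cannot tell a hidden process from one that simply
    exited between the /proc read and the ps run.
    """
    return set(proc_pids) - set(ps_pids)


def confirm_hidden(candidates, take_snapshot, rounds=3):
    """Re-sample and keep only PIDs that are hidden in every round.

    A short-lived process drops out after one round; a PID that a rootkit
    keeps out of ps survives all of them.
    """
    confirmed = set(candidates)
    for _ in range(rounds):
        if not confirmed:
            break
        proc_pids, ps_pids = take_snapshot()
        confirmed &= hidden_candidates(proc_pids, ps_pids)
    return confirmed


def snapshot_source(snapshots):
    """Turn a list of (proc_pids, ps_pids) pairs into a take_snapshot callable.

    The last pair is repeated once the list is exhausted, so a scan can ask
    for more rounds than there are constructed samples.
    """
    queue = deque(snapshots)
    last = snapshots[-1]

    def take():
        return queue.popleft() if queue else last

    return take


def live_snapshot():
    """Real collector for a host with /proc mounted (Linux, or FreeBSD with
    procfs). Not used by the constructed scenarios; shown only so the order of
    the two reads, /proc first and ps second, is visible: any process that
    exits in between shows up as a candidate.
    """
    import os
    import subprocess

    proc_pids = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    out = subprocess.run(["ps", "-axo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    ps_pids = {int(tok) for tok in out.split()}
    return proc_pids, ps_pids


# Constructed scenario (hypothetical PIDs). 4242 is a short-lived Apache child
# that exited between the /proc read and the ps run of the first sample;
# 6666 stands for a process a hypothetical rootkit hides from ps every time.
BUSY_HOST = [
    ({1, 100, 4242, 6666}, {1, 100}),
    ({1, 100, 4250, 6666}, {1, 100, 4250}),
    ({1, 100, 6666}, {1, 100}),
    ({1, 100, 6666}, {1, 100}),
]

# Same churn without the hidden process: the first-sample alarm is spurious.
CLEAN_HOST = [
    ({1, 100, 4242}, {1, 100}),
    ({1, 100, 4250}, {1, 100, 4250}),
    ({1, 100}, {1, 100}),
]


def scan(snapshots, rounds=3):
    """Return (alarms from the first sample, PIDs still hidden after re-sampling)."""
    take = snapshot_source(snapshots)
    first_alarm = hidden_candidates(*take())
    return first_alarm, confirm_hidden(first_alarm, take, rounds)


if __name__ == "__main__":
    for name, snaps in (("busy host", BUSY_HOST), ("clean host", CLEAN_HOST)):
        first, confirmed = scan(snaps)
        print(f"{name}: first-sample alarms={sorted(first)} "
              f"confirmed after re-sampling={sorted(confirmed)}")
```

Run against the constructed data, the busy host alarms on both 4242 and 6666 from the first sample but only 6666 survives re-sampling, while the clean host's single alarm disappears on the next round. On a real box the same re-check (re-running chkrootkit a few times, or comparing /proc with ps by hand) is the cheap way to decide whether an LKM warning on a busy web server is worth a rebuild.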