Date: Thu, 13 Dec 2001 21:41:33 +1100
From: "Tim J. Robbins"
To: security@FreeBSD.ORG
Subject: Re: (sh), uid 0: core dumped on signal 12
Message-ID: <20011213214133.A4397@raven.robbins.dropbear.id.au>

On Thu, Dec 13, 2001 at 12:36:03PM +0200, Timothy S. Bowers wrote:

> I get the following messages a few times then the PC just reboots:
>
> /kernel: pid 28998 (sh), uid 0: exited on signal 12 (core dumped)
> /kernel: pid 29356 (sh), uid 0: exited on signal 12
> /kernel: pid 29357 (sh), uid 0: exited on signal 12

#define SIGSYS 12 /* non-existent system call invoked */

You might want to check that whatever `sh' (presumably /bin/sh) that causes
these errors is for the right OS release and that it hasn't become corrupted
somehow. Check that userland and the kernel are in sync.

> Is this a sign that someone is running an exploit on me?

It could be that the machine is compromised and a rootkit used which has
damaged /bin/sh. Just a guess.

> How can I find out what the cause of this is?

Check the things I mentioned above.
truss, ktrace, and checking out the core file with gdb may help.

Tim
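Added example, not part of the original message or of FreeBSD: a small Python triage script that parses kernel log lines of the form quoted above, counts fatal-signal exits per command, uid and signal, and singles out uid 0 processes killed by SIGSYS. The first three sample lines come from the message, the last two are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# FreeBSD signal numbers: 12 = SIGSYS is quoted in the reply above; the
# others are from FreeBSD's <sys/signal.h> and differ on other systems.
FREEBSD_SIGNALS = {4: "SIGILL", 6: "SIGABRT", 10: "SIGBUS",
                   11: "SIGSEGV", 12: "SIGSYS"}

LINE_RE = re.compile(
    r"pid (?P<pid>\d+) \((?P<comm>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?")

# First three lines are from the message; the last two are constructed.
SAMPLE = [
    "/kernel: pid 28998 (sh), uid 0: exited on signal 12 (core dumped)",
    "/kernel: pid 29356 (sh), uid 0: exited on signal 12",
    "/kernel: pid 29357 (sh), uid 0: exited on signal 12",
    "/kernel: pid 412 (httpd), uid 80: exited on signal 11 (core dumped)",
    "/kernel: fxp0: link state changed to UP",
]

def parse_line(line):
    """Return a dict for a fatal-signal log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    sig = int(m["sig"])
    return {"pid": int(m["pid"]), "comm": m["comm"], "uid": int(m["uid"]),
            "signal": FREEBSD_SIGNALS.get(sig, f"SIG{sig}"),
            "core": m["core"] is not None}

def summarize(lines):
    """Count fatal-signal exits per (command, uid, signal name)."""
    events = filter(None, map(parse_line, lines))
    return Counter((e["comm"], e["uid"], e["signal"]) for e in events)

def root_sigsys(lines):
    """Events where a uid 0 process was killed by SIGSYS."""
    events = filter(None, map(parse_line, lines))
    return [e for e in events if e["uid"] == 0 and e["signal"] == "SIGSYS"]

if __name__ == "__main__":
    for (comm, uid, sig), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {comm} uid={uid} {sig}")
    for e in root_sigsys(SAMPLE):
        core = "core file available for gdb" if e["core"] else "no core"
        print(f"root SIGSYS: pid {e['pid']} ({e['comm']}), {core}")
```

Entries flagged with a core file are the ones that can be opened in gdb, as the reply suggests.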