From owner-freebsd-questions@FreeBSD.ORG Sat Dec 18 17:06:32 2004
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AB93C16A4CE; Sat, 18 Dec 2004 17:06:32 +0000 (GMT)
Received: from sierra.rtfm.com (sierra.rtfm.com [198.144.203.251]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4FD5343D53; Sat, 18 Dec 2004 17:06:32 +0000 (GMT) (envelope-from ekr@rtfm.com)
Received: from rtfm.com (romeo.rtfm.com [198.144.203.242]) by sierra.rtfm.com (Postfix) with ESMTP id 42DC971D2; Sat, 18 Dec 2004 09:29:27 -0800 (PST)
To: freebsd-questions@freebsd.org
X-Mailer: MH-E 7.4.3; nmh 1.0.4; XEmacs 21.4 (patch 15)
Date: Sat, 18 Dec 2004 09:06:29 -0800
From: Eric Rescorla
Message-Id: <20041218172927.42DC971D2@sierra.rtfm.com>
Subject: Missing /etc/periodic.daily processes in /proc
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Sat, 18 Dec 2004 17:06:32 -0000

FreeBSD Version: FreeBSD 4.9-STABLE #2
Platform: x86

I recently ran chkrootkit and it complained about processes that were
in ps but not in /proc. Usually these are just transient processes, but
in this case I investigated and found something weird. Here's a sample
output:

PID 11252: not in readdir output
PID 11253: not in readdir output
PID 11254: not in readdir output

Strangely, ls shows something different:

[56] ls /proc | grep 1125
11252

Even more strangely, which processes are implicated moves around, but
they always claim to be running out of /etc/periodic, e.g.

root 11252 0.0 0.0 672 176 ?? I 10Dec04 0:00.00 /bin/sh - /usr/sbin/periodic security
root 11253 0.0 0.0 648 168 ?? I 10Dec04 0:00.00 /bin/sh - /usr/sbin/periodic security
root 11254 0.0 0.0 648 168 ?? I 10Dec04 0:00.00 /bin/sh - /etc/periodic/security/100.chksetuid

Note the old dates here: I've got a filesystem on a removable drive
that didn't detach cleanly, and now some attempts to grovel through the
filesystem tables (e.g. df) hang badly.

I can obviously reboot to clear this error, but I wondered if there was
any more investigation I should do before I destroy the "evidence".
Does this look familiar to anyone?

Thanks,
-Ekr
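The check the post is reacting to (chkrootkit's comparison of the PIDs ps reports against the PIDs a readdir() of /proc returns) is easy to reproduce by hand, and doing so with two snapshots separates a process that merely exited between the two listings from one that stays invisible to readdir while still resolving by direct lookup, which is the discrepancy the post describes. The script below is an added example written for this page; it is not chkrootkit's code and not something from the original message. It assumes ps accepts the old-style `ax -o pid=` arguments (true on FreeBSD and Linux procps) and that /proc is mounted; the PID lists used in the comments and tests are constructed, and the `--run` argument that starts the live check is this script's own convention.

```sh
#!/bin/sh
# Added example (not chkrootkit's code, not from the original post):
# list PIDs that ps reports but a readdir() of /proc does not, re-check
# them by direct lookup, and only report PIDs hidden in two snapshots
# so that short-lived processes are not flagged.
# Assumptions: "ps ax -o pid=" is accepted (FreeBSD, Linux procps) and
# /proc is mounted. Sample PID lists in comments/tests are constructed.

# hidden_pids PS_LIST PROC_LIST
# Print the PIDs in PS_LIST that do not occur in PROC_LIST.
# e.g. hidden_pids "11252 11253 11254" "11252" -> "11253 11254"
hidden_pids() {
    ps_list=$1
    proc_list=$2
    out=""
    for p in $ps_list; do
        found=0
        for q in $proc_list; do
            if [ "$p" = "$q" ]; then found=1; break; fi
        done
        [ "$found" -eq 0 ] && out="$out $p"
    done
    echo "${out# }"
}

# persistent_hidden FIRST SECOND
# Intersection of two hidden-PID lists (FIRST minus (FIRST minus SECOND)).
# A PID missing from /proc in only one snapshot most likely exited
# between ps and readdir; one missing in both deserves a look.
persistent_hidden() {
    hidden_pids "$1" "$(hidden_pids "$1" "$2")"
}

# One live snapshot: PIDs seen by ps but absent from readdir(/proc).
snapshot_hidden() {
    ps_pids=$(ps ax -o pid= | tr -s ' \n' ' ')
    proc_pids=$(ls /proc | grep '^[0-9][0-9]*$' | tr '\n' ' ')
    hidden_pids "$ps_pids" "$proc_pids"
}

# Direct lookup by name: the post's "ls shows something different"
# case is a PID that readdir() skipped but that still resolves here.
lookup_pid() {
    if [ -d "/proc/$1" ]; then
        echo "$1: present by direct lookup, absent from readdir"
    else
        echo "$1: not found by direct lookup either"
    fi
}

# Live check: two snapshots a second apart, report only persistent hits
# together with the ps line (owner, state, command) for each.
main() {
    first=$(snapshot_hidden)
    sleep 1
    second=$(snapshot_hidden)
    for p in $(persistent_hidden "$first" "$second"); do
        lookup_pid "$p"
        ps -o pid,user,stat,command -p "$p" || echo "$p: gone"
    done
}

# Start the live check only when asked, so the functions can be sourced.
[ "${1-}" = "--run" ] && main
```

Run it as `sh check.sh --run` as root on the affected host; a PID that keeps showing up across runs, resolves by direct lookup, and carries an old start time like the ones in the post is the thing to record (ps line, `/proc/PID/status`, `fstat -p PID`) before rebooting clears the state.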