Date:      Sun, 23 Nov 2003 18:01:44 +0100 (CET)
From:      "Cordula's Web" <cpghost@cordula.ws>
To:        m.seaman@infracaninophile.co.uk
Cc:        questions@freebsd.org
Subject:   Re: Monitoring a file?
Message-ID:  <200311231701.hANH1ipd098716@fw.farid-hajji.net>
In-Reply-To: <20031123103544.GD9494@happy-idiot-talk.infracaninophile.co.uk> (message from Matthew Seaman on Sun, 23 Nov 2003 10:35:44 +0000)
References:  <200311222258.hAMMwApd092388@fw.farid-hajji.net> <16320.5175.69241.145102@jerusalem.litteratus.org> <20031123103544.GD9494@happy-idiot-talk.infracaninophile.co.uk>

> > > >  A file, let's say, /path/to/a/file, is being modified by
> > > >  an unknown process P(u) at random times. Unfortunately,
> > > >  the name of the program run by P(u) is unknown.
> Not a lock as such, but:
> 
>     # chflags schg /path/to/a/file
> 
> should achieve the effect you desire.  Although this will cause any
> write on the file to just fail, rather than causing P(u) to block
> waiting for a lock.  You could try replacing /path/to/a/file with a
> fifo (see mkfifo(1)), and maybe hang another process on the other end
> of the fifo which can run ps(1) or fstat(1) when a write is detected.

Interesting, but the results were not conclusive.

I've finally found the culprit with a traditional method:
  * md5 (binary from an uncompromised machine) on all files
  * reinstalling from scratch (not buildworld, but really
    installing from FTP)
  * md5 again and diff.

/bin/sh and cvsup (!!) were compromised on that machine.

The malicious code was in /usr/src/bin/sh/exec.c:shellexec()
Additionally, cvsup (and perhaps other programs) must have
been corrupt too, because code in /usr/src/bin/sh was never
updated.

Ugh... system clean again at last. :)

Thank you for all your help!

-- 
Cordula's Web. http://www.cordula.ws/
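The "traditional method" above (hash every file with a trusted tool, reinstall, hash again, diff) as an added example; this is not code from the thread or from FreeBSD. It assumes HASH_CMD names a hash tool copied from an uncompromised machine that prints "digest path" per file (GNU md5sum or FreeBSD "md5 -r"; both are assumed defaults), and the sample tree, the "trojaned" /bin/sh and the dropped file are constructed data. It goes slightly beyond the post by also reporting files that appear or disappear between the two manifests, not only ones whose digest changed.

```shell
#!/bin/sh
# Added example (not part of the original thread): find files altered on a
# host by taking a hash manifest with a trusted hash tool, reinstalling,
# taking a second manifest and diffing the two.
# Assumption: HASH_CMD is a hash tool brought over from a clean machine that
# prints "<digest> <path>" per file. md5sum (GNU) does; on FreeBSD use "md5 -r".
set -u

if [ -z "${HASH_CMD:-}" ]; then
    if command -v md5sum >/dev/null 2>&1; then HASH_CMD="md5sum"
    else HASH_CMD="md5 -r"; fi
fi

# hash_tree ROOT OUT: write a manifest "digest ./relative/path" for every
# regular file under ROOT, sorted by path. Paths are relative to ROOT so a
# manifest taken before the reinstall can be compared with one taken after.
hash_tree() {
    root=$1; out=$2
    ( cd "$root" && find . -type f -print | sort | while IFS= read -r f; do
        $HASH_CMD "$f"
    done ) | sed 's#  *\./# ./#' | sort -k2 > "$out"
}

# compare_manifests BEFORE AFTER: print "CHANGED path" for files whose digest
# differs, "MISSING path" for files only in BEFORE, "ADDED path" for files
# only in AFTER; one line per file, sorted by path.
compare_manifests() {
    awk '
        FILENAME == ARGV[1] { before[$2] = $1; next }
        {
            if (!($2 in before))       print "ADDED " $2
            else if (before[$2] != $1) print "CHANGED " $2
            seen[$2] = 1
        }
        END { for (p in before) if (!(p in seen)) print "MISSING " p }
    ' "$1" "$2" | sort -k2
}

# demo: constructed sample tree standing in for a small install. Baseline it,
# then simulate the compromise seen in the thread (a trojaned /bin/sh), a
# dropped file and a deleted one, and report what the second manifest shows.
demo() {
    work=$(mktemp -d); tree=$work/root
    mkdir -p "$tree/bin" "$tree/usr/local/bin"
    printf 'clean sh\n'    > "$tree/bin/sh"          # constructed sample data
    printf 'clean ls\n'    > "$tree/bin/ls"
    printf 'clean cvsup\n' > "$tree/usr/local/bin/cvsup"
    hash_tree "$tree" "$work/before"

    printf 'trojaned sh\n' > "$tree/bin/sh"            # digest changes
    printf 'dropped\n'     > "$tree/usr/local/bin/.hidden"  # new file
    rm -f "$tree/bin/ls"                               # file gone
    hash_tree "$tree" "$work/after"

    compare_manifests "$work/before" "$work/after"
    rm -rf "$work"
}
```

On a real box, run hash_tree once on the suspect system and once after the clean reinstall, then compare_manifests on the two files. The hash tool is not the only thing that has to be trusted: find, sort, awk and the shell running this script all execute on the suspect host, and the thread shows exactly why that matters (the trojan lived in /bin/sh's shellexec()), so run the baseline pass from clean media or point every command at a known-good copy. MD5 is kept here only because it is what the post used; set HASH_CMD to sha256sum (or "sha256 -r" on FreeBSD) when the tool is available.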
