From: "Cordula's Web" <cpghost@cordula.ws>
To: m.seaman@infracaninophile.co.uk
Cc: roberthuff@rcn.com, questions@freebsd.org
Reply-To: cpghost@cordula.ws
Date: Sun, 23 Nov 2003 18:01:44 +0100 (CET)
Subject: Re: Monitoring a file?
Message-Id: <200311231701.hANH1ipd098716@fw.farid-hajji.net>
In-reply-to: <20031123103544.GD9494@happy-idiot-talk.infracaninophile.co.uk> (message from Matthew Seaman on Sun, 23 Nov 2003 10:35:44 +0000)
References: <200311222258.hAMMwApd092388@fw.farid-hajji.net> <16320.5175.69241.145102@jerusalem.litteratus.org> <20031123103544.GD9494@happy-idiot-talk.infracaninophile.co.uk>
X-Mailer: Emacs-21.3.1/FreeBSD-4.9-STABLE
List-Id: User questions <freebsd-questions@freebsd.org>

> > > > A file, let's say, /path/to/a/file, is being modified by
> > > > an unknown process P(u) at random times. Unfortunately,
> > > > the name of the program run by P(u) is unknown.
>
> Not a lock as such, but:
>
>     # chflags schg /path/to/a/file
>
> should achieve the effect you desire. Although this will cause any
> write on the file to just fail, rather than causing P(u) to block
> waiting for a lock. You could try replacing /path/to/a/file with a
> fifo (see mkfifo(1)), and maybe hang another process on the other end
> of the fifo which can run ps(1) or fstat(1) when a write is detected.

Interesting, but the results were not conclusive. I've finally found
the culprit with a traditional method:

  * md5 (binary from an uncompromised machine) on all files
  * reinstalling from scratch (not buildworld, but really installing
    from FTP)
  * md5 again and diff.

/bin/sh and cvsup (!!) were compromised on that machine. The malicious
code was in /usr/src/bin/sh/exec.c:shellexec()

Additionally, cvsup (and perhaps other programs) must have been corrupt
too, because code in /usr/src/bin/sh was never updated.

Ugh... system clean again at last. :)

Thank you for all your help!

-- 
Cordula's Web. http://www.cordula.ws/
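The three-step procedure in the message above (checksum everything with a trusted md5 binary, reinstall from known-good media, checksum again and diff) is a manifest comparison. The script below is an added example, not code from the thread or from FreeBSD: it builds a "hash<TAB>relative path" manifest of a directory tree, compares a baseline manifest against a later one, and reports files whose contents changed, appeared or disappeared. The `demo` function constructs a small tree under `mktemp -d`, with file names chosen to mirror the message (`bin/sh`, `usr/bin/cvsup`), and is purely illustrative. It uses md5(1) where present (FreeBSD) and falls back to GNU md5sum so it runs on either system; as the message notes, the hashing binary itself must come from a machine you trust.

```shell
#!/bin/sh
# Added example (not from the original thread): checksum manifest of a file
# tree, and a diff of two manifests. Assumes only md5(1) or md5sum, find,
# sort and awk.

# Portable hash of one file: BSD md5 -q on FreeBSD, GNU md5sum elsewhere.
hash_file() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# make_manifest DIR OUT: write "hash<TAB>path-relative-to-DIR" for every
# regular file under DIR, sorted by path so two manifests are comparable.
make_manifest() {
    dir=$1; out=$2
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(hash_file "$f")" "${f#"$dir/"}"
    done > "$out"
}

# compare_manifests BASELINE CURRENT: print CHANGED / ADDED / REMOVED lines,
# return 0 only when the two manifests agree on every path.
compare_manifests() {
    diffs=$(awk -F '\t' '
        inbase { base[$2] = $1; next }           # first file: remember hashes
        {
            seen[$2] = 1
            if (!($2 in base))       print "ADDED   " $2
            else if (base[$2] != $1) print "CHANGED " $2
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' inbase=1 "$1" inbase=0 "$2" | LC_ALL=C sort)
    [ -n "$diffs" ] && printf '%s\n' "$diffs"
    [ -z "$diffs" ]
}

# demo: constructed tree mirroring the message; one binary altered in place
# and one unexpected file appears between the two manifests.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/good/bin" "$tmp/good/usr/bin"
    printf 'sh v1\n'    > "$tmp/good/bin/sh"
    printf 'ls v1\n'    > "$tmp/good/bin/ls"
    printf 'cvsup v1\n' > "$tmp/good/usr/bin/cvsup"
    make_manifest "$tmp/good" "$tmp/baseline.md5"

    cp -R "$tmp/good" "$tmp/live"
    printf 'sh v1 plus something else\n' > "$tmp/live/bin/sh"   # modified
    printf 'not in the baseline\n'       > "$tmp/live/bin/extra" # new file
    make_manifest "$tmp/live" "$tmp/current.md5"

    compare_manifests "$tmp/baseline.md5" "$tmp/current.md5" || true
    rm -rf "$tmp"
}

demo
```

For a real system the baseline manifest and the hashing binary should be produced on, or copied from, a host you trust, and kept off the machine being checked; a manifest stored on the suspect box can be edited by whatever edited /bin/sh.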