Date: Tue, 23 Jul 2002 17:04:24 +1000
From: Tony Landells <ahl@austclear.com.au>
To: Brett Glass <brett@lariat.org>
Cc: security@FreeBSD.ORG
Subject: Re: "Text file busy"
Message-ID: <200207230704.RAA19147@tungsten.austclear.com.au>
In-Reply-To: Message from Brett Glass <brett@lariat.org> of "Tue, 23 Jul 2002 00:27:58 CST." <4.3.2.7.2.20020723002551.02245100@localhost>
brett@lariat.org said:
> A FreeBSD server belonging to a client of mine has begun to report
> "Text file busy" in response to common commands. I can't see anything
> unusual on the surface, but am concerned that the server may have
> been compromised anyway (a rootkit could have been installed) and
> that this is a symptom. What mechanism generates this message? And
> does it suggest that the machine may have been rooted?

The most likely source of this is attempting to change an executable
while it's running:

# cp /bin/sleep /tmp
# /tmp/sleep 60 &
[1] 34527
# cp /dev/null /tmp/sleep
cp: /tmp/sleep: Text file busy
# kill -ALRM 34527
[1]   Alarm clock             /tmp/sleep 60
# cp /dev/null /tmp/sleep
#

I'm sure there are probably other occasions where this comes up, but
that's the one I've seen...

Just doing a quick search through section 2 of the manual:

access(2)
     [ETXTBSY]  Write access is requested for a pure procedure (shared
                text) file presently being executed.

execve(2)
     [ETXTBSY]  The new process file is a pure procedure (shared text)
                that is currently open for writing or reading by some
                process.

open(2)
     [ETXTBSY]  The file is a pure procedure (shared text) file that is
                being executed and the open() call requests write access.

truncate(2)
     [ETXTBSY]  The file is a pure procedure (shared text) file that is
                being executed.

Which all say pretty much the same thing--you can't write something
being executed, and you can't execute something that's open (assuming
in both cases that it's a shared text file).

Without knowing what's running on the system it's difficult to say
whether it's an attack, but I've certainly never seen it coming up
often. Probably ps and fstat (or doing some tracing with ktrace) are
your best bets for working out what's going on.
Tony
--
Tony Landells <ahl@austclear.com.au>        Senior Network Engineer
Ph:  +61 3 9677 9319                        Australian Clearing Services Pty Ltd
Fax: +61 3 9677 9355                        Level 4, Rialto North Tower
                                            525 Collins Street
                                            Melbourne VIC 3000 Australia
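An added example, not part of the mail thread, that turns the two points above into a repeatable check: it reproduces the cp/sleep session (copy sleep(1) to a scratch directory, run the copy, try the same write-open cp(1) would make) and then does the "ps and fstat" step of finding which processes are executing the file. Assumptions: a `sleep` binary on PATH and, for the process scan, a Linux-style /proc (on FreeBSD the same question is answered with fstat(1) or procstat(1); the function just returns an empty set elsewhere). ETXTBSY on write-open is what FreeBSD and older Linux kernels return; Linux 6.11 and later no longer enforce that check, so the probe may report "OK" there even while the file is running, which is why the code reports the errno symbol rather than asserting on it.

```python
import errno
import os
import shutil
import subprocess
import tempfile
import time


def probe_write_open(path):
    """Attempt the open(2) that cp(1) makes when overwriting `path`
    (O_WRONLY, no truncation) and report the errno symbol instead of the
    strerror text: "Text file busy" is ETXTBSY.  Returns "OK" when the
    open succeeds; the descriptor is closed again with the file unchanged."""
    try:
        fd = os.open(path, os.O_WRONLY)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    os.close(fd)
    return "OK"


def processes_executing(path):
    """Linux stand-in for the ps/fstat step: walk /proc/<pid>/exe and return
    the set of pids whose running image is `path`.  Empty set where there is
    no /proc (assumption: FreeBSD admins use fstat(1)/procstat(1) instead)."""
    target = os.path.realpath(path)
    pids = set()
    if not os.path.isdir("/proc"):
        return pids
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # process already exited, or not ours to inspect
        if exe == target:
            pids.add(int(entry))
    return pids


def triage(path):
    """What an admin wants to know when a command reports "Text file busy"
    for `path`: the errno a write-open gives, and who is executing it."""
    return {
        "path": path,
        "write_open": probe_write_open(path),
        "executing_pids": processes_executing(path),
    }


def demo(seconds=30):
    """Reproduce the cp/sleep session in a scratch directory: copy sleep(1),
    run the copy in the background, triage it while it runs, then probe the
    write-open again once the process has exited.  Returns the findings."""
    sleep_bin = shutil.which("sleep") or "/bin/sleep"   # assumption: sleep exists
    tmpdir = tempfile.mkdtemp(prefix="etxtbsy-")
    copy = os.path.join(tmpdir, "sleep")
    shutil.copy2(sleep_bin, copy)                         # keeps the executable bit
    child = subprocess.Popen([copy, str(seconds)])
    try:
        # Bounded wait until exec(2) has actually mapped the copy, so the
        # scan sees the child as running our file rather than the interpreter.
        deadline = time.monotonic() + 5
        while (child.pid not in processes_executing(copy)
               and time.monotonic() < deadline):
            time.sleep(0.05)
        running = triage(copy)       # ETXTBSY on FreeBSD / Linux < 6.11
    finally:
        child.kill()
        child.wait()
    after_exit = probe_write_open(copy)   # image unmapped: always "OK"
    shutil.rmtree(tmpdir, ignore_errors=True)
    return {
        "child_pid": child.pid,
        "proc_available": os.path.isdir("/proc"),
        "while_running": running,
        "write_open_after_exit": after_exit,
    }


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the same pattern as the session in the mail: while the copy is running the write-open reports ETXTBSY (on kernels that enforce it) and the scan names the sleeping pid; after the process is gone the same open succeeds. On a real incident you would call `triage()` on the path the failing command named, and the pid list is what to feed into ps or ktrace next.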