From: Evren Yurtesen
To: Brett Glass
Cc: security@freebsd.org
Date: Tue, 23 Jul 2002 10:33:13 +0300 (EEST)
Subject: Re: "Text file busy"
In-Reply-To: <4.3.2.7.2.20020723002551.02245100@localhost>
Message-ID: <20020723103201.M86108-100000@finland.ispro.net.tr>

if a program is running and locked the file.
I believe you can see which file is open by which process with fstat command.

On Tue, 23 Jul 2002, Brett Glass wrote:

> A FreeBSD server belonging to a client of mine has begun to report "Text
> file busy" in response to common commands. I can't see anything unusual
> on the surface, but am concerned that the server may have been
> compromised anyway (a rootkit could have been installed) and that this is
> a symptom. What mechanism generates this message? And does it suggest
> that the machine may have been rooted?
>
> --Brett Glass
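
One way to act on the fstat suggestion in the reply above, as an added example that is not part of the original message: "Text file busy" (ETXTBSY) is returned when something tries to write to a file that a process is currently executing, and fstat(1) marks such holders with `text` in the FD column. The sample output is constructed, and the function names `sample_fstat`, `text_holders` and `descriptor_holders` are hypothetical.

```shell
#!/bin/sh
# Classify the holders of one file from `fstat <file>` output (FreeBSD).
# FD column "text" means the process is executing the file, which is what
# makes writes to it fail with ETXTBSY ("Text file busy").

# Constructed sample of `fstat /usr/sbin/sshd` output, not from a real host.
sample_fstat() {
cat <<'EOF'
USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W NAME
root     sshd         612 text /usr      48211 -r-xr-xr-x  291356  r  /usr/sbin/sshd
root     sshd        9034 text /usr      48211 -r-xr-xr-x  291356  r  /usr/sbin/sshd
root     cp          9120    4 /usr      48211 -r-xr-xr-x  291356  r  /usr/sbin/sshd
EOF
}

# Print "PID CMD USER" for every process executing the file.
text_holders() {
    awk 'NR > 1 && $4 == "text" { print $3, $2, $1 }'
}

# Print "PID CMD FD R/W" for processes that only hold it as an open descriptor.
descriptor_holders() {
    awk 'NR > 1 && $4 ~ /^[0-9]+/ { print $3, $2, $4, $9 }'
}

# Stand-alone run on the sample; on a live system: fstat /path/to/file | text_holders
echo "executing the file:"
sample_fstat | text_holders
echo "holding it open:"
sample_fstat | descriptor_holders
```

Each PID reported by `text_holders` can then be checked against the expected process list for that binary.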