chkrootkit: LKM trojan(?) and strange cron behaviour
Greg Lane
greg.lane at internode.on.net
Thu May 15 07:06:48 PDT 2003
On Thu, May 15, 2003 at 08:26:35AM -0400, Jason Stewart <jstewart at rtl.org> wrote:
>
> > The thing that concerned me most was the fact that it happened near
> > when cron decided to stop working. Have you (or anyone else
> > for that matter) seen cron just stop like that? The process was
> > there, but doing nothing. Again, a search of the lists got me a few hits
> > but nothing obvious and nothing recent.
>
> Did you search for a core file? Cron may have dumped core for some
> reason or the other. You could do a backtrace with GDB and try to see
> what caused it to die.
Hi Jason,
Actually I didn't search for a core file because the process was still
there, that is, the output of ps -aux showed both cron processes
(normal and jailed) still present. A process can't dump core and
hang around, can it?
The cron process in the jail was still active. I ssh'ed into the
jail and made a couple of new crontab entries which happily ran.
However, the main cron process ignored updates to any user's crontab.
I think I'll leave cron dying as one of life's little mysteries...
I did a bit more googling for chkrootkit/lkm while including apache
in the search criteria and found a few threads describing how
process creation/destruction can give lkm false alarms, just as
you described. So I'm happy with that.
It seems pretty certain I wasn't rooted, but just for fun and just
in case, I updated the box to today's stable this afternoon, and
copied new versions of the /etc/rc and /usr/local/etc/rc.d scripts over.
Thanks for your help!
Cheers,
Greg
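The false alarm Greg describes comes from how a chkproc-style check works: it probes every PID with a signal-0 kill and compares the set that answers against what ps lists, so any process that exits (or is spawned) between the two steps looks "hidden" for that one pass. The example below is added here and is not code from the thread or from chkrootkit; the names hidden_candidates, confirm_hidden and live_snapshot are assumptions, live_snapshot only loosely models what chkproc does, and the PID snapshots are constructed. It shows the single-pass false alarm on a host with short-lived Apache workers, and how intersecting several passes drops the transient PIDs while a PID that is consistently absent from ps keeps being reported.

```python
import os
import subprocess
from typing import Iterable, Set, Tuple

# (pids that answered a kill(pid, 0) probe, pids shown by ps) for one pass
Snapshot = Tuple[Set[int], Set[int]]


def hidden_candidates(probe_pids: Set[int], listed_pids: Set[int]) -> Set[int]:
    """PIDs that exist according to the probe but are missing from ps.
    A kernel module hiding a process produces this pattern, but so does a
    process that exited between the probe and the listing: the single-pass
    false alarm discussed in the thread."""
    return probe_pids - listed_pids


def confirm_hidden(samples: Iterable[Snapshot]) -> Set[int]:
    """Keep only PIDs flagged in every pass. A short-lived child (an Apache
    worker, a cron job) is flagged in at most one pass and drops out; a PID
    that is really hidden from ps stays flagged throughout."""
    confirmed = None
    for probe_pids, listed_pids in samples:
        flagged = hidden_candidates(probe_pids, listed_pids)
        confirmed = flagged if confirmed is None else confirmed & flagged
    return confirmed or set()


def live_snapshot(max_pid: int = 99999) -> Snapshot:
    """Take a real pass on the local host (not used by the constructed demo).
    Signal 0 does not deliver anything: EPERM still means the PID exists,
    ESRCH means it does not. Then ask ps for its own view."""
    probe_pids = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            probe_pids.add(pid)
        except PermissionError:      # exists, owned by someone else
            probe_pids.add(pid)
        except ProcessLookupError:   # no such process
            pass
    out = subprocess.run(["ps", "-ax", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    listed_pids = {int(tok) for tok in out.split()}
    return probe_pids, listed_pids


# Constructed snapshots: PIDs 1, 100 and 200 are long-lived; 250 and 300 are
# Apache workers that came and went around the time of the ps call.
SAMPLES_BUSY_HOST = [
    ({1, 100, 200, 250}, {1, 100, 200}),       # 250 exited before ps ran
    ({1, 100, 200, 300}, {1, 100, 200, 300}),  # 300 lived long enough to be listed
    ({1, 100, 200}, {1, 100, 200}),
]

# Same host plus a constructed PID (666) that ps never shows in any pass.
SAMPLES_HIDDEN_PROCESS = [
    (probe | {666}, listed) for probe, listed in SAMPLES_BUSY_HOST
]


if __name__ == "__main__":
    first_probe, first_listed = SAMPLES_BUSY_HOST[0]
    # One pass on the busy host flags the worker that just exited: {250}
    print("single pass:", hidden_candidates(first_probe, first_listed))
    # Three passes agree on nothing: the alarm was transient -> set()
    print("confirmed, busy host:", confirm_hidden(SAMPLES_BUSY_HOST))
    # The PID that is absent from ps in every pass survives: {666}
    print("confirmed, hidden pid:", confirm_hidden(SAMPLES_HIDDEN_PROCESS))
```

Running the constructed demo prints the single-pass false alarm and then the empty confirmed set for the busy host; only the consistently unlisted PID survives the intersection. On a real box, call live_snapshot a few times with a short sleep in between and pass the results to confirm_hidden; anything that survives still deserves a look, since the check is only one signal and not proof of a rootkit.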