Missing /etc/periodic.daily processes in /proc
Eric Rescorla
ekr at rtfm.com
Sat Dec 18 09:06:32 PST 2004
FreeBSD Version: FreeBSD 4.9-STABLE #2
Platform: x86
I recently ran chkrootkit and it complained about processes that were in
ps but not in /proc. Usually these are just transient processes, but in
this case I investigated and found something weird.
Here's a sample output:
PID 11252: not in readdir output
PID 11253: not in readdir output
PID 11254: not in readdir output
Strangely, ls shows something different:
[56] ls /proc | grep 1125
11252
Even more strangely, which processes are implicated moves around,
but they always claim to be running out of /etc/periodic,
e.g.
root 11252 0.0 0.0 672 176 ?? I 10Dec04 0:00.00 /bin/sh - /usr/sbin/periodic security
root 11253 0.0 0.0 648 168 ?? I 10Dec04 0:00.00 /bin/sh - /usr/sbin/periodic security
root 11254 0.0 0.0 648 168 ?? I 10Dec04 0:00.00 /bin/sh - /etc/periodic/security/100.chksetuid
Note the old dates here: I've got a filesystem on a removable drive
that didn't detach cleanly and now some attempts to grovel through
the filesystem tables (e.g. df) hang badly. I can obviously reboot
to clear this error but I wondered if there was any more investigation
I should do before I destroy the "evidence".
Does this look familiar to anyone?
Thanks,
-Ekr
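
The cross-check described in the message above (PIDs reported by ps but absent from the /proc directory listing), as an added example that is not part of the original post and is not chkrootkit's code. It compares two snapshots so that transient processes drop out; the function names, temp-file paths and sample snapshots are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not chkrootkit's code. All sample data is constructed.
# On a live host, capture inputs with:
#   ps -axo user,pid,command > ps1; ls /proc > proc1   (repeat later for ps2/proc2)

# PIDs present in a ps listing (column 2) but absent from a /proc name list.
# Non-numeric /proc entries (e.g. curproc) and the ps header are ignored.
missing_from_proc() {   # $1 = ps listing, $2 = /proc names, one per line
    awk 'FILENAME == ARGV[1] { if ($1 ~ /^[0-9]+$/) seen[$1] = 1; next }
         $2 ~ /^[0-9]+$/ && !($2 in seen) { print $2 }' "$2" "$1" | sort
}

# PIDs missing in BOTH snapshots; short-lived processes drop out.
persistent_missing() {  # $1,$2 = first ps/proc pair; $3,$4 = second pair
    a=$(mktemp /tmp/pidchk.XXXXXX); b=$(mktemp /tmp/pidchk.XXXXXX)
    missing_from_proc "$1" "$2" > "$a"
    missing_from_proc "$3" "$4" > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample snapshots, modelled on the PIDs quoted in the post.
# PID 20411 is an invented transient that exits between the two snapshots.
make_samples() {        # $1 = directory to write ps1, proc1, ps2, proc2 into
    printf '%s\n' 'USER PID COMMAND' \
        'root 11252 /bin/sh - /usr/sbin/periodic security' \
        'root 11253 /bin/sh - /usr/sbin/periodic security' \
        'root 11254 /bin/sh - /etc/periodic/security/100.chksetuid' \
        'ekr 20411 grep 1125' > "$1/ps1"
    printf '%s\n' 1 11252 curproc > "$1/proc1"
    printf '%s\n' 'USER PID COMMAND' \
        'root 11252 /bin/sh - /usr/sbin/periodic security' \
        'root 11253 /bin/sh - /usr/sbin/periodic security' \
        'root 11254 /bin/sh - /etc/periodic/security/100.chksetuid' \
        'ekr 20500 ls /proc' > "$1/ps2"
    printf '%s\n' 1 11252 20500 curproc > "$1/proc2"
}

d=$(mktemp -d /tmp/pidchk.XXXXXX)
make_samples "$d"
echo "PIDs in ps but not in /proc across both snapshots:"
persistent_missing "$d/ps1" "$d/proc1" "$d/ps2" "$d/proc2"
rm -rf "$d"
```

PIDs that survive both snapshots are the ones worth recording (ps line, start time, parent) before a reboot discards the state.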