Monitoring a file?

Cordula's Web cpghost at cordula.ws
Sun Nov 23 09:02:40 PST 2003


> > > >  A file, let's say, /path/to/a/file, is being modified by
> > > >  an unknown process P(u) at random times. Unfortunately,
> > > >  the name of the program ran by P(u) is unknown.
> Not a lock as such, but:
> 
>     # chflags schg /path/to/a/file
> 
> should achieve the effect you desire.  Although this will cause any
> write on the file to just fail, rather than causing P(u) to block
> waiting for a lock.  You could try replacing /path/to/a/file with a
> fifo (see mkfifo(1)), and maybe hang another process on the other end
> of the fifo which can run ps(1) or fstat(1) when a write is detected.

Interesting, but the results were not conclusive.

I've finally found the culprit with a traditional method:
  * md5 (binary from an uncompromised machine) on all files
  * reinstalling from scratch (not buildworld, but really
    installing from FTP)
  * md5 again and diff.

/bin/sh and cvsup (!!) were compromised on that machine.

The malicious code was in /usr/src/bin/sh/exec.c:shellexec()
Additionally, cvsup (and perhaps other programs) must have
been corrupt too, because code in /usr/src/bin/sh was never
updated.

Ugh... system clean again at last. :)

Thank you for all your help!

-- 
Cordula's Web. http://www.cordula.ws/



More information about the freebsd-questions mailing list