Monitoring a file?
Cordula's Web
cpghost at cordula.ws
Sun Nov 23 09:02:40 PST 2003
> > > > A file, let's say, /path/to/a/file, is being modified by
> > > > an unknown process P(u) at random times. Unfortunately,
> > > > the name of the program run by P(u) is unknown.
> Not a lock as such, but:
>
> # chflags schg /path/to/a/file
>
> should achieve the effect you desire. Although this will cause any
> write on the file to just fail, rather than causing P(u) to block
> waiting for a lock. You could try replacing /path/to/a/file with a
> fifo (see mkfifo(1)), and maybe hang another process on the other end
> of the fifo which can run ps(1) or fstat(1) when a write is detected.
Interesting, but the results were not conclusive.
I've finally found the culprit with a traditional method:
* md5 (binary from an uncompromised machine) on all files
* reinstalling from scratch (not buildworld, but really
installing from FTP)
* md5 again and diff.
/bin/sh and cvsup (!!) were compromised on that machine.
The malicious code was in /usr/src/bin/sh/exec.c:shellexec()
Additionally, cvsup (and perhaps other programs) must have
been corrupt too, because code in /usr/src/bin/sh was never
updated.
Ugh... system clean again at last. :)
Thank you for all your help!
--
Cordula's Web. http://www.cordula.ws/
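The baseline-reinstall-rehash-diff procedure described in the message above, written out as an added shell example (this is not code from the thread or from FreeBSD). It assumes a hashing binary copied from a known-good machine is available via the hypothetical TRUSTED_MD5 variable (a command string such as `/mnt/trusted/md5 -r` or `/mnt/trusted/md5sum`, anything that prints `hash path` lines); without it the script falls back to whatever md5sum or md5 is in PATH, which on a compromised host is exactly what you should not trust. The manifest and report formats are this example's own choice, and paths containing spaces or newlines are not handled.

```shell
#!/bin/sh
# Added example: integrity baseline and comparison in the style of the
# md5 -> reinstall -> md5 -> diff procedure from the message above.
set -u

# TRUSTED_MD5 (assumed, not from the thread): command printing "hash path" per file,
# ideally a binary brought over from an uncompromised machine.
TRUSTED_MD5="${TRUSTED_MD5:-}"

# hash_cmd FILE...: print one "hash path" line per file using the trusted hasher
hash_cmd() {
    if [ -n "$TRUSTED_MD5" ]; then
        # intentionally unquoted so "/mnt/trusted/md5 -r" splits into cmd + args
        $TRUSTED_MD5 "$@"
    elif command -v md5sum >/dev/null 2>&1; then
        md5sum "$@"            # Linux coreutils: "hash  path"
    else
        md5 -r "$@"            # FreeBSD: -r prints "hash path" like md5sum
    fi
}

# manifest DIR OUT: hash every regular file under DIR, sorted by path, into OUT
manifest() {
    dir=$1
    out=$2
    find "$dir" -type f | sort | while IFS= read -r f; do
        hash_cmd "$f"
    done > "$out"
}

# compare BEFORE AFTER: report files whose hash changed, or that appeared/vanished
# between the two manifests (the "diff" step, keyed on path rather than line order)
compare() {
    awk '
        NR == FNR { old[$2] = $1; next }                 # first file: baseline
        {
            seen[$2] = 1
            if (!($2 in old))      print "added   " $2
            else if (old[$2] != $1) print "changed " $2
        }
        END { for (p in old) if (!(p in seen)) print "removed " p }
    ' "$1" "$2"
}

# Usage:  integrity.sh baseline /   /mnt/usb/before.md5   (on the suspect system)
#         ... reinstall from known-good media ...
#         integrity.sh baseline /   /mnt/usb/after.md5
#         integrity.sh compare  /mnt/usb/before.md5 /mnt/usb/after.md5
case "${1:-}" in
    baseline) manifest "$2" "$3" ;;
    compare)  compare "$2" "$3" ;;
esac
```

Every file that the reinstall replaced with a different hash shows up as `changed`; in the poster's case that list would have contained /bin/sh and the cvsup binary. Run the hashing step from media you control, and keep the manifests off the suspect disk, since a trojaned shell or utility can otherwise rewrite them.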