Date: Sat, 18 Dec 2004 09:06:29 -0800
From: Eric Rescorla <ekr@rtfm.com>
To: freebsd-questions@freebsd.org
Subject: Missing /etc/periodic.daily processes in /proc
Message-ID: <20041218172927.42DC971D2@sierra.rtfm.com>

FreeBSD Version: FreeBSD 4.9-STABLE #2
Platform: x86

I recently ran chkrootkit and it complained about processes that were in ps but not in /proc. Usually these are just transient processes but in this case I investigated and found something weird.

Here's a sample output:

PID 11252: not in readdir output
PID 11253: not in readdir output
PID 11254: not in readdir output

Strangely, ls shows something different

[56] ls /proc | grep 1125
11252

Even more strangely, which processes are implicated moves around, but they always claim to be running out of /etc/periodic, e.g.

root 11252 0.0 0.0 672 176 ?? I 10Dec04 0:00.00 /bin/sh - /usr/sbin/periodic security
root 11253 0.0 0.0 648 168 ?? I 10Dec04 0:00.00 /bin/sh - /usr/sbin/periodic security
root 11254 0.0 0.0 648 168 ?? I 10Dec04 0:00.00 /bin/sh - /etc/periodic/security/100.chksetuid

Note the old dates here: I've got a filesystem on a removable drive that didn't detach cleanly and now some attempts to grovel through the filesystem tables (e.g. df) hang badly.

I can obviously reboot to clear this error but I wondered if there was any more investigation I should do before I destroy the "evidence".

Does this look familiar to anyone?

Thanks,
-Ekr