Date:      Thu, 13 Dec 2001 21:41:33 +1100
From:      "Tim J. Robbins" <tim@robbins.dropbear.id.au>
To:        security@FreeBSD.ORG
Subject:   Re: (sh), uid 0: core dumped on signal 12
Message-ID:  <20011213214133.A4397@raven.robbins.dropbear.id.au>
In-Reply-To: <5.0.2.1.2.20011213123508.01785db8@nol.co.za>; from tim@nol.co.za on Thu, Dec 13, 2001 at 12:36:03PM +0200
References:  <5.0.2.1.2.20011213123508.01785db8@nol.co.za>

On Thu, Dec 13, 2001 at 12:36:03PM +0200, Timothy S. Bowers wrote:

> I get the following messages a few times then the PC just reboots:
> 
> /kernel: pid 28998 (sh), uid 0: exited on signal 12 (core dumped)
> /kernel: pid 29356 (sh), uid 0: exited on signal 12
> /kernel: pid 29357 (sh), uid 0: exited on signal 12

#define SIGSYS          12      /* non-existent system call invoked */

You might want to check that whatever `sh' (presumably /bin/sh) that causes
these errors is for the right OS release and that it hasn't become corrupted
somehow. Check that userland and the kernel are in sync.

> Is this a sign that someone is running an exploit on me?

It could be that the machine is compromised and a rootkit used which has
damaged /bin/sh. Just a guess.

> How can I find out what the cause of this is?

Check the things I mentioned above. truss, ktrace, and checking out the core
file with gdb may help.


Tim
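
Added example, not part of the original message: a small POSIX shell triage of kernel "exited on signal" lines like the ones quoted above, grouping them by command, uid and signal and flagging uid 0 processes that repeatedly die of SIGSYS. The function names and the last two sample log lines are constructed for illustration; the signal number 12 is the FreeBSD value from the `#define` quoted in the reply.

```shell
#!/bin/sh
# Added example (not from the original thread).
# SIGSYS is 12 on FreeBSD, per the #define quoted in the reply; other systems differ.
SIGSYS=12

# Constructed sample log: the first three lines are the ones quoted in the
# message, the last two are made up for contrast.
sample_log() {
    cat <<'EOF'
/kernel: pid 28998 (sh), uid 0: exited on signal 12 (core dumped)
/kernel: pid 29356 (sh), uid 0: exited on signal 12
/kernel: pid 29357 (sh), uid 0: exited on signal 12
/kernel: pid 30001 (httpd), uid 80: exited on signal 11 (core dumped)
/kernel: pid 30002 (cron), uid 0: exited on signal 12
EOF
}

# Read kernel log lines on stdin and print one record per (command, uid, signal):
#   count|command|uid|signal|number_of_core_dumps
summarize_sigexits() {
    sed -n 's/.*pid [0-9][0-9]* (\(.*\)), uid \([0-9][0-9]*\): exited on signal \([0-9][0-9]*\)\(.*\)$/\1|\2|\3|\4/p' |
    awk -F'|' '
        { key = $1 "|" $2 "|" $3; n[key]++; if ($4 ~ /core dumped/) c[key]++ }
        END { for (k in n) print n[k] "|" k "|" (c[k] + 0) }' |
    LC_ALL=C sort -t'|' -k2,2
}

# Print commands that ran as uid 0 and died of SIGSYS at least $1 times
# (default 2). Repeated hits on one binary suggest it does not match the
# running kernel or has been altered, rather than a one-off crash.
flag_root_sigsys() {
    summarize_sigexits |
    awk -F'|' -v min="${1:-2}" -v sig="$SIGSYS" \
        '$3 == 0 && $4 == sig && $1 >= min { print $2 }'
}

# Usage on a live system (log path is the FreeBSD default):
#   flag_root_sigsys < /var/log/messages
```

Any binary it names is the one to compare against a known-good copy for the installed release before moving on to truss, ktrace or the core file.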
