'[crt-users] chkrootkit /usr/bin/find error msg again'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       chkrootkit-users
Subject:    [crt-users] chkrootkit /usr/bin/find error msg again
From:       "Mike Vanecek" <ckroot_list () mm-vanecek ! cc>
Date:       2003-08-18 20:12:03
[Download RAW message or body]

Argg, it is back again and it makes no sense ... it only happens with the
chkrootkit run triggered from crontab and it does not always happen:

From: root    
To: root
Subject: chkrootkit output
 
/usr/bin/find: //proc/11352/fd: No such file or directory

/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/CPAN/.packlist
....

[root@www root]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
30 3 1 * * root run-parts /etc/cron.monthly
 
# check for tripwire reports files and delete old ones
40 4 * * * root /usr/bin/find  /var/lib/tripwire/report -daystart -type f
-mtime -90 -mtime +29 | xargs -r rm
 
# run wormscan daily and mail results to root
20 3 * * * root cd /usr/local/worm; ./run_worm -q 2>&1 | mail -s "wormscan
output" root
 
# check for rootkits daily and mail results to root
0 3 * * * root /usr/local/bin/chkrootkit.wrapper
 
# run the logck program daily and mail results to root
50 23 * * * root /usr/local/bin/logck 2>&1 | mail -s "logck output" root
 
[root@www root]# cat /usr/local/bin/chkrootkit.wrapper
cd /usr/sbin;
(./chkrootkit -q 2>&1 > /tmp/chout.$$
if grep -qi 'No such file or directory' /tmp/chout.$$ ; then
    procs=` grep -i 'No such file or directory' /tmp/chout.$$ | tr -cd "0-9 " `
    ps -lp $procs
    for i in $procs ; do
         echo ______ proc $i
         ls -la /proc/$i
    done
fi
cat /tmp/chout.$$
# rm /tmp/chout.$$
)  | mail -s "chkrootkit output" root;

I commented out the rm /tmp/chout.$$ so I could look at it later. Guess what,
that no such file message is NOT in /tmp/chout.$$.

[admin@www tmp]$ d chout*
-rw-r--r--    1 root     root         1.2K Aug 18 03:03 chout.10953
-rw-r--r--    1 root     root         1.2K Aug 15 03:05 chout.15302
-rw-r--r--    1 root     root         1.2K Aug 16 03:05 chout.20738
-rw-r--r--    1 root     root         1.2K Aug 17 03:03 chout.27054
-rw-r--r--    1 root     root         1.2K Aug 13 03:03 chout.3281
-rw-r--r--    1 root     root         1.2K Aug 14 03:04 chout.9378
[admin@www tmp]$ grep file /tmp/chout*
--- nothing found ---- !!!

So, how the heck is that message getting into what is being mailed??


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic