chkrootkit /usr/bin/find error msg

The "No such file or directory" message in a crontab-generated action makes no
sense ... it only happens with the chkrootkit run triggered from crontab and
it does not always happen. If I run the script manually, I never get the "No
such" message. Note from below that that message is not generated by chkrootkit:

From: root    
To: root
Subject: chkrootkit output
 
/usr/bin/find: //proc/11352/fd: No such file or directory

/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/CPAN/.packlist
....

[root@www root]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
30 3 1 * * root run-parts /etc/cron.monthly
 
# check for tripwire reports files and delete old ones
40 4 * * * root /usr/bin/find  /var/lib/tripwire/report -daystart -type f -mtime -90 -mtime +29 | xargs -r rm
 
# run wormscan daily and mail results to root
20 3 * * * root cd /usr/local/worm; ./run_worm -q 2>&1 | mail -s "wormscan output" root
 
# check for rootkits daily and mail results to root
0 3 * * * root /usr/local/bin/chkrootkit.wrapper
 
# run the logck program daily and mail results to root
50 23 * * * root /usr/local/bin/logck 2>&1 | mail -s "logck output" root
 
[root@www root]# cat /usr/local/bin/chkrootkit.wrapper
cd /usr/sbin;
(./chkrootkit -q 2>&1 > /tmp/chout.$$
if grep -qi 'No such file or directory' /tmp/chout.$$ ; then
    procs=` grep -i 'No such file or directory' /tmp/chout.$$ | tr -cd "0-9 " `
    ps -lp $procs
    for i in $procs ; do
         echo ______ proc $i
         ls -la /proc/$i
    done
fi
cat /tmp/chout.$$
# rm /tmp/chout.$$
)  | mail -s "chkrootkit output" root;

I commented out the rm /tmp/chout.$$ so I could look at it later. Guess what,
that "No such file" message is NOT in /tmp/chout.$$.

[admin@www tmp]$ d chout*
-rw-r--r--    1 root     root         1.2K Aug 18 03:03 chout.10953
-rw-r--r--    1 root     root         1.2K Aug 15 03:05 chout.15302
-rw-r--r--    1 root     root         1.2K Aug 16 03:05 chout.20738
-rw-r--r--    1 root     root         1.2K Aug 17 03:03 chout.27054
-rw-r--r--    1 root     root         1.2K Aug 13 03:03 chout.3281
-rw-r--r--    1 root     root         1.2K Aug 14 03:04 chout.9378

[admin@www tmp]$ grep file /tmp/chout*
--- nothing found ---- !!!

So, how the heck is that message getting into what is being mailed??


-- 
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
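
Added example, not part of the original post: the redirection order used in the wrapper (`2>&1 > /tmp/chout.$$`) run next to the reversed order, showing where a line written to stderr ends up in each case. `fake_scan` is a constructed stand-in for chkrootkit and all function names are hypothetical; `mktemp -d` is used here instead of a predictable `/tmp/chout.$$` path.

```shell
#!/bin/sh
# Constructed stand-in for chkrootkit: one result line on stdout, and on
# stderr the kind of line find prints when a process exits while /proc is
# being walked.
fake_scan() {
    echo "/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist"
    echo "/usr/bin/find: //proc/11352/fd: No such file or directory" >&2
}

# Order used in the wrapper: "2>&1" first points stderr at stdout's current
# target (the pipe), then "> file" moves only stdout to the file.
# Prints whatever went down the pipe; $1 is the capture file.
run_wrapper_order() {
    ( fake_scan 2>&1 > "$1" ) | cat
}

# Reversed order: stdout goes to the file first, then stderr follows it there.
run_fixed_order() {
    ( fake_scan > "$1" 2>&1 ) | cat
}

# Count "No such file" lines in a capture file (prints 0 if there are none).
count_nosuch() {
    grep -ci 'No such file or directory' "$1" || true
}

# Run both orders in a private temporary directory and report the results.
demo() (
    dir=$(mktemp -d) || exit 1
    a="$dir/wrapper.out"
    b="$dir/fixed.out"
    echo "wrapper order, sent down the pipe: $(run_wrapper_order "$a")"
    echo "wrapper order, matches in file:    $(count_nosuch "$a")"
    echo "fixed order, sent down the pipe:   $(run_fixed_order "$b")"
    echo "fixed order, matches in file:      $(count_nosuch "$b")"
    rm -rf "$dir"
)

demo
```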
