When I arrived at work this morning I noticed an oh-so-fun email from
cron reporting that chkrootkit had found a hidden process. After a good
hour of research (and some replaced binaries, of course) I came to the
conclusion that it was a false positive.
While searching, though, I did notice that I have nine processes hidden
from both ps and readdir, all mysql. Example output follows:
/usr/lib/chkrootkit/chkproc -v -v
PID 1230(/proc/1230): not in readdir output
PID 1230: not in ps output
CWD 1230: /var/lib/mysql
EXE 1230: /usr/sbin/mysqld
... (report the same for 1231 - 1238)
You have 9 process hidden for readdir command
You have 9 process hidden for ps command
The command `cat /proc/1230/cmdline` outputs:
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql
--pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306
If I shut down mysqld chkproc reports nothing, and interestingly, whether
or not mysqld is running, the main chkrootkit doesn't report the nine
hidden processes.
I did a bit of googling and looking at mysql.com, but I didn't see
anything indicating why these processes are hidden from ps and readdir.
Does anyone have any insight?
mysqld Ver 4.1.10 for pc-linux-gnu on i386 (Source distribution) on
Linux 2.6.9 SMP
Lumberjack Mordam Music Group, Inc.
5920 American Rd E
Toledo, OH 43613
Fry: "I must be a robot. Why else would human women refuse to date me?"
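As an added example (my own script, not part of the post above and not chkrootkit's code), the following repeats chkproc's check and then adds the one thing chkproc does not do: it reads Tgid from /proc/<pid>/status for each PID that answers to stat() but is missing from readdir(/proc). On Linux 2.6 every thread has its own /proc/<tid> directory that readdir of /proc deliberately omits, so a thread whose Tgid is a different, listed PID is a thread of that process rather than a process hidden by a rootkit. The fixture at the bottom is constructed to mirror the report in the post: PID 1229 as the mysqld thread group leader is an assumption (the post does not name it), 1230-1238 are its threads, and 4242 is a made-up PID that really is absent from readdir. The live scan in scan_proc() walks 1..pid_max like chkproc does and can take a while on a kernel with a large pid_max.

```python
#!/usr/bin/env python3
"""Re-check chkproc "hidden process" verdicts against /proc/<pid>/status.

Added example, not chkrootkit's code. chkproc brute-forces /proc/1..pid_max
and reports any PID that stat() can see but readdir(/proc) does not list.
Threads of a process are exactly such PIDs, so we look up Tgid to tell a
thread of a visible process apart from a PID that is genuinely unlisted.
"""
import os


def parse_status(text):
    """Return the Name/Pid/Tgid/PPid fields of a /proc/<pid>/status file."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in ("Name", "Pid", "Tgid", "PPid"):
            fields[key] = value.strip()
    return fields


def classify(candidates, listed, status_of):
    """Classify each candidate PID.

    candidates: PIDs for which stat(/proc/<pid>) succeeded
    listed:     set of PIDs returned by readdir(/proc)
    status_of:  callable pid -> contents of /proc/<pid>/status, or None

    Returns {pid: (verdict, tgid)} with verdict one of
    "visible" (in readdir), "thread" (unlisted, but Tgid is a listed PID),
    "hidden" (unlisted and not explained by a listed thread group).
    """
    result = {}
    for pid in candidates:
        if pid in listed:
            result[pid] = ("visible", None)
            continue
        text = status_of(pid)
        fields = parse_status(text) if text else {}
        tgid = fields.get("Tgid")
        tgid = int(tgid) if tgid and tgid.isdigit() else None
        if tgid is not None and tgid != pid and tgid in listed:
            result[pid] = ("thread", tgid)   # LWP of a visible process
        else:
            result[pid] = ("hidden", tgid)   # really not in readdir output
    return result


def scan_proc(proc_root="/proc"):
    """Live version: brute-force PIDs like chkproc, then classify them."""
    listed = {int(d) for d in os.listdir(proc_root) if d.isdigit()}
    with open(os.path.join(proc_root, "sys", "kernel", "pid_max")) as f:
        max_pid = int(f.read())
    # stat() on /proc/<tid> succeeds for threads even though readdir omits them
    candidates = [p for p in range(1, max_pid + 1)
                  if os.path.exists(os.path.join(proc_root, str(p)))]

    def status_of(pid):
        try:
            with open(os.path.join(proc_root, str(pid), "status")) as f:
                return f.read()
        except OSError:
            return None

    return classify(candidates, listed, status_of)


# Constructed fixture modelled on the post. PID 1229 as the mysqld thread
# group leader is an assumption; 1230-1238 are its threads; 4242 is a
# made-up PID that is absent from readdir and belongs to no listed process.
FIXTURE_LISTED = {1, 1229}
FIXTURE_STATUS = {
    1: "Name:\tinit\nPid:\t1\nTgid:\t1\n",
    1229: "Name:\tmysqld\nPid:\t1229\nTgid:\t1229\n",
    4242: "Name:\tmysqld\nPid:\t4242\nTgid:\t4242\n",
}
for _tid in range(1230, 1239):
    FIXTURE_STATUS[_tid] = "Name:\tmysqld\nPid:\t%d\nTgid:\t1229\n" % _tid


def demo():
    """Classify the constructed fixture; nine threads and one hidden PID."""
    return classify(sorted(FIXTURE_STATUS), FIXTURE_LISTED, FIXTURE_STATUS.get)


if __name__ == "__main__":
    verdicts = scan_proc() if os.path.isdir("/proc") else demo()
    for pid, (verdict, tgid) in sorted(verdicts.items()):
        if verdict != "visible":
            print("PID %d: %s%s" % (pid, verdict,
                                    " of %d" % tgid if tgid else ""))
```

Run it as root alongside chkproc: every PID chkproc reports as "not in readdir output" should come back as "thread of <pid>" where <pid> is a visible daemon; anything that comes back "hidden" with no listed thread group leader is the case worth treating as a real finding.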