List: General Discussion
From: Chris Wells
Date: November 4 2005 2:06pm
Subject: Mysql hidden processes
Hello folks,

When I arrived at work this morning I noticed an oh-so-fun email from 
cron reporting that chkrootkit had found a hidden process.  After a good 
hour of research (and some replaced binaries, of course) I came to the 
conclusion that it was a false positive.

Although, while searching I did notice that I have nine processes hidden 
from both ps and readdir, all mysql.  Example output follows:

/usr/lib/chkrootkit/chkproc -v -v

PID  1230(/proc/1230): not in readdir output
PID  1230: not in ps output
CWD  1230: /var/lib/mysql
EXE  1230: /usr/sbin/mysqld
... (report the same for 1231 - 1238)
You have     9 process hidden for readdir command
You have     9 process hidden for ps command

The command `cat /proc/1230/cmdline` outputs:

/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql 
--pid-file=/var/run/mysqld/ --skip-locking --port=3306 

If I shut down mysqld, chkproc reports nothing, and interestingly, whether 
or not mysqld is running, the main chkrootkit doesn't report the nine 
processes hidden.

I did a bit of googling and looking at, but I didn't see 
anything indicating why these processes are hidden from ps and readdir. 
  Does anyone have any insight?

mysqld  Ver 4.1.10 for pc-linux-gnu on i386 (Source distribution) on 
Linux 2.6.9 SMP

Chris Wells
Web Developer
Lumberjack Mordam Music Group, Inc.
5920 American Rd E
Toledo, OH 43613
Fry: "I must be a robot. Why else would human women refuse to date me?"
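
Added triage example (not part of the original message and not chkrootkit code): on Linux 2.6 with NPTL, a thread ID can be opened as /proc/<tid> but is not returned when listing /proc, so a flagged PID whose Tgid in /proc/<pid>/status points at a listed process is a thread of that process. That this explains the report above is an assumption; the sample chkproc output and all function names are constructed for illustration.

```python
import os
import re

# Constructed sample in the format of the chkproc -v -v output quoted above.
SAMPLE_CHKPROC = """\
PID  1230(/proc/1230): not in readdir output
PID  1230: not in ps output
PID  1231(/proc/1231): not in readdir output
PID  1231: not in ps output
PID  4242(/proc/4242): not in readdir output
PID  4242: not in ps output
"""

def reported_pids(chkproc_output):
    """Return the PIDs chkproc flagged as missing from readdir, in order."""
    pattern = r"^PID\s+(\d+)\(/proc/\d+\): not in readdir output"
    return [int(p) for p in re.findall(pattern, chkproc_output, re.M)]

def tgid_of(status_text):
    """Extract the thread-group ID from the text of /proc/<pid>/status."""
    match = re.search(r"^Tgid:\s*(\d+)", status_text, re.M)
    return int(match.group(1)) if match else None

def classify(pid, status_text, listed_pids):
    """Decide whether a flagged PID is a thread of a listed process."""
    if status_text is None:
        return "gone"                      # exited between scan and triage
    tgid = tgid_of(status_text)
    if tgid is None:
        return "unknown"                   # status had no Tgid line
    if tgid != pid and tgid in listed_pids:
        return "thread of %d" % tgid       # expected: threads are not listed
    if pid in listed_pids:
        return "listed"                    # visible now; likely a scan race
    return "investigate"                   # own thread group, yet unlisted

def triage(chkproc_output, proc_root="/proc"):
    """Classify every flagged PID against the live /proc (Linux only)."""
    listed = {int(n) for n in os.listdir(proc_root) if n.isdigit()}
    results = {}
    for pid in reported_pids(chkproc_output):
        try:
            with open(os.path.join(proc_root, str(pid), "status")) as fh:
                status = fh.read()
        except OSError:
            status = None
        results[pid] = classify(pid, status, listed)
    return results
```

Only PIDs classified as "investigate" warrant a closer look; "thread of N" entries can be cross-checked with `ps -eLf`, which lists threads.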