List:General Discussion« Previous MessageNext Message »
From:Chris Wells Date:November 4 2005 3:44pm
Subject:Re: Mysql hidden processes
View as plain text  
Jeff Smelser wrote:
> On Friday 04 November 2005 08:06 am, Chris Wells wrote:
>> /usr/lib/chkrootkit/chkproc -v -v
>> PID  1230(/proc/1230): not in readdir output
>> PID  1230: not in ps output
>> CWD  1230: /var/lib/mysql
>> EXE  1230: /usr/sbin/mysqld
>> ... (report the same for 1231 - 1238)
>> You have     9 process hidden for readdir command
>> You have     9 process hidden for ps command
>> The command `cat /proc/1230/cmdline` outputs:
>> /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql
>> --pid-file=/var/run/mysqld/ --skip-locking --port=3306
>> --socket=/var/run/mysqld/mysqld.sock
> Isnt this just nptl showing 1 process instead of 9 because it shared? Just add 
> H to the ps command and you will see them.
> Jeff

That's pretty much what I figured, but I couldn't find anything 
specifically noting that.  I just wanted to hear it confirmed from 
someone else before I completely wrote this off as a (sort of) 
false-positive from chkrootkit.

And yes, as expected, `ps Haux` shows all of them.  And `ps aux -L` 
shows everything with the parent thread listed.


Mysql hidden processesChris Wells4 Nov
  • Re: Mysql hidden processesJeff Smelser4 Nov
    • Re: Mysql hidden processesChris Wells4 Nov