Jeff Smelser wrote:
> On Friday 04 November 2005 08:06 am, Chris Wells wrote:
>> /usr/lib/chkrootkit/chkproc -v -v
>> PID 1230(/proc/1230): not in readdir output
>> PID 1230: not in ps output
>> CWD 1230: /var/lib/mysql
>> EXE 1230: /usr/sbin/mysqld
>> ... (report the same for 1231 - 1238)
>> You have 9 process hidden for readdir command
>> You have 9 process hidden for ps command
>> The command `cat /proc/1230/cmdline` outputs:
>> /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql
>> --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306
> Isnt this just nptl showing 1 process instead of 9 because it shared? Just add
> H to the ps command and you will see them.
That's pretty much what I figured, but I couldn't find anything
specifically noting that. I just wanted to hear it confirmed from
someone else before I completely wrote this off as a (sort of)
false-positive from chkrootkit.
And yes, as expected, `ps Haux` shows all of them. And `ps aux -L`
shows everything with the parent thread listed.