tomcat-users mailing list archives

From "Shapira, Yoav" <Yoav.Shap...@mpi.com>
Subject RE: Tomcat and chkrootkit
Date Tue, 30 Nov 2004 14:33:21 GMT

Hi,
For the Tomcat ones, these are threads that are mistakenly reported as
processes by the ps (and other, such as top) commands.  It's really one
JVM process with many threads.  This is expected and normal.

For MySQL, the situation might be the same but I'm not sure, so
hopefully others can confirm or deny.

Yoav Shapira http://www.yoavshapira.com
 

>-----Original Message-----
>From: Nick Goupinets [mailto:ngoupinets@openskysolutions.ca]
>Sent: Tuesday, November 30, 2004 9:29 AM
>To: tomcat-user@jakarta.apache.org
>Subject: Tomcat and chkrootkit
>
>Hi everybody,
>
>I tried checking my system (Slackware 9.1) with chkrootkit. The check
>generated the following:
>
>Checking `lkm'... You have   106 process hidden for ps command
>Warning: Possible LKM Trojan installed
>
>When running the detailed search for LKM modules, chkrootkit reported a
>whole bunch of Tomcat and mysql processes hidden from the ps command:
>
>ROOTDIR is `/'
>###
>### Output of: ./chkproc -v -v -p 1
>###
>PID 11737: not in ps output
>CWD 11737: /usr/local/mysql-standard-4.1.4-gamma-pc-linux-i686/data
>EXE 11737: /usr/local/mysql-standard-4.1.4-gamma-pc-linux-i686/bin/mysqld
>PID 11738: not in ps output
>CWD 11738: /usr/local/mysql-standard-4.1.4-gamma-pc-linux-i686/data
>EXE 11738: /usr/local/mysql-standard-4.1.4-gamma-pc-linux-i686/bin/mysqld
>PID 11739: not in ps output
>
>.....
>
>CWD 11796: /usr/local/jakarta-tomcat-5.0.19/bin
>EXE 11796: /usr/java/j2sdk1.4.2_04/bin/java
>PID 11797: not in ps output
>CWD 11797: /usr/local/jakarta-tomcat-5.0.19/bin
>EXE 11797: /usr/java/j2sdk1.4.2_04/bin/java
>PID 11798: not in ps output
>CWD 11798: /usr/local/jakarta-tomcat-5.0.19/bin
>EXE 11798: /usr/java/j2sdk1.4.2_04/bin/java
>PID 11799: not in ps output
>CWD 11799: /usr/local/jakarta-tomcat-5.0.19/bin
>EXE 11799: /usr/java/j2sdk1.4.2_04/bin/java
>PID 11800: not in ps output
>CWD 11800: /usr/local/jakarta-tomcat-5.0.19/bin
>EXE 11800: /usr/java/j2sdk1.4.2_04/bin/java
>PID 11801: not in ps output
>CWD 11801: /usr/local/jakarta-tomcat-5.0.19/bin
>EXE 11801: /usr/java/j2sdk1.4.2_04/bin/java
>PID 11802: not in ps output
>
>.....
>
>CWD 11987: /usr/local/jakarta-tomcat-5.0.19/bin
>EXE 11987: /usr/java/j2sdk1.4.2_04/bin/java
>PID 11998: not in ps output
>CWD 11998: /usr/local/jakarta-tomcat-5.0.19/bin
>EXE 11998: /usr/java/j2sdk1.4.2_04/bin/java
>PID 12016: not in ps output
>CWD 12016: /usr/local/mysql-standard-4.1.4-gamma-pc-linux-i686/data
>EXE 12016: /usr/local/mysql-standard-4.1.4-gamma-pc-linux-i686/bin/mysqld
>PID 12022: not in ps output
>CWD 12022: /usr/local/mysql-standard-4.1.4-gamma-pc-linux-i686/data
>EXE 12022: /usr/local/mysql-standard-4.1.4-gamma-pc-linux-i686/bin/mysqld
>You have    77 process hidden for ps command
>
>I am wondering if this is something normal and expected, or I have to
>investigate this issue deeper.
>
>Thank you very much.
>
>Sincerely,
>Nick.
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
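
One way to triage the "not in ps output" entries discussed in this thread, as an added example that is not part of either message or of chkrootkit: it parses the verbose chkproc listing and checks whether each reported PID is a thread of another process. It assumes a Linux kernel that exposes `Tgid` in `/proc/<pid>/status`; the function names and the sample listing are constructed for illustration.

```python
import re

# Constructed sample in the quoted chkproc format, with one mail-wrapped EXE path.
SAMPLE = """\
PID 4101: not in ps output
CWD 4101: /opt/example-db/data
EXE 4101:
/opt/example-db/bin/mysqld
PID 4210: not in ps output
EXE 4210: /opt/example-jdk/bin/java
PID 4211: not in ps output
"""
LINE = re.compile(r"^>?\s*(PID|CWD|EXE) (\d+):\s*(.*)$")

def parse_chkproc(text):
    """Return {pid: {"CWD": ..., "EXE": ...}}, rejoining wrapped values."""
    procs, pending = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            kind, pid, value = m.group(1), int(m.group(2)), m.group(3).strip()
            entry, pending = procs.setdefault(pid, {}), None
            if kind != "PID" and value:
                entry[kind] = value
            elif kind != "PID":
                pending = (entry, kind)     # value wrapped onto the next line
        elif pending and raw.strip():
            pending[0][pending[1]] = raw.strip().lstrip(">").strip()
            pending = None
    return procs

def read_tgid(pid, proc_root="/proc"):
    """Thread-group ID from /proc/<pid>/status, or None if unreadable."""
    try:
        with open(f"{proc_root}/{pid}/status") as fh:
            fields = dict(l.split(":", 1) for l in fh if ":" in l)
        return int(fields["Tgid"])
    except (OSError, KeyError, ValueError):
        return None

def triage(procs, tgid_of=read_tgid):
    """Label each PID: 'gone', 'thread of <tgid>', or 'investigate' (a leader)."""
    def label(pid, tgid):
        if tgid is None:
            return "gone"
        return "investigate" if tgid == pid else f"thread of {tgid}"
    return {pid: label(pid, tgid_of(pid)) for pid in procs}

if __name__ == "__main__":
    print(triage(parse_chkproc(SAMPLE)))
```

A PID labelled `thread of N` is a task inside process N, so confirm that N itself appears in `ps`; a PID labelled `investigate` is a thread-group leader that `ps` does not list and deserves a closer look.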



