On Wed, 13 Feb 2008, ronan wrote:
>> Curiouser and curiouser. "rxvt -e bash -c exit" pops us the rxvt window
>> right away then disappears (after a few seconds) as expected, "time rxvt -e
>> bash -c exit" hangs. "xterm -e bash -c exit" pauses before appearing, "time
>> xterm -e bash -c exit" runs in, well it's weird:
>>
>> eben@pc:~$ time xterm -e bash -c exit
>>
>> real 0m5.029s
>> user 0m0.011s
>> sys 0m0.005s
>>
>> X is honked up (in a way that hangs rxvt but not xterm)?
>>
> You could try "strace": strace xterm -r bash -c exit
("xterm -e")
It pauses on this line:
read(7, "\2\0\0\0\0\0\0\0\210\23\0\0\1\0\0\0\0\0\0\0\0\0\0\0/de"..., 1048) = 1048
after the "read(7,". fd 7 is ... well, I don't see any open*() [1] giving a
file descriptor that big. The largest I see before the pause are these:
open("/usr/lib/X11/locale/common/ximcp.so.2", O_RDONLY) = 5
open("/usr/share/X11/locale/compose.dir", O_RDONLY) = 5
open("/usr/share/X11/locale/iso8859-1/Compose", O_RDONLY) = 5
open("/lib/terminfo/x/xterm", O_RDONLY|O_LARGEFILE) = 5
Are there other operations which can give a file descriptor?
> The rootkit is an interesting possibility.
Pretty poor rootkit if it doesn't use the CPU and doesn't open connections:
root@pc:~# netstat -A inet -ap | grep -v WAIT
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:xtelw *:* LISTEN 5129/festival
tcp 0 0 *:netbios-ssn *:* LISTEN 5647/smbd
tcp 0 0 *:www *:* LISTEN 28973/thttpd
tcp 0 0 *:domain *:* LISTEN 4882/dnsmasq
tcp 0 0 *:8118 *:* LISTEN 20908/privoxy
tcp 0 0 *:ssh *:* LISTEN 5786/sshd
tcp 0 0 localhost.localdoma:ipp *:* LISTEN 28866/cupsd
tcp 0 0 *:nntp *:* LISTEN 6012/xinetd
tcp 0 0 localhost.localdom:smtp *:* LISTEN 5516/master
tcp 0 0 localhost.localdom:9050 *:* LISTEN 5986/tor
tcp 0 0 *:microsoft-ds *:* LISTEN 5647/smbd
tcp 0 0 localhost.localdom:3551 *:* LISTEN 4794/apcupsd
udp 0 0 *:syslog *:* 24114/syslogd
udp 0 0 pc:netbios-ns *:* 5645/nmbd
udp 0 0 172.16.164.1:netbios-ns *:* 5645/nmbd
udp 0 0 172.16.253.1:netbios-ns *:* 5645/nmbd
udp 0 0 *:netbios-ns *:* 5645/nmbd
udp 0 0 pc:netbios-dgm *:* 5645/nmbd
udp 0 0 172.16.164.:netbios-dgm *:* 5645/nmbd
udp 0 0 172.16.253.:netbios-dgm *:* 5645/nmbd
udp 0 0 *:netbios-dgm *:* 5645/nmbd
udp 0 0 *:domain *:* 4882/dnsmasq
raw 0 0 *:icmp *:* 7 6598/vmnet-natd
That last one looks kinda weird, but I just searched for *vmnet-natd* and
it's in /usr/local/bin, along with other vmnet* tools. Other than that,
they're all parked on ports I fully expect to be in use.
[1] xterm -e bash -c exit 2>&1 | grep 'open.* =' | grep -v ENOENT
--
-eben QebWenE01R@vTerYizUonI.nOetP royalty.mine.nu:81
Logic is a systematic method of coming to the wrong conclusion with confidence.

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.
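Finding which call handed out a descriptor like fd 7, as an added example that is not part of the original thread: the footnote greps only for open(), but descriptors also come from socket(), pipe(), dup() and similar calls, so this script walks an strace log in order, tracks every fd-returning syscall and close(), and reports the originating call for each read(). The sample trace lines are constructed, and the idea that fd 7 was a socket to the X server is an assumption for illustration, not a finding from the thread.

```python
import re

# Syscalls whose return value is a newly allocated file descriptor.
# Assumption: this list covers the common Linux cases seen in strace output.
FD_CREATORS = {"open", "openat", "creat", "socket", "accept", "accept4",
               "dup", "dup2", "dup3", "eventfd", "eventfd2", "epoll_create",
               "inotify_init", "memfd_create", "timerfd_create"}
# Syscalls that return two new fds in a bracketed pair, e.g. pipe([8, 9]) = 0
FD_PAIR_CREATORS = {"pipe", "pipe2", "socketpair"}

LINE_RE = re.compile(r"^(\w+)\((.*)\)\s*=\s*(-?\d+)")

def trace_fd_origins(lines):
    """Walk strace lines in order; return (open_fds, reads) where open_fds maps
    fd -> the call that produced it and reads lists (fd, origin) per read()."""
    table, reads = {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # signals, '<unfinished ...>' lines, blank lines
        call, args, ret = m.group(1), m.group(2), int(m.group(3))
        if call in FD_CREATORS and ret >= 0:
            table[ret] = f"{call}({args})"
        elif call in FD_PAIR_CREATORS and ret == 0:
            pair = re.search(r"\[(\d+),\s*(\d+)\]", args)
            if pair:
                for fd in map(int, pair.groups()):
                    table[fd] = f"{call}({args})"
        elif call == "connect" and ret == 0:
            fd = int(args.split(",", 1)[0])
            if fd in table:  # annotate the socket with the peer it connected to
                table[fd] += f" -> connect({args})"
        elif call == "close" and ret == 0:
            table.pop(int(args), None)  # fd number may be reused later
        elif call == "read":
            fd = int(args.split(",", 1)[0])
            reads.append((fd, table.get(fd, "unknown (inherited or untracked)")))
    return table, reads

# Constructed sample trace, modelled on the lines quoted in the thread.
SAMPLE_TRACE = r"""
open("/lib/terminfo/x/xterm", O_RDONLY|O_LARGEFILE) = 5
close(5) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 7
connect(7, {sa_family=AF_FILE, path="/tmp/.X11-unix/X0"}, 110) = 0
open("/usr/share/X11/locale/compose.dir", O_RDONLY) = 5
pipe([8, 9]) = 0
read(7, "\2\0\0\0\0\0\0\0\210\23\0\0\1\0\0\0"..., 1048) = 1048
""".strip().splitlines()

if __name__ == "__main__":
    for fd, origin in trace_fd_origins(SAMPLE_TRACE)[1]:
        print(f"read on fd {fd} came from: {origin}")
```

Run it against a real log with `strace -o log xterm -e bash -c exit` and pass the file's lines instead of SAMPLE_TRACE; the last read() reported before the hang is the one to look at.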
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:00:48 EDT