>> You could try "strace": strace xterm -r bash -c exit
>
> ("xterm -e")
>
> It pauses on this line:
>
> read(7, "\2\0\0\0\0\0\0\0\210\23\0\0\1\0\0\0\0\0\0\0\0\0\0\0/de"...,
> 1048) = 1048
>
> after the "read(7,". fd 7 is ... well, I don't see any open*() [1]
> giving a file descriptor that big. The largest I see before the pause
> are these:
I'm going out on a limb here, but could a tool like "lsof" show you
which file (if any) is attached to fd[7]? Or maybe by looking in the
/proc filesystem under that PID?
>
>
> open("/usr/lib/X11/locale/common/ximcp.so.2", O_RDONLY) = 5
> open("/usr/share/X11/locale/compose.dir", O_RDONLY) = 5
> open("/usr/share/X11/locale/iso8859-1/Compose", O_RDONLY) = 5
> open("/lib/terminfo/x/xterm", O_RDONLY|O_LARGEFILE) = 5
>
> Are there other operations which can give a file descriptor?
Other system calls that can allocate a file descriptor: socket, mmap,
pipe-something-or-other?
>
>> The rootkit is an interesting possibility.
>
> Pretty poor rootkit if it doesn't use the CPU and doesn't open
> connections:
>
> root@pc:~# netstat -A inet -ap | grep -v WAIT
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
> tcp 0 0 *:xtelw *:* LISTEN 5129/festival
...
Don't forget that much of the point of a rootkit is that the tools that
you would use to diagnose your system have been altered to help hide the
rootkit. There might be processes and connections that your tools aren't
showing you.
--ronan
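The quoted question of which system calls besides open*() hand back a file descriptor can be answered from the strace log itself. The script below is an added example, not part of this thread: it replays a constructed trace in strace's output format, records every fd-returning call it knows about (open, socket, pipe, dup and friends, plus fcntl F_DUPFD), forgets fds on close(), and flags any read on an fd whose creation never appeared in the trace, which is what an inherited or pre-trace descriptor looks like. The sample trace and the list of fd-returning syscalls are assumptions for illustration, not the poster's data.

```python
import re
from typing import Dict, List, Tuple

# Syscalls whose return value is a fresh file descriptor (a subset; extend as needed).
FD_RETURNING = {"open", "openat", "creat", "socket", "accept", "accept4", "dup",
                "dup2", "dup3", "eventfd", "eventfd2", "inotify_init", "inotify_init1",
                "epoll_create", "epoll_create1", "signalfd", "timerfd_create", "memfd_create"}
PAIR_RETURNING = {"pipe", "pipe2", "socketpair"}   # two fds via an out-parameter array
FD_USING = {"read", "write", "recvfrom", "recvmsg", "sendto", "sendmsg", "ioctl"}

# One strace line: optional "[pid N]" prefix (strace -f), then name(args) = retval.
LINE_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(\w+)\((.*)\)\s*=\s*(-?\d+)")
PAIR_RE = re.compile(r"\[(\d+),\s*(\d+)\]")

def track_fds(lines):
    """Replay an strace log. Returns ({fd: creating call}, [(fd, syscall), ...]) where the
    list holds uses of fds never seen being created (inherited or opened before tracing)."""
    open_fds: Dict[int, str] = {}
    unexplained: List[Tuple[int, str]] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:                       # unfinished/resumed lines, signals, exit status
            continue
        name, args, ret = m.group(1), m.group(2), int(m.group(3))
        first_arg = args.split(",")[0].strip()
        if name in FD_RETURNING and ret >= 0:
            open_fds[ret] = f"{name}({args})"
        elif name == "fcntl" and "F_DUPFD" in args and ret >= 0:   # F_DUPFD allocates too
            open_fds[ret] = f"{name}({args})"
        elif name in PAIR_RETURNING and ret == 0:
            pm = PAIR_RE.search(args)
            if pm:
                for fd in map(int, pm.groups()):
                    open_fds[fd] = f"{name}({args})"
        elif name == "close" and ret == 0:
            open_fds.pop(int(first_arg), None)
        elif name in FD_USING and first_arg.isdigit() and int(first_arg) not in open_fds:
            unexplained.append((int(first_arg), name))
    return open_fds, unexplained

# Constructed sample in strace's output format (not the poster's actual trace).
SAMPLE_TRACE = r"""socket(PF_UNIX, SOCK_STREAM, 0) = 3
open("/lib/terminfo/x/xterm", O_RDONLY|O_LARGEFILE) = 5
close(5) = 0
pipe([6, 7]) = 0
read(7, "\2\0\0\0\0\0\0\0\210\23\0\0\1\0\0\0", 1048) = 1048
read(9, "\1", 1) = 1"""

if __name__ == "__main__":
    fds, odd = track_fds(SAMPLE_TRACE.splitlines())
    for fd, origin in sorted(fds.items()):
        print(f"fd {fd}: {origin}")
    for fd, call in odd:
        print(f"{call} on fd {fd}: origin not in trace (inherited or pre-trace)")
```

Feed it the real log with `python3 fdtrack.py < trace.txt` after replacing SAMPLE_TRACE with `sys.stdin`; for a live process, `ls -l /proc/PID/fd` gives the same answer without replaying anything.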
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:01:07 EDT