Bug 80611 - possible bug in procps-2.0.7-25.i386.rpm?
Summary: possible bug in procps-2.0.7-25.i386.rpm?
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: procps
Version: 8.0
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Alexander Larsson
QA Contact: Brian Brock
Depends On:
TreeView+ depends on / blocked
Reported: 2002-12-28 18:22 UTC by Need Real Name
Modified: 2007-04-18 16:49 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2003-01-06 13:02:15 UTC

Attachments (Terms of Use)

Description Need Real Name 2002-12-28 18:22:32 UTC
Description of problem:

ps is accused of possibly being infected with the lkm worm by the latest

Version-Release number of selected component (if applicable):

How reproducible:
Run the latest chkrootkit-0.38

Steps to Reproduce:
1. run chkrootkit-0.38.
2. look at things with kpm.
3. note kpm see's processes that ps -ea doesn't.
Actual results:

With gkrellm and mozilla-1.01 running, chkrootkits './chkproc -v -v'
will report 6 processes that are hidden by ps.  One will be a 2nd copy of
gkrellm, and 5 will be mozilla children.

Expected results:

No hidden processes.

Additional info:

gnorpm's verify function says procps is exactly the same as the rpm installed it.
Reverting to the 7.3 supplied version of procps-2.0.7-12.i386.rpm apparently
fixes everything.

Comment 1 Miloslav Trmac 2002-12-28 21:08:14 UTC
If you read the release notes, you would notice that
ps hides threads of a single process by default, unless
you use the -m parameter (IIRC).

Comment 2 Alexander Larsson 2003-01-06 13:02:15 UTC
Yes, the pids hidden are the threads. Use -m to see them.

Note You need to log in before you can comment on or make changes to this bug.