keeps running old process

jonn

Having a complex time with processes being run even though they get restarted.

Every morning the same emails arrive.

Time: Sat Jan 29 05:02:19 2011 +0100
PID: 13564
Account: mysql
Uptime: 83221 seconds


Executable:

/usr/sbin/mysqld\00#prelink#.FTbVPY (deleted)

---------------------------- next email.

Time: Sat Jan 29 05:02:19 2011 +0100
PID: 13469
Account: haldaemon
Uptime: 83247 seconds


Executable:

/usr/libexec/hald-addon-acpi\00#prelink#.aAia1o (deleted)

------------------------------ next email.

Time: Sat Jan 29 05:02:19 2011 +0100
PID: 13611
Account: ftp
Uptime: 83177 seconds


Executable:

/usr/sbin/proftpd\00#prelink#.QJhFCG (deleted)

------------------------------ next email.

Time: Sat Jan 29 05:02:19 2011 +0100
PID: 13461
Account: haldaemon
Uptime: 83247 seconds


Executable:

/usr/sbin/hald\00#prelink#.0Y2fyv (deleted)

------------------------------ next email.

Time: Sat Jan 29 05:02:19 2011 +0100
PID: 13471
Account: haldaemon
Uptime: 83246 seconds


Executable:

/usr/libexec/hald-addon-keyboard.#prelink#.Hi4zaj (deleted)

------------------------------ next email.

THEN an email with about 100+ lines
email subject: System Integrity checking detected a modified system file


and that's the end of those emails.

part of it...

Time: Sat Jan 29 05:00:19 2011 +0100

The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

/usr/bin/[: FAILED
/usr/bin/a2p: FAILED
/usr/bin/aafire: FAILED
/usr/bin/aainfo: FAILED
/usr/bin/aasavefont: FAILED
/usr/bin/aatest: FAILED
/usr/bin/addftinfo: FAILED
/usr/bin/addr2line: FAILED
/usr/bin/amrnb-decoder: FAILED
/usr/bin/amrnb-decoder-etsi: FAILED
/usr/bin/amrnb-decoder-if2: FAILED
/usr/bin/amrnb-encoder: FAILED
/

so on and so on.....
I have restarted all the services mentioned but the next morning again the same emails.
Am I missing a service I haven't restarted?
Or is it something to do with prelink?

These emails only started since update
./build update
./build all

and an update to configs firewall to 5.15.

cheers.
 
Actually I did some more research because I just got the second round of the same emails as expected in 1 hour like clockwork, excluding the (System Integrity checking detected a modified system file) email; that one only arrives once since the update. Has it got something to do with a configserver script false positive? They think so, but that shouldn't be right. It's a warning, they say ignore it.

Anyone else getting the same emails once or twice a day since update? :confused:

As far as I have read in many forums here and elsewhere plus articles, if prelink fails too many times good server system files can get corrupted. :eek:
 
okay, was wondering whether the old linux kernel files might not be getting removed after update and conflicting,

installed kernel:
# rpm -q kernel

output:
kernel-2.6.18-164.9.1.el5 [removed]
kernel-2.6.18-164.11.1.el5 [current]

then I did.
rpm -e kernel-2.6.18-164.9.1.el5

did that, and it was removed successfully. hmm what else might be old.
 
%$#@ truck

Nope, still got the same damn emails again this morning. Then bumped my cup of coffee all over the table.. :( typical.
It was really nice as well, just the right flavor that makes you go
"mmmm needed that".

#$@% $%^# &^%$ *&^% fire truck

x86_64 is starting to be a minor irritant that is growing into a rage quit.
 
Start by forgetting about everything you already did... if you need to you can always look at this thread to refresh your memory.

Next, post to the forum as an attachment a complete email including all the headers, so we'll get an idea of what is sending the email.

And switch to cooler beverage so you won't burn yourself :).

Jeff
 
rebooted, turned off cron for rkhunter and chkrootkit in the morning of course
after spitting the dummy "spit spit" in a quiet but elegant way as to seem like I got it together with a slight twitch and shoulder jump, as the nose hairs sway in and out, in and out of my nostrils widening the passage, I wipe the condensation on the lcd screen in a craze trying to see where I'm going, gotta keep the screen clean I could crash into a window or bother letter "B" and get stung.

Restarted services 9:30 am prior day and rage quit. blahh [spit spit] and got on call of duty and took out as many noobs as I could, wow that cleared the mind.
Hmm post office always wanted to deliver mail, no no get back to what you are doing jonn, focus focus..

/etc/init.d/haldaemon restart
/etc/init.d/proftpd restart
/etc/init.d/mysqld restart
/etc/init.d/avahi-daemon stop
/etc/init.d/mysqld restart
/etc/init.d/httpd restart

this morning no emails, what the basooka. okay deep breath, why this morning.
hmm not going to talk to computer like that, I love my wittle computy, everything is updated. I'm starting to wonder if cron is broken somewhere. 'Cause if tomorrow it does it again I'm going to looooooose it!

..
okay I gotta finish my sons game site i'll do that.
 
That email, if I'm not wrong, comes from csf firewall; I'm having those emails too.

Seems that you need to add the mysql (and other trusted) executable file in /etc/csf/csf.pignore

and then restart csf.

Hope it helps.

Regards
 
@SeLLeRoNe you are correct it is the firewall .

Was running 5.13 with no problems, firewall was then upgraded to 5.15 then the emails started, but only 5 emails once in the morning.
Then another upgrade was done the 2nd day upgraded to 5.16, now emails are coming every hour, that was a couple of days ago.

I was only away in Brisbane for 2 days and 340+ emails.
:eek: fire engine.

Nope, it's not the csf.pignore list because all the services that are shown as problem in email exist in csf.pignore list, besides that was the first thing I thought of when the emails first started.

However thx for the suggestion SeLLeRoNe.

I'm thinking of re-installing the firewall to default settings and go from there, see if there is an upgrade conflict.

anywho... :cool:
 
No uninstall and re-install gave csf a nitro boost and the emails came in every 3 minutes..hahaha.

:eek: Holy moly!

I immediately went straight in and blocked in csf.pignore.txt under csf lfd configs for exe:

.....below part of csf.pignore.txt
exe:/usr/libexec/dovecot/anvil

cmd:dbus-daemon
cmd:named
cmd:hald
cmd:hald-addon-acpi
cmd:hald-addon-keyboard
cmd: proftpd
Stopped it lickity split.

Scenario problem:
Will I now not receive important alerts that actually mean something because of blocking the command? Hmm,
I'll have to watch that over time.

Still doesn't answer why files that are deleted are being run even after restart to offending services.
There can be only one explanation, false positive. After reading csf forums this problem has been mentioned a few hundred times.

Food for thought: maybe csf is just too sensitive for its own good.

again, no re-install made it very mad, mad I tell you, muhahahahaha!

so at your own risk
Try blocking the command line name.
cmd:name

cheers for now.

tmp solved.:D
 
Nope, I retract my last statement. They're back again!! Every hour.

Oh scoot is this the warm up to another round of emails every 3 minutes.
Bring it LFD bring it, muhahahahaha!

Its just like a thriller. :eek:
 
mmmh... I usually put exe:COMMAND_PATH and not cmd:COMMAND_PATH

Why do you use cmd:?

And, cmd: proftpd has a space that may cause some trouble.. and... using the full path is for sure more correct I think ^^
 
@SeLLeRoNe

I placed a space in because it looked like this when I posted.
cmd:proftpd - ie little smiley so a space was put for the board only.

Well cmd is the command line only as far as I have read.

cmd:command

Also to note, after yesterday's attempt, the emails still were coming in, so I decided to restart the proftp service one more time but this time I did it 5 times one after the other.

service proftpd restart
service proftpd restart
service proftpd restart
service proftpd restart
service proftpd restart

Waited 3 hours and it seemed to stop the email for proftp alerts of old process. Now I'm not 100% certain this has done it, only time will tell.

So I rinsed and repeated for the other services that I got emails from.
Did them 5 times each, however this time I waited for at least 3 hours between each one to make sure that the service stopped playing an old tune.

So far so good, I won't really know until 2pm today, so if the emails stop I will do some further scenario tests without the cmd:command in csf.pignore file.

peace.
 
2pm hits and emails are back again just like clockwork, every hour on the dot. It's like The Terminator, "I'll Be Back".
Something is amiss.
------

just set PT_DELETED = 0 in configs.
configserver.com reckon it should stop the emails.

Also it's related to CentOS, that's why nobody else here
is getting the problem, just CentOS users
by the looks of it.
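
An added example, not part of any post in this thread and not csf/lfd code: a Python check that reads each `/proc/<pid>/exe` link and separates targets carrying the `#prelink#` temp-file name quoted in the alert emails from other unlinked executables, which is the distinction worth confirming before silencing the alerts with `PT_DELETED = 0` or `csf.pignore`. The names `classify` and `scan` are made up for this sketch; run it as root on Linux to see every process.

```python
import os
import re

# Link target of a process whose binary carries the prelink temp-file name, as
# quoted in the alert emails. The separator before "#prelink#" appears there
# both as "." and as a literal "\00", so both are accepted.
PRELINK_RE = re.compile(
    r"^(?P<orig>/.+?)(?:\.|\\00)#prelink#\.[A-Za-z0-9]{6} \(deleted\)$"
)
DELETED_SUFFIX = " (deleted)"


def classify(target):
    """Return (kind, original_path) for one /proc/<pid>/exe link target."""
    match = PRELINK_RE.match(target)
    if match:
        return "prelink", match.group("orig")
    if target.endswith(DELETED_SUFFIX):
        return "deleted", target[: -len(DELETED_SUFFIX)]
    return "ok", target


def scan(proc="/proc"):
    """Return sorted (pid, kind, path) for processes running an unlinked binary."""
    found = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            target = os.readlink(os.path.join(proc, pid, "exe"))
        except OSError:  # kernel thread, exited process, or no permission
            continue
        kind, path = classify(target)
        if kind != "ok":
            found.append((int(pid), kind, path))
    return sorted(found)


if __name__ == "__main__":
    # "prelink" rows carry the temp-file name seen in the emails; "deleted"
    # rows are unlinked binaries without it and deserve a closer look.
    for pid, kind, path in scan():
        on_disk = "present" if os.path.exists(path) else "missing"
        print(f"{pid:>7}  {kind:<8} {path}  (on disk: {on_disk})")
```
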
 
"I placed a space in because it looked like this when I posted.
cmd:proftpd - ie little smiley so a space was put for the board only."

Unfortunately this is not a fix for the problem. I have no idea why you have the problem. This is an answer, though, to the problem of the smiley.

Simply check Disable smilies in text before you save, so the smileys will go away.

Jeff
 
Never said it was a fix, however it did stop the 120+ emails I keep getting every day on the hour for this. I had enough of it, was pulling my hair out.
 
I'm sorry I wasn't more clear; I mean that my reply isn't a fix for the problem, but only an explanation of how to keep the forum software from inserting unwanted smileys.

Jeff
 