Debian Bug report logs - #199653
SIGCHLD being ignored somewhere

Package: general; Maintainer for general is debian-devel@lists.debian.org;

Reported by: Sasha Volkoff <sasha@sextocontinente.org>

Date: Wed, 2 Jul 2003 09:03:03 UTC

Severity: normal

Merged with 206187

Done: Holger Levsen <holger@layer-acht.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#199653; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Sasha Volkoff <sasha@sextocontinente.org>:
New Bug report received and forwarded. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Sasha Volkoff <sasha@sextocontinente.org>
To: submit@bugs.debian.org
Subject: Can't upgrade woody - apt-get update - expected gzip but it wasn't there
Date: Wed, 02 Jul 2003 11:01:17 +0200
Package: apt
Version: 0.5.4
Debian version: woody

Description:
I can't use apt-get update. I get the following error message:
$ apt-get update
Get:1 http://security.debian.org stable/updates/main Packages [130kB]
Get:2 http://security.debian.org stable/updates/main Release [110B]
Err http://security.debian.org stable/updates/main Packages
  Waited, for gzip but it wasn't there
Fetched 130kB in 5s (23.4kB/s)
Failed to fetch 
http://security.debian.org/dists/stable/updates/main/binary-i386/Packages 
Waited, for gzip but it wasn't there
Reading Package Lists... Done
Building Dependency Tree... Done
W: Couldn't stat source package list http://security.debian.org 
stable/updates/main Packages 
(/var/lib/apt/lists/security.debian.org_dists_stable_updates_main_binary-i386_Packages) 
- stat (2 No such file or directory)
W: You may want to run apt-get update to correct these problems
E: Some index files failed to download, they have been ignored, or old ones 
used instead.

This has happened to me ever since I have Debian installed (february 2003), 
but once, about a month ago, it did work and I was able to upgrade my system.

This is the content of my /etc/apt/sources.list:

deb cdrom:[Debian GNU/Linux 3.0 r1 _Woody_ - Official i386 Binary-7 
(20021218)]/ unstable contrib main non-US/contrib non-US/main
deb cdrom:[Debian GNU/Linux 3.0 r1 _Woody_ - Official i386 Binary-6 
(20021218)]/ unstable contrib main non-US/contrib non-US/main
deb cdrom:[Debian GNU/Linux 3.0 r1 _Woody_ - Official i386 Binary-5 
(20021218)]/ unstable contrib main non-US/contrib non-US/main
deb cdrom:[Debian GNU/Linux 3.0 r1 _Woody_ - Official i386 Binary-4 
(20021218)]/ unstable contrib main non-US/contrib non-US/main
deb cdrom:[Debian GNU/Linux 3.0 r1 _Woody_ - Official i386 Binary-3 
(20021218)]/ unstable contrib main non-US/contrib non-US/main
deb cdrom:[Debian GNU/Linux 3.0 r1 _Woody_ - Official i386 Binary-2 
(20021218)]/ unstable contrib main non-US/contrib non-US/main
deb cdrom:[Debian GNU/Linux 3.0 r1 _Woody_ - Official i386 Binary-1 
(20021218)]/ unstable contrib main non-US/contrib non-US/main


#deb http://security.debian.org/ woody/updates main contrib non-free
deb http://security.debian.org/ stable/updates main

The last two lines I have tested uncommenting one or the other with the 
same result.

Kernel: 2.2.20-idepci
Shared C library:  /lib/libc.so.6 -> libc-2.2.5.so

Thanks for your wonderful work.
Regards,
Sasha



**********************************
    sasha@sextocontinente.org
    humanist@terra.es
    http://sextocontinente.org
    Humanizar la Tierra!
**********************************




Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#199653; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #10 received at 199653@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: 199653@bugs.debian.org
Cc: "Anthony R. J. Ball" <ant@suave.net>, Lionell Pack <lionellp@exchange.stargate.net.au>, Sasha Volkoff <sasha@sextocontinente.org>
Subject: Problems with apt, dpkg waiting for gzip
Date: Thu, 17 Jul 2003 16:09:17 -0400
retitle 199653 SIGCHLD being ignored somewhere
reassign 199653 general
thanks

http://lists.debian.org/debian-user/2002/debian-user-200203/msg03490.html

http://lists.debian.org/debian-user/2003/debian-user-200301/msg01498.html

http://lists.debian.org/debian-user-spanish/2002/debian-user-spanish-200211/msg01621.html

http://lists.presso.net/pipermail/allug/2002-April/001056.html

All of these seem to describe the same issue.  Some of the other symptoms
include:

- dpkg trying to wait for gzip, and not finding it, in the same way that apt
  does

- Perl complaining "Can't ignore signal CHLD, forcing to default"

It sounds like the process is inheriting a SIG_IGN action for SIGCHLD from
somewhere, though I have no idea where.  There was a problem with cron doing
this, as discussed in this NetBSD bug report:

http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=11778

but as far as I know, none of these instances involve cron, and this is
fixed in Debian cron anyway since version 3.0pl1-43 (long before woody).
Maybe this is a bug in one of the shells?

I am CCing a the folks from debian-user who experienced this behaviour to
find out more about their environment.  If you could answer these questions:

1. What shell are you using when you experience this problem?

2. Run this command in the environment where you experience the problem:

   perl -w -e ""

   Does it produce any output?  Specifically, this message?

     Can't ignore signal CHLD, forcing to default.

-- 
 - mdz



Changed Bug title. Request was from Matt Zimmerman <mdz@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reassigned from package `apt' to `general'. Request was from Matt Zimmerman <mdz@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#199653; Package general. Full text and rfc822 format available.

Acknowledgement sent to "Anthony R. J. Ball" <ant@suave.net>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. Full text and rfc822 format available.

Message #19 received at 199653@bugs.debian.org (full text, mbox):

From: "Anthony R. J. Ball" <ant@suave.net>
To: Matt Zimmerman <mdz@debian.org>
Cc: 199653@bugs.debian.org, Lionell Pack <lionellp@exchange.stargate.net.au>, Sasha Volkoff <sasha@sextocontinente.org>
Subject: Re: Problems with apt, dpkg waiting for gzip
Date: Thu, 17 Jul 2003 17:25:25 -0400
 I was using bash... but trying other shells did not help (I even
changed my shell, not just running another shell under bash).

 Perl did complain as well. I don't have the problem any more,
reinstalling from scratch helped. I assume it was an old library
somewhere, but I have no idea where. It popped up a couple of
times, but I haven't seen it lately.


On Thu, Jul 17, 2003 at 04:09:17PM -0400, Matt Zimmerman wrote:
> retitle 199653 SIGCHLD being ignored somewhere
> reassign 199653 general
> thanks
> 
> http://lists.debian.org/debian-user/2002/debian-user-200203/msg03490.html
> 
> http://lists.debian.org/debian-user/2003/debian-user-200301/msg01498.html
> 
> http://lists.debian.org/debian-user-spanish/2002/debian-user-spanish-200211/msg01621.html
> 
> http://lists.presso.net/pipermail/allug/2002-April/001056.html
> 
> All of these seem to describe the same issue.  Some of the other symptoms
> include:
> 
> - dpkg trying to wait for gzip, and not finding it, in the same way that apt
>   does
> 
> - Perl complaining "Can't ignore signal CHLD, forcing to default"
> 
> It sounds like the process is inheriting a SIG_IGN action for SIGCHLD from
> somewhere, though I have no idea where.  There was a problem with cron doing
> this, as discussed in this NetBSD bug report:
> 
> http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=11778
> 
> but as far as I know, none of these instances involve cron, and this is
> fixed in Debian cron anyway since version 3.0pl1-43 (long before woody).
> Maybe this is a bug in one of the shells?
> 
> I am CCing a the folks from debian-user who experienced this behaviour to
> find out more about their environment.  If you could answer these questions:
> 
> 1. What shell are you using when you experience this problem?
> 
> 2. Run this command in the environment where you experience the problem:
> 
>    perl -w -e ""
> 
>    Does it produce any output?  Specifically, this message?
> 
>      Can't ignore signal CHLD, forcing to default.
> 
> -- 
>  - mdz

-- 
 ___  __  __    __  _  _  ____    _  _  ____  ____ 
/ __)(  )(  )  /__\( \/ )( ___)  ( \( )( ___)(_  _)
\__ \ )(__)(  /(__)\\  /  )__)    )  (  )__)   )(  
(___/(______)(__)(__)\/  (____)()(_)\_)(____) (__) 
Oooh, a doobie! Let's bogart that fat boy! -Dick, 3rd Rock from Sun




Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#199653; Package general. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. Full text and rfc822 format available.

Message #24 received at 199653@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: "Anthony R. J. Ball" <ant@suave.net>
Cc: 199653@bugs.debian.org, Lionell Pack <lionellp@exchange.stargate.net.au>, Sasha Volkoff <sasha@sextocontinente.org>
Subject: Re: Problems with apt, dpkg waiting for gzip
Date: Thu, 17 Jul 2003 17:28:59 -0400
On Thu, Jul 17, 2003 at 05:25:25PM -0400, Anthony R. J. Ball wrote:

>  I was using bash... but trying other shells did not help (I even
> changed my shell, not just running another shell under bash).
> 
>  Perl did complain as well. I don't have the problem any more,
> reinstalling from scratch helped. I assume it was an old library
> somewhere, but I have no idea where. It popped up a couple of
> times, but I haven't seen it lately.

By what means did you login to the system when you had the problem?
console?  X?  ssh?  telnet?  It could be that one of the programs involved
in setting up your session was at fault.

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#199653; Package general. Full text and rfc822 format available.

Acknowledgement sent to "Anthony R. J. Ball" <ant@suave.net>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. Full text and rfc822 format available.

Message #29 received at 199653@bugs.debian.org (full text, mbox):

From: "Anthony R. J. Ball" <ant@suave.net>
To: Matt Zimmerman <mdz@debian.org>
Cc: 199653@bugs.debian.org, Lionell Pack <lionellp@exchange.stargate.net.au>, Sasha Volkoff <sasha@sextocontinente.org>
Subject: Re: Problems with apt, dpkg waiting for gzip
Date: Thu, 17 Jul 2003 21:50:17 -0400
> By what means did you login to the system when you had the problem?
> console?  X?  ssh?  telnet?  It could be that one of the programs involved
> in setting up your session was at fault.

  I believe ssh and xterm direct on box...

-- 
 ___  __  __    __  _  _  ____    _  _  ____  ____ 
/ __)(  )(  )  /__\( \/ )( ___)  ( \( )( ___)(_  _)
\__ \ )(__)(  /(__)\\  /  )__)    )  (  )__)   )(  
(___/(______)(__)(__)\/  (____)()(_)\_)(____) (__) 
Real radios glow in the dark!




Merged 199653 206187. Request was from Matt Zimmerman <mdz@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#199653; Package general. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. Full text and rfc822 format available.

Message #36 received at 199653@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: debian-devel@lists.debian.org
Cc: 199653@bugs.debian.org
Subject: Re: apt-get problems
Date: Thu, 13 Nov 2003 13:44:25 -0500
On Thu, Nov 13, 2003 at 10:25:13AM +1100, Russell Coker wrote:

> Below are the errors I am getting from apt-get on some machines running
> recent unstable.  Is this a known bug or have I screwed up something?

http://bugs.debian.org/199653

It would be greatly appreciated if you could track this down; there's
information in the BTS that may help.

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#199653; Package general. Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. Full text and rfc822 format available.

Message #41 received at 199653@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Adam Heath <doogie@debian.org>
Cc: <debian-devel@lists.debian.org>, 199653@bugs.debian.org
Subject: Re: apt-get problems
Date: Fri, 14 Nov 2003 11:54:36 +1100
On Thu, 13 Nov 2003 10:59, Adam Heath <doogie@debian.org> wrote:
> Something in your login chain is setting SIGCHLD to ignore.  Check your
> shell, terminal, etc.

Thanks for the information.

I am using pam 0.77 that I compiled myself (Debian is still at 0.76).  0.77 
changes the code for running unix_chkpwd to set SIGCHLD to ignore, it sets it 
back again later but there seems to be a bug in this code.

Adding the option "noreap" to the pam_unix.so line in /etc/pam.d/common-auth 
fixed this (giving pam 0.76 functionality in regard to SIGCHLD).

I don't think that the same problem would occur on a non-SE Linux system (or a 
system running an older version of my SE Linux policy) as it will permit 
direct /etc/shadow access and not need unix_chkpwd to be run from the login 
process.

Also I have not compiled pam 0.77 for woody, so the problems experienced by 
woody users could not be related unless someone else has built it.





Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#199653; Package general. Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. Full text and rfc822 format available.

Message #46 received at 199653@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: <debian-devel@lists.debian.org>
Cc: 199653@bugs.debian.org, hartmans@debian.org
Subject: Re: apt-get problems
Date: Sat, 15 Nov 2003 11:33:14 +1100
[Message part 1 (text/plain, inline)]
On Fri, 14 Nov 2003 11:54, Russell Coker <russell@coker.com.au> wrote:
> On Thu, 13 Nov 2003 10:59, Adam Heath <doogie@debian.org> wrote:
> > Something in your login chain is setting SIGCHLD to ignore.  Check your
> > shell, terminal, etc.
>
> Thanks for the information.
>
> I am using pam 0.77 that I compiled myself (Debian is still at 0.76).  0.77
> changes the code for running unix_chkpwd to set SIGCHLD to ignore, it sets
> it back again later but there seems to be a bug in this code.

I've attached a patch from Red Hat to solve this pam bug, it will need to be 
included when we get Debian packages of pam 0.77.
[pam-0.77-sigchld.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#199653; Package general. Full text and rfc822 format available.

Acknowledgement sent to MarkBaker@nanometrics.ca:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. Full text and rfc822 format available.

Message #51 received at 199653@bugs.debian.org (full text, mbox):

From: MarkBaker@nanometrics.ca
To: 199653@bugs.debian.org
Subject: Shell change fixed this for me
Date: Mon, 15 Mar 2004 09:35:31 -0500



FWIW, I was having the same problem that this bug describes (on a fresh
woody install, i386), so I tried changing my shell as somebody suggested
(from bash to zsh).  That seemed to fix my problem.




Information forwarded to debian-bugs-dist@lists.debian.org, <debian-devel@lists.debian.org>:
Bug#199653; Package general. Full text and rfc822 format available.

Acknowledgement sent to Mike Nugent <mike@illuminatus.org>:
Extra info received and forwarded to list. Copy sent to <debian-devel@lists.debian.org>. Full text and rfc822 format available.

Message #56 received at 199653@bugs.debian.org (full text, mbox):

From: Mike Nugent <mike@illuminatus.org>
To: 199653@bugs.debian.org
Subject: re: debian bugs 199653 and 206187
Date: Wed, 07 Jul 2004 01:07:11 -0700
[Message part 1 (text/plain, inline)]
We originally found that we got this while updating:
Perl complaining "Can't ignore signal CHLD, forcing to default"

After trying a few different shells and subshells as described on the
group, we started writing pieces of code to decipher this.  gzip turned
out to be the key.

When running this code:
#include<signal.h>

int main(int argc, char *argv[]) {
  struct sigaction old_action, new_action;

  new_action.sa_handler = SIG_IGN;
  old_action.sa_handler = SIG_DFL;

  sigaction(SIGINT, &new_action, &old_action);
  return 0;
}

The strace should be as follows (known good system) as both a user and
root:
execve("./mike-sigaction", ["./mike-sigaction"], [/* 16 vars */]) = 0
uname({sys="Linux", node="bard", ...})  = 0
brk(0)                                  = 0x80495dc
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x40017000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=20735, ...}) = 0
old_mmap(NULL, 20735, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40018000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
directory)
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200^\1"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=1244004, ...}) = 0
old_mmap(NULL, 1254244, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
0x4001e000
old_mmap(0x40146000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED,
3, 0x127000) = 0x40146000
old_mmap(0x4014e000, 9060, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4014e000
close(3)
munmap(0x40018000, 20735)               = 0
rt_sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 8) = 0
exit_group(0)

Instead, we got this as a local user:
execve("./mike-sigaction", ["./mike-sigaction"], [/* 13 vars */]) = 0
uname({sys="Linux", node="capitalzero.net", ...}) = 0
brk(0)                                  = 0x8049678
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x40017000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=20017, ...}) = 0
old_mmap(NULL, 20017, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40018000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
directory)
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200^\1"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=1243856, ...}) = 0
old_mmap(NULL, 1254020, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
0x4001d000
old_mmap(0x40145000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED,
3, 0x127000) = 0x40145000
old_mmap(0x4014d000, 8836, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4014d000
close(3)                                = 0
munmap(0x40018000, 20017)               = 0
fork()                                  = 919
rt_sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 8) = 0
semget(IPC_PRIVATE, 0, 0)               = -1 ENOSYS (Function not
implemented)
_exit(0)                                = ?

Notice the fork and the semget near the bottom.  As root it becomes more
clear:
uname({sys="Linux", node="capitalzero.net", ...}) = 0
brk(0)                                  = 0x8049678
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x40017000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY)      = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=20017, ...}) = 0
old_mmap(NULL, 20017, PROT_READ, MAP_PRIVATE, 5, 0) = 0x40018000
close(5)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
directory)
open("/lib/libc.so.6", O_RDONLY)        = 5
read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200^\1"...,
512) = 512
fstat64(5, {st_mode=S_IFREG|0644, st_size=1243856, ...}) = 0
old_mmap(NULL, 1254020, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) =
0x4001d000
old_mmap(0x40145000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED,
5, 0x127000) = 0x40145000
old_mmap(0x4014d000, 8836, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4014d000
close(5)                                = 0
munmap(0x40018000, 20017)               = 0
open("/proc/uptime", O_RDONLY)          = 5
read(5, "11928.65 3908.37\n", 128)      = 17       
close(5)                                = 0
getpid()                                = 9278
getpid()                                = 9278
open("/proc/9278/exe", O_RDONLY)        = 5
read(5, "\177ELF\1\1\1\0\0\0\2\0\312@\0\0\2\0\3\0\1\0\0\0T\205\4"...,
52) = 52
lseek(5, 16586, SEEK_SET)               = 16586
fstat(5, {st_mode=S_IFREG|0755, st_size=21249, ...}) = 0
brk(0)                                  = 0x8049678
brk(0x804a8af)                          = 0x804a8af
read(5, "\351\337\21\0\0\215v\0U\211\345\213D$\10\315\200\311\303"...,
4663) = 4663
close(5)                                = 0
signal(SIGCHLD, SIG_IGN)                = 0 (SIG_DFL)
getpid()                                = 9278
pipe([5, 6])                            = 0
fork()                                  = 9281
--- SIGCHLD (Child exited) ---
read(5, "\376", 1)                      = 1
rt_sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 8) = 0
semget(IPC_PRIVATE, 0, 0)               = -1 ENOSYS (Function not
implemented)
_exit(0)                                = ?

Also, /bin/gzip's timestamp changes constantly and stripping /bin/gzip
causes the file to increase in size continually.  It looks like it's
appending it's own code over and over.  Reinstalling gzip causes the
gzip to be updated immediately.

dd bs=1 skip=49320 if=gzip of=tmp.gzip will show the appended code. 
Interestingly a portion of the hexdump matches the hexdump from
mydoom.a.  http://www.css-auth.com/mydoom.a/ has information on that and
the hexdump is available as a link off that page.  The code matches up
at around 0002070.  Look for 0000 0000 3096 7707 612c ee0e 51ba 9909. 
Our hex dump is at http://www.crackfiend.org/hack/trojan/ in the
appended-code.hex file.  It matches around 0000600.  I'm not sure what
significance this has, but it's certainly strange.  Possibly just a
payload.

Also, there's a socket open.  UDP port 3049 in our case.

So this seems to be a rootkit, not a bug.  I would suggest that anyone
with this issue check into it.

Please email if you have any questions.

Mike Nugent <wildcard@illuminatus.org>
Pete Lypkie <plypkie@sfu.ca>

-- 
Mike Nugent
Programmer/Author/Unix Expert
mike@illuminatus.org
"I believe the use of noise to make music will increase
until we reach a music produced through the aid of
electrical instruments which will make available for
musical purposes any and all sounds that can be heard."
 -- composer John Cage, 1937

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, <debian-devel@lists.debian.org>:
Bug#199653; Package general. Full text and rfc822 format available.

Acknowledgement sent to browaeys.alban@wanadoo.fr:
Extra info received and forwarded to list. Copy sent to <debian-devel@lists.debian.org>. Full text and rfc822 format available.

Message #61 received at 199653@bugs.debian.org (full text, mbox):

From: browaeys.alban@wanadoo.fr
To: 199653@bugs.debian.org
Subject: re: debian bugs 199653 and 206187
Date: Tue, 25 Jan 2005 12:25:25 +0100
f this is a rootkit , are on of chkrootkit, rkunter, tiger or other
 able to detect it ?

Thanks
Alban




Reply sent to Holger Levsen <holger@layer-acht.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Sasha Volkoff <sasha@sextocontinente.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #66 received at 199653-done@bugs.debian.org (full text, mbox):

From: Holger Levsen <holger@layer-acht.org>
To: 199653-done@bugs.debian.org
Subject: closing this 5 year old bug about a rootkit on someones computer :-)
Date: Wed, 3 Sep 2008 17:14:23 +0200
[Message part 1 (text/plain, inline)]
Hi,

yes, right.


regards,
	Holger
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Holger Levsen <holger@layer-acht.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Sasha Volkoff <sasha@sextocontinente.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 02 Oct 2008 07:27:58 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 12:22:35 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.