Home / server / Questions / 454285
Accepted
user1821484
Asked: 2012-12-03 03:27:03 +0800 CST

chkrootkit results - php session files not found

  • 772

From time to time when I run chkrootkit I get the following results:

Searching for suspect PHP files...                          
/usr/bin/find: `/tmp/sess_nq0tiekcsl41jb93795gnrug54': No such file or directory
/usr/bin/find: `/tmp/sess_s904a26ph28gpspdh1bpke6fg6': No such file or directory
/usr/bin/find: `/tmp/sess_5efg9ic1bebo93q1c2c9d86qu3': No such file or directory

It happends not often - maybe 1 of 50 scans show this.

What does it mean?

security

1 Answers

  1. Best Answer

    The part of chkrootkit you are looking at is this:

    ###
### Suspect PHP files
###
if [ "${QUIET}" != "t" ]; then
   printn "Searching for suspect PHP files... "; fi
   files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name '*.php' 2> /dev/null`"
   fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -1 {} \; | grep php 2> /dev/null`"
if [ "${files}" = "" -a "${fileshead}" = "" ]; then
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
  echo "${files}"
  echo "${fileshead}"
fi

    And it's the second find command that is causing the error. The problem is that there is a race condition between the find command finding a file and when it gets to the -exec part and runs head on the file. In between these two moments, another process is deleting some of the old, expired PHP session files.

    In Debian-based distros, this is usually a cron job in /etc/cron.d/php5 that runs at 9 and 39 minutes past each hour. I'm not sure what RedHat-based distros do and, of course, this is customisable. PHP has a built-in mechanism to trigger off a session-cleaning thread with a 1 in 1000 probability (this probability is also configurable) on every request.

    Your 1 in 50 rate is probably a result of the slight variations in whichever mechanism is deleting your old PHP session files.

    • 2