CHKrootkit

Uncle Jean

Nov 7, 2009, 2:20:24 PM

Hi all,

I'm on Slackware 13. Here's what the CHKrootkit scan indicates:

"WARNING: Hard link count is wrong for `/proc' (saw only st_nlink=112 but
we already saw 110 subdirectories): this may be a bug in your file system
driver. Automatically turning on find's -noleaf option. Earlier results
may have failed to include directories that should have been searched."

Any suggestions ?

--
Uncle Jean
http://slacklinux.darkbb.com/index.htm

Grant

Nov 7, 2009, 4:55:28 PM

On Sat, 07 Nov 2009 19:20:24 GMT, Uncle Jean <a...@invalid.com> wrote:

>Hi all,
>
>I'm on Slackware 13. Here's what the CHKrootkit scan indicates:
>
>"WARNING: Hard link count is wrong for `/proc' (saw only st_nlink=112 but
>we already saw 110 subdirectories): this may be a bug in your file system
>driver. Automatically turning on find's -noleaf option. Earlier results
>may have failed to include directories that should have been searched."
>
>Any suggestions ?

/proc is a pseudo filesystem built on demand, exclude it from
this sort of check. I don't think you can create new entries
in /proc.

Grant.
--
http://bugsplatter.id.au

Uncle Jean

Nov 7, 2009, 5:04:11 PM

"Grant" told the uncle and all the others:

> /proc is a pseudo filesystem built on demand, exclude it from this sort
> of check. I don't think you can create new entries in /proc.
>
> Grant.

I see and I thank you, Grant.

Res

Nov 7, 2009, 5:33:08 PM

On Sat, 7 Nov 2009, Uncle Jean wrote:

> Hi all,
>
> I'm on Slackware 13. Here's what the CHKrootkit scan indicates:
> "WARNING: Hard link count is wrong for `/proc' (saw only st_nlink=112 but

What version, 0.49?
What fs?
Are you running this as -q ?

I get emails on output from nightly runs on all of our members/host
servers and I don't see this, can't recall ever seeing it, however we
value our data so use EXT3, certainly not using 13.0's default of EXT4.


--
Res

"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!

Res

Nov 7, 2009, 5:38:37 PM

He shouldn't need to, we don't
$check = `/opt/crk/chkrootkit -q`;

I'm curious if this is yet another ext4 anomaly

Uncle Jean

Nov 7, 2009, 5:47:21 PM

"Res" told the uncle and all the others:

> What version, 0.49?

Yes.

> What fs?

Ext 4.

> Are you running this as -q ?

I just did a scan with -q and I didn't get the warning. But it doesn't
scan as many files this way.



> I get emails on output from nightly runs on all of our members/host
> servers and I don't see this, can't recall ever seeing it, however we
> value our data so use EXT3, certainly not using 13.0's default of EXT4.

OK. Thanks.

Grant

Nov 7, 2009, 7:14:17 PM

Dunno, I've lost interest in testing ext4. I did notice other distros
default to it as well. More filesystem beta testers?

Grant.
--
http://bugsplatter.id.au

steveski

Nov 7, 2009, 7:57:50 PM

Grant wrote:

Are there any concrete advantages to ext4 at the moment? I've installed
Slack 13 with ext4 - should I "downgrade" to ext3 to obviate any problems?
EMWTK :-)

--
Steveski

Grant

Nov 7, 2009, 8:41:08 PM

I'm happy with reiserfs3 -- saw no advantage to ext4 when I tried it
back when it was beta in the kernel -- but I've done no benchmarks.

I wouldn't downgrade from ext4 to ext3 -- the problem I saw recently
on lkml was in development kernel -- but it did give data loss grief.

Ext4 is at that stage of mostly works -- apart from some 'dark
corners' the odd user might discover, only wide general usage
will sort remaining buglets.

Grant.
--
http://bugsplatter.id.au

Res

Nov 7, 2009, 10:53:54 PM

On Sat, 7 Nov 2009, Uncle Jean wrote:

>> What fs?
>
> Ext 4.
>

OK, you might need to wait to see if anyone else running EXT4 has the same
issue, my bet is that's where the problem lies.

>> Are you running this as -q ?
>
> I just did a scan with -q and I didn't get the warning. But it doesn't
> scan as many files this way.

It would be, it's just "quiet mode", reporting on actual/probable risks

Res

Nov 7, 2009, 10:59:39 PM

He's since confirmed it's EXT4, yes, BTW, I agree, anyone using EXT4 is a
BETA tester :) ... ' use ext4 at your own risk' ...

Uncle Jean

Nov 8, 2009, 4:20:25 AM

"Res" told the uncle and all the others:

> It would be, it's just "quiet mode", reporting on actual/probable risks

OK but the scan takes much less time when I add the -q option. What's
the reason for this ?

Res

Nov 8, 2009, 7:31:28 AM

On Sun, 8 Nov 2009, Uncle Jean wrote:

> "Res" told the uncle and all the others:
>
>> It would be, it's just "quiet mode", reporting on actual/probable risks
>
> OK but the scan takes much less time when I add the -q option. What's
> the reason for this ?

no idea, maybe less printing out to the screen, maybe because of RAM, as
you've already run the test.

Uncle Jean

Nov 8, 2009, 8:28:35 AM

"Res" told the uncle and all the others:

> no idea, maybe less printing out to the screen, maybe because of RAM, as
> you've already run the test.

45 seconds VS. 15 seconds ! There's a reason I don't know.

Wild Wizard

Nov 9, 2009, 5:30:26 AM

Res wrote:

> On Sat, 7 Nov 2009, Uncle Jean wrote:
>
>>> What fs?
>>
>> Ext 4.
>>
>
> OK, you might need to wait to see if anyone else running EXT4 has the same
> issue, my bet is that's where the problem lies.
>

root@indigo:~# mount
/dev/root on / type ext4 (rw,barrier=1,data=ordered)

And using chkrootkit-0.49 I don't see the OP's warning message.

I also fail to see how the file system used for / could have any bearing on
another file system mounted using a different file system.
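
The check behind the warning quoted at the top of the thread, relevant to Grant's reply about /proc and to Wild Wizard's remark about separately mounted filesystems, as an added example that is not part of any post: it compares a directory's st_nlink with its real subdirectory count, which is the assumption find's leaf optimisation makes. The function names are illustrative, and GNU stat and GNU find are assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils stat and GNU find.

# classify_nlink NLINK SUBDIRS
# On classic Unix filesystems a directory's st_nlink is 2 + its number of
# subdirectories ("." and its name in the parent, plus ".." in each child).
# find's leaf optimisation relies on that to stop stat()ing entries early.
classify_nlink() {
    nlink=$1
    subdirs=$2
    if [ "$nlink" -lt 2 ]; then
        echo "not-maintained"   # count not kept by this filesystem; nothing to compare
    elif [ "$subdirs" -gt $((nlink - 2)) ]; then
        echo "mismatch"         # more subdirectories than st_nlink promised
    elif [ "$subdirs" -lt $((nlink - 2)) ]; then
        echo "overcount"        # st_nlink promised more subdirectories than exist
    else
        echo "consistent"
    fi
}

# check_dir DIR: print filesystem type, st_nlink, real subdirectory count, verdict.
check_dir() {
    dir=$1
    nlink=$(stat -c %h "$dir" 2>/dev/null) || return 1
    fstype=$(stat -f -c %T "$dir" 2>/dev/null) || fstype=unknown
    # -noleaf makes find examine every entry instead of trusting st_nlink.
    subdirs=$(find "$dir" -noleaf -mindepth 1 -maxdepth 1 -type d -printf x 2>/dev/null | wc -c)
    echo "$dir fstype=$fstype st_nlink=$nlink subdirs=$subdirs $(classify_nlink "$nlink" "$subdirs")"
}

# /proc gains and loses one directory per process, so the two numbers are
# sampled at different moments and can disagree on a healthy system.
check_dir "${1:-/proc}" || true
check_dir / || true
```

The fstype column shows that /proc is served by its own filesystem driver, whatever the root filesystem is.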