Mysterious file corruption after cron.daily execution
Casper Pedersen
cpedersen at c-note.dk
Mon Jan 5 23:23:47 UTC 2004
I had the same problem. The issue is prelink (/etc/cron.daily/prelink),
and the only way I found to solve the issue is to move prelink out of
the cron.daily directory.
After that remove /usr/lib/AntiVir/antivir and reinstall the antivirus
toolkit.
Regards/Casper
On Tue, 2004-01-06 at 00:03, John Stroud wrote:
> I need a little help trying to solve a fedora-related mystery... I'm hoping someone has seen this or has some magical insight...
>
> The executable file /usr/bin/AntiVir/antivir (http://www.hbedv.com/) is getting modified sometime during or after the default cron.daily run. After the cron job the file is 1160 bytes longer than it was prior. (See [1])
>
> There are no direct log entries in /var/log/messages indicating why this might be. Additionally, the timestamp on the file is not changed. Here is what I find in pertinent areas. Notice the antivir binary runs correctly before the cron job, and fails after... (It's a one hour cron in the root crontab entry, and the preceding 11 runs are all good.) (See [2.1/2.2]
>
> Some notes on what I've looked at:
> This anomaly occurs on two different Fedora Core 1 + 'yum update' installs using the same tarball to install antivir and the same iso images to install Fedora.
>
> One machine is running the AMD kernel, while the other is running i686. (The AMD uname is not included, as I repartioned it and installed RH9, below)
> uname -a
> Linux everwood.amberorder.com 2.4.22-1.2135.nptl #1 Mon Dec 15 15:55:18 EST 2003 i686 i686 i386 GNU/Linux)
>
> This anomaly does NOT occur on RH9 + 'up2date -u' on 1/3/2004 with AMD kernel.
> uname -a
> Linux serendipity.amberorder.com 2.4.20-27.9 #1 Thu Dec 11 14:01:47 EST 2003 i686 athlon i386 GNU/Linux
>
> In all corruption cases, copying a backup binary over the corrupted one alleviates the symptom until the next cron.daily runs at ~4:00am local time.
>
> Any thoughts appreciated... thanks!
>
> ----------
>
> [1]
> Prior to event:
> [root at everwood bear]# ls -l /usr/lib/AntiVir/antivir
> -rwx------ 1 uucp uucp 730624 Jan 4 10:28 antivir
>
> After the mysterious event:
> [root at everwood bear]# ls -l /usr/lib/AntiVir/antivir
> -rwx------ 1 uucp uucp 731784 Jan 4 10:28 antivir
>
> [2.1]
> LOG:
> tail -n20 /var/log/messages.1
>
> <Note: antivir checks for previous hourly runs are the same as 7993 below, or it updates itself, if update available>
> Jan 4 03:35:03 everwood antivir[7993]: AntiVir is up-to-date
> Jan 4 03:44:17 everwood dhcpd: Wrote 4 leases to leases file.
> Jan 4 03:44:17 everwood dhcpd: DHCPREQUEST for 192.168.100.252 from 00:02:2d:28:9a:83 (osprey) via eth0
> Jan 4 03:44:17 everwood dhcpd: DHCPACK on 192.168.100.252 to 00:02:2d:28:9a:83 (osprey) via eth0
> Jan 4 04:02:12 everwood cups: cupsd shutdown succeeded
> Jan 4 04:02:15 everwood modprobe: modprobe: Can't locate module char-major-188
> Jan 4 04:02:15 everwood last message repeated 15 times
> Jan 4 04:02:16 everwood cups: cupsd startup succeeded
>
> ------------
> [2.2]
> more /var/log/messages
>
> Jan 4 04:02:17 everwood syslogd 1.4.1: restart.
> Jan 4 04:05:55 everwood init: Trying to re-exec init
> Jan 4 04:35:00 everwood antivir[15093]: Error: integrity selftest FAILED
> Jan 4 04:35:00 everwood antivir[15093]: Error: unable to initialize engine (/usr/lib/AntiVir/antivir : /usr/lib/AntiVir/antivir.vdf)
>
> --
> John Stroud Senior System Admin
> Piedmont, CA 510-501-9173 (Cell)
--
GPG Public key is available from: http://www.keyserver.net/
Fingerprint = 56ED 74A4 7B00 20E2 B493 0C1A 6B4E BF8F A086 FE57
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20040106/f074417f/attachment-0001.sig>
More information about the fedora-list
mailing list