Mysterious file corruption after cron.daily execution

Casper Pedersen cpedersen at c-note.dk
Mon Jan 5 23:23:47 UTC 2004


I had the same problem. The issue is prelink (/etc/cron.daily/prelink),
and the only way I found to solve the issue is to move prelink out of
the cron.daily directory.

After that remove /usr/lib/AntiVir/antivir and reinstall the antivirus
toolkit.

Regards/Casper

On Tue, 2004-01-06 at 00:03, John Stroud wrote:
> I need a little help trying to solve a fedora-related mystery...  I'm hoping someone has seen this or has some magical insight...
> 
> The executable file /usr/bin/AntiVir/antivir (http://www.hbedv.com/) is getting modified sometime during or after the default cron.daily run.  After the cron job the file is 1160 bytes longer than it was prior.  (See [1])
> 
> There are no direct log entries in /var/log/messages indicating why this might be.  Additionally, the timestamp on the file is not changed.  Here is what I find in pertinent areas. Notice the antivir binary runs correctly before the cron job, and fails after... (It's a one hour cron in the root crontab entry, and the preceding 11 runs are all good.) (See [2.1/2.2]
> 
> Some notes on what I've looked at:
> This anomaly occurs on two different Fedora Core 1 + 'yum update' installs using the same tarball to install antivir and the same iso images to install Fedora.  
> 
> One machine is running the AMD kernel, while the other is running i686. (The AMD uname is not included, as I repartioned it and installed RH9, below)
> uname -a
> Linux everwood.amberorder.com 2.4.22-1.2135.nptl #1 Mon Dec 15 15:55:18 EST 2003 i686 i686 i386 GNU/Linux)
> 
> This anomaly does NOT occur on RH9 + 'up2date -u' on 1/3/2004 with AMD kernel.
> uname -a
> Linux serendipity.amberorder.com 2.4.20-27.9 #1 Thu Dec 11 14:01:47 EST 2003 i686 athlon i386 GNU/Linux
> 
> In all corruption cases, copying a backup binary over the corrupted one alleviates the symptom until the next cron.daily runs at ~4:00am local time.
> 
> Any thoughts appreciated... thanks!
> 
> ----------
> 
> [1]
> Prior to event:
> [root at everwood bear]# ls -l /usr/lib/AntiVir/antivir
> -rwx------    1 uucp     uucp       730624 Jan  4 10:28 antivir
> 
> After the mysterious event:
> [root at everwood bear]# ls -l /usr/lib/AntiVir/antivir
> -rwx------    1 uucp     uucp       731784 Jan  4 10:28 antivir
> 
> [2.1]
> LOG:
> tail -n20 /var/log/messages.1
> 
> <Note: antivir checks for previous hourly runs are the same as 7993 below, or it updates itself, if update available>
> Jan  4 03:35:03 everwood antivir[7993]: AntiVir is up-to-date 
> Jan  4 03:44:17 everwood dhcpd: Wrote 4 leases to leases file.
> Jan  4 03:44:17 everwood dhcpd: DHCPREQUEST for 192.168.100.252 from 00:02:2d:28:9a:83 (osprey) via eth0
> Jan  4 03:44:17 everwood dhcpd: DHCPACK on 192.168.100.252 to 00:02:2d:28:9a:83 (osprey) via eth0
> Jan  4 04:02:12 everwood cups: cupsd shutdown succeeded
> Jan  4 04:02:15 everwood modprobe: modprobe: Can't locate module char-major-188
> Jan  4 04:02:15 everwood last message repeated 15 times
> Jan  4 04:02:16 everwood cups: cupsd startup succeeded
> 
> ------------
> [2.2]
> more /var/log/messages
> 
> Jan  4 04:02:17 everwood syslogd 1.4.1: restart.
> Jan  4 04:05:55 everwood init: Trying to re-exec init
> Jan  4 04:35:00 everwood antivir[15093]: Error: integrity selftest FAILED 
> Jan  4 04:35:00 everwood antivir[15093]: Error: unable to initialize engine (/usr/lib/AntiVir/antivir : /usr/lib/AntiVir/antivir.vdf)
> 
> -- 
> John Stroud               Senior System Admin
> Piedmont, CA	          510-501-9173 (Cell)	 
-- 
GPG Public key is available from: http://www.keyserver.net/
Fingerprint = 56ED 74A4 7B00 20E2 B493 0C1A 6B4E BF8F A086 FE57

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20040106/f074417f/attachment-0001.sig>


More information about the fedora-list mailing list