-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday, 2 February 2004 21:37, miguel calero wrote:
> Can someone translate this into plain language? That is, not into
> Spanish, but into non-technical terms. I don't use apt, but I'm really
> curious!

* It is a false positive,

- ----------------------------------------------------------------
I think this is a false positive from chkrootkit. I downloaded the ps
package from ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386 and
indeed there is a "/prof" string in ps and top. But this is ok. The
string is inside .text and is executable code. This is:

    ...
    0x8055205: call 0x8049700 strtoul()
    0x805520a: mov 0xc(%ebp),%edx
    0x805520d: mov %eax,0x1b8(%edx)
    0x8055213: mov %eax,(%edx)
    0x8055215: movl $0x6f72702f,(%esi)    ; /prof
    0x805521b: movw $0x2f63,0x4(%esi)
    0x8055221: mov 0x226fc(%ebx),%eax
    0x8055227: add $0xb,%eax
    0x805522a: mov %eax,0x4(%esp,1)
    0x805522e: lea 0x6(%esi),%eax
    0x8055231: mov %eax,(%esp,1)
    0x8055234: call 0x8049780 strcpy()
    ...

The code in C is:

    pid = strtoul(ent->d_name, NULL, 10);
    memcpy(path, "/proc/", 6);
    strcpy(path+6, ent->d_name);

and comes from the original ps source. The compiler optimized the
memcpy() into a movl+movw since /pro is 32 bit and the remaining 2 bytes
are copied via movw. This just yields the "/prof" string in .text.

regards,
Sebastian
- - ----------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFAHsLMAXFL65CppEIRAoYaAJ4scGzpPpqog9UBHdQNMnsM1VdvOwCdHwth
aHq1uiKWtdQ3MvfQEI8//WI=
=xn7f
-----END PGP SIGNATURE-----
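
Added example, not part of the original message and not code from ps or chkrootkit: the Python sketch below hand-encodes the movl and movw from the quoted disassembly and runs a strings(1)-style scan over the resulting bytes, showing that the final "f" of "/prof" is the first byte of the movw instruction rather than data. The function names are hypothetical; the byte encodings are the standard IA-32 ones, and the example also accepts other 6-byte literals to show the effect is general.

```python
import re

# Standard IA-32 encodings; both instructions are 6 bytes long, matching the
# addresses in the quoted disassembly (0x8055215 -> 0x805521b -> 0x8055221).

def movl_to_esi(imm4: bytes) -> bytes:
    """movl $imm32,(%esi): opcode C7, ModRM 06, then 4 immediate bytes."""
    return b"\xc7\x06" + imm4

def movw_to_esi_disp8(imm2: bytes, disp: int) -> bytes:
    """movw $imm16,disp(%esi): prefix 66, opcode C7, ModRM 46, disp8, imm16."""
    return b"\x66\xc7\x46" + bytes([disp]) + imm2

def inlined_copy(literal6: bytes) -> bytes:
    """Machine code for memcpy(path, literal, 6) inlined as movl + movw."""
    return movl_to_esi(literal6[:4]) + movw_to_esi_disp8(literal6[4:6], 4)

def strings(blob: bytes, min_len: int = 4):
    """Printable-ASCII runs with their offsets, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, blob)]

def explain(literal6: bytes):
    """Return (hit, offset, origin of each byte) for the first string hit."""
    code = inlined_copy(literal6)
    offset, hit = strings(code)[0]
    # Code bytes 2..5 hold the movl immediate; byte 6 begins the movw.
    origin = ["movl immediate" if 2 <= offset + i <= 5 else "movw encoding"
              for i in range(len(hit))]
    return hit, offset, origin

if __name__ == "__main__":
    code = inlined_copy(b"/proc/")  # the literal from the quoted C source
    print(code.hex())
    print(hex(int.from_bytes(b"/pro", "little")), hex(int.from_bytes(b"c/", "little")))
    print(explain(b"/proc/"))
```

The literal "/proc/" never appears contiguously in the emitted bytes, so a signature scan of .text sees "/prof" instead.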