chkrootkit: scans remote shares, causing excessive NFS traffic

Johann C. Rocholl debian at jogg.de
Sun Oct 28 16:00:59 UTC 2007


Package: chkrootkit
Version: 0.47-1build1
Severity: normal
Tags: patch

I have an NFS share mounted under /var. The daily run of chkrootkit 
produces a lot of NFS traffic with the following command:

/usr/bin/find /dev /tmp /lib /etc /var ! -fstype nfs ( -name tcp.log
-o -name .linux-sniff -o -name sniff-l0g -o -name core_ ) 2>/dev/null

The problem seems to be that "! -fstype nfs" still descends into NFS
mounts; it only ignores all the files that it finds there. You have to
use -prune to stop it from descending into NFS mounts. The attached
patch does that.

The NFS scan is a serious problem because I have 300 GB in small
files on that share, so I get 600 requests/sec for a full hour.

-- System Information:
Debian Release: 4.0
  APT prefers feisty-updates
  APT policy: (500, 'feisty-updates'), (500, 'feisty-security'), (500, 'feisty')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.20-16-server
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages chkrootkit depends on:
ii  binutils       2.17.20070103cvs-0ubuntu2 The GNU assembler, linker and bina
ii  debconf [debco 1.5.13ubuntu1             Debian configuration management sy
ii  libc6          2.5-0ubuntu14             GNU C Library: Shared libraries
ii  net-tools      1.60-17ubuntu1            The NET-3 networking toolkit
ii  procps         1:3.2.7-3ubuntu2          /proc file system utilities

chkrootkit recommends no packages.

-- debconf information excluded
-------------- next part --------------
--- chkrootkit.orig	2007-10-28 09:24:34.000000000 -0400
+++ chkrootkit.patched	2007-10-28 09:24:15.000000000 -0400
@@ -1176,12 +1176,9 @@
 {
    ## Check if -fstype nfs works
    findargs=""
-   if find /etc -maxdepth 0 >/dev/null 2>&1; then
-        find /etc ! -fstype nfs -maxdepth 0 >/dev/null 2>&1 && \
-           findargs="! -fstype nfs "
-   elif find /etc -prune > /dev/null 2>&1; then
+   if find /etc -prune > /dev/null 2>&1; then
         find /etc ! -fstype nfs -prune > /dev/null 2>&1 && \
-           findargs="! -fstype nfs "
+           findargs="-fstype nfs -prune -false -o"
    fi
 }
 
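Review bot: the probe kept on the `find /etc ! -fstype nfs -prune` line still tests the old expression, not the one the next line now assigns, and the new expression relies on `-false`, which GNU find has but POSIX find does not define. On a find without it the probe succeeds, findargs gets set, and the real scan (run with `2>/dev/null` as the reporter's command line shows) aborts with an unknown-primary error and reports nothing at all, which is worse than the extra NFS traffic. Probe with the exact expression being assigned, e.g. `find /etc -fstype nfs -prune -false -o -name . > /dev/null 2>&1 && findargs="-fstype nfs -prune -false -o"`. Also worth a comment in the hunk: with the `-maxdepth 0` branch dropped, findargs stays empty whenever the probe fails, so the fallback is the old full traversal of NFS mounts rather than an error.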


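The report and the patch turn on one detail of find's expression evaluation: a negated test such as `! -fstype nfs` only decides whether an entry is printed, while `-prune` decides whether find descends at all, and `-false` keeps the pruned mount point itself out of the output. The script below is an added example, not code from the bug report or from chkrootkit. No NFS mount is available in a sandbox, so `-path "$root/nfs_mount*"` stands in for `-fstype nfs` (true for the fake mount point and everything beneath it), and the directory tree is constructed on the fly. A leading `-print` is used purely as instrumentation to list every entry find reaches.

```sh
#!/bin/sh
# Added example (not from the bug report or chkrootkit). Compares three skip
# expressions in front of chkrootkit's name tests:
#   buggy   : ! -path PATTERN                       (what "! -fstype nfs" does)
#   no-false: -path PATTERN -prune -o               (prunes, but prints the mount point)
#   patched : -path PATTERN -prune -false -o        (what the patch assigns)
# "-path $root/nfs_mount*" stands in for "-fstype nfs" because no NFS mount
# exists here; it is true for the fake mount point and everything below it.

# Constructed tree: a local subtree and a fake "mount" with a deep subtree,
# both containing names chkrootkit's sniffer-log check looks for.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/local/sub" "$root/nfs_mount/a/b/c"
    : > "$root/local/sub/tcp.log"
    : > "$root/nfs_mount/a/b/c/tcp.log"
    : > "$root/nfs_mount/a/core_"
    printf '%s\n' "$root"
}

# Number of entries find actually reaches while evaluating the skip expression
# given in $2... A leading -print fires for every visited entry before the rest
# of the expression runs; because an explicit action is present, the default
# -print on the name tests is suppressed, so the output is exactly the visit list.
visited_count() {
    root=$1; shift
    find "$root" -print "$@" \( -name tcp.log -o -name core_ \) 2>/dev/null \
        | wc -l | tr -d ' '
}

# What the scan reports: the skip expression in $2... in front of the same
# name tests chkrootkit uses, relying on find's default -print.
matches() {
    root=$1; shift
    find "$root" "$@" \( -name tcp.log -o -name core_ \) 2>/dev/null | sort
}

match_count() { matches "$@" | wc -l | tr -d ' '; }

# Demo run: the buggy form matches the same files as the patched form but
# walks the whole fake mount; the form without -false prunes but reports the
# mount point itself as a hit.
root=$(make_tree)
pat="$root/nfs_mount*"
echo "buggy    (! -path):              visited $(visited_count "$root" ! -path "$pat"), matched $(match_count "$root" ! -path "$pat")"
echo "no-false (-prune -o):            visited $(visited_count "$root" -path "$pat" -prune -o), matched $(match_count "$root" -path "$pat" -prune -o)"
echo "patched  (-prune -false -o):     visited $(visited_count "$root" -path "$pat" -prune -false -o), matched $(match_count "$root" -path "$pat" -prune -false -o)"
rm -rf "$root"
```

Run it as `sh prune-demo.sh`. With the constructed tree the buggy form visits 10 entries and the two pruning forms visit 5; only the patched form both stops at the mount point and reports just the local `tcp.log`, which is why the patch needs `-false` as well as `-prune`.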