Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-ID: <41BEDCC2.8070904@x-ray.at>
Date: Tue, 14 Dec 2004 13:29:54 +0100
From: Reini Urban <rurban AT x-ray DOT at>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-AT; rv:1.8a4) Gecko/20040927
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: [Bug Cygwin Applications/575] Unknown HZ value! message from procps commands
References: <E1Ce8rV-0005oA-00 AT mailhub-01 DOT inode DOT at>
In-Reply-To: <E1Ce8rV-0005oA-00@mailhub-01.inode.at>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes

Chris January schrieb:
>>>>>>>Volker Zell writes:
>>>>>>>Chris January writes:
>>    >> In both cases what is the actual value of HZ you are seeing?
>>    > 01:02 AM [555]> w
>>    > Unknown HZ value! (483) Assume 100.

That's unrelated, but interesting, because I got rooted yesterday on 
some linux box (a new t0rnkit with some libsh), which had some libproc 
hack (process hiding), which led to the same error message on the procps 
utils.
   "Unknown HZ value! (11) Assume 100"

At least it was very easy to fix without reinstall. ttyload got hijacked 
(right after mingetty loading). rootkit in /usr/lib/libsh (hidden of 
course). But he forgot to hijack lsof. So lsof|grep LISTEN showed the 
intruder.
-- 
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/