Mysterious file corruption after cron.daily execution

John Stroud bear at amberorder.com
Mon Jan 5 23:03:22 UTC 2004


I need a little help trying to solve a fedora-related mystery...  I'm hoping someone has seen this or has some magical insight...

The executable file /usr/bin/AntiVir/antivir (http://www.hbedv.com/) is getting modified sometime during or after the default cron.daily run.  After the cron job the file is 1160 bytes longer than it was prior.  (See [1])

There are no direct log entries in /var/log/messages indicating why this might be.  Additionally, the timestamp on the file is not changed.  Here is what I find in pertinent areas. Notice the antivir binary runs correctly before the cron job, and fails after... (It's a one hour cron in the root crontab entry, and the preceding 11 runs are all good.) (See [2.1/2.2])

Some notes on what I've looked at:
This anomaly occurs on two different Fedora Core 1 + 'yum update' installs using the same tarball to install antivir and the same iso images to install Fedora.  

One machine is running the AMD kernel, while the other is running i686. (The AMD uname is not included, as I repartitioned it and installed RH9, below)
uname -a
Linux everwood.amberorder.com 2.4.22-1.2135.nptl #1 Mon Dec 15 15:55:18 EST 2003 i686 i686 i386 GNU/Linux

This anomaly does NOT occur on RH9 + 'up2date -u' on 1/3/2004 with AMD kernel.
uname -a
Linux serendipity.amberorder.com 2.4.20-27.9 #1 Thu Dec 11 14:01:47 EST 2003 i686 athlon i386 GNU/Linux

In all corruption cases, copying a backup binary over the corrupted one alleviates the symptom until the next cron.daily runs at ~4:00am local time.

Any thoughts appreciated... thanks!

----------

[1]
Prior to event:
[root at everwood bear]# ls -l /usr/lib/AntiVir/antivir
-rwx------    1 uucp     uucp       730624 Jan  4 10:28 antivir

After the mysterious event:
[root at everwood bear]# ls -l /usr/lib/AntiVir/antivir
-rwx------    1 uucp     uucp       731784 Jan  4 10:28 antivir

[2.1]
LOG:
tail -n20 /var/log/messages.1

<Note: antivir checks for previous hourly runs are the same as 7993 below, or it updates itself, if update available>
Jan  4 03:35:03 everwood antivir[7993]: AntiVir is up-to-date 
Jan  4 03:44:17 everwood dhcpd: Wrote 4 leases to leases file.
Jan  4 03:44:17 everwood dhcpd: DHCPREQUEST for 192.168.100.252 from 00:02:2d:28:9a:83 (osprey) via eth0
Jan  4 03:44:17 everwood dhcpd: DHCPACK on 192.168.100.252 to 00:02:2d:28:9a:83 (osprey) via eth0
Jan  4 04:02:12 everwood cups: cupsd shutdown succeeded
Jan  4 04:02:15 everwood modprobe: modprobe: Can't locate module char-major-188
Jan  4 04:02:15 everwood last message repeated 15 times
Jan  4 04:02:16 everwood cups: cupsd startup succeeded

------------
[2.2]
more /var/log/messages

Jan  4 04:02:17 everwood syslogd 1.4.1: restart.
Jan  4 04:05:55 everwood init: Trying to re-exec init
Jan  4 04:35:00 everwood antivir[15093]: Error: integrity selftest FAILED 
Jan  4 04:35:00 everwood antivir[15093]: Error: unable to initialize engine (/usr/lib/AntiVir/antivir : /usr/lib/AntiVir/antivir.vdf)

-- 
John Stroud               Senior System Admin
Piedmont, CA	          510-501-9173 (Cell)	 
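
One way to pin down a change like the one in [1], where the size grows but the timestamp shown by `ls -l` (mtime) stays the same, as an added example that is not part of the original post: record size, mtime, ctime and SHA-256 before cron.daily and compare afterwards. The function names are hypothetical and GNU coreutils (`stat -c`, `sha256sum`) are assumed.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat and sha256sum.

# snapshot FILE -> prints one line: "size mtime ctime sha256"
snapshot() {
    printf '%s %s\n' "$(stat -c '%s %Y %Z' -- "$1")" \
                     "$(sha256sum -- "$1" | cut -d' ' -f1)"
}

# compare_snapshot FILE BASELINE_LINE
# Prints a verdict; returns 0 if content is unchanged, 1 if it was modified.
compare_snapshot() {
    read -r b_size b_mtime b_ctime b_hash <<EOF
$2
EOF
    read -r n_size n_mtime n_ctime n_hash <<EOF
$(snapshot "$1")
EOF
    if [ "$b_hash" = "$n_hash" ]; then
        echo "UNCHANGED"
        return 0
    fi
    # mtime can be set back by whatever rewrote the file; ctime cannot be
    # set with touch/utime, so it marks when the file was last changed.
    if [ "$b_mtime" = "$n_mtime" ]; then
        m_state=preserved
    else
        m_state=changed
    fi
    echo "MODIFIED size_delta=$((n_size - b_size)) mtime=$m_state ctime=$n_ctime"
    return 1
}

# CLI: "$0 snapshot FILE" before cron.daily,
#      "$0 compare FILE 'BASELINE LINE'" after it.
case "${1:-}" in
    snapshot) snapshot "$2" ;;
    compare)  compare_snapshot "$2" "$3" ;;
esac
```

The reported ctime is in epoch seconds; `date -d @VALUE` converts it for comparison against the /var/log/messages entries around the cron.daily run.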




