dns program not installed through ports showing through ps

Should I be worried about what's in my ps output?
Code:
????  -  Ss      0:00.18 /usr/sbin/syslogd -s
?????  -  Ss      0:18.10 daemon: mosdns: daemon[75392] (daemon)
I don't have mosdns installed through ports/pkg. Everything before this is from the kernel, as in between [ ]. There are no other mentions of mosdns, except for my grep command.
Code:
?????  -  I       0:00.10 /usr/local/sbin/console-kit-daemon --no-daemon
?????  -  Is      0:00.00 dhclient: system.syslog (dhclient)
chkrootkit | grep INFECTED shows Syslogk LKM rootkit. I saw the thread on this, and it said not to worry, because the applicable file in its location is a Linux binary. However, I think this was an actual attempt. With the above, how syslog.d is, I'm concerned, less so about console-kit but more about the program not installed through ports.
 
mosdns appears to be some kind of Chinese DNS forwarder (it's also in the ports tree) but I have no idea what it's supposed to do. I see no apparent reason why any other application would bundle this, but if you've installed some random stuff off a forum / GitHub you might want to be a bit concerned.
 
I implied that, haven't installed anything like this in any other way, nor used git to install. Aware of its port, and I didn't install it that way, and it's not listed as an installed port.

I can't find the executable that runs it through several executable directories. It runs as root. I stepped through binaries and looked through with ls. How would I find it?

Didn't find a network process of them either. Sockstat, netstat... How could I find that?
 
It was right under my nose...
try procstat -b $pid
? Daemon ? /usr/sbin/daemon
and procstat -v $pid
A lot of stuff shows. Under the PATH column, some several times:
  • /usr/sbin/daemon
  • /lib/libutil.so
  • /lib/libc.so.7
  • hpet0
  • /libexec/ld-elf.so.1
hpet(4) High Precision Event Timer driver. This driver is in /dev/, though that part isn't in the output. Also, kldstat doesn't show hpet. When I try to load/unload, to see if it's loaded, it's not loaded that way. It's not found.

daemon(8) says it runs daemons and detaches them. This file is installed on the same date as my other files, I believe through a freebsd-update. It's that the command runs something else that's not in a pkg/port, and which I can't find the name of under executable directories.

I found /usr/local/etc/rc.d/mosdns. Pkg which shows nothing found. It shows a file in the typical package location, which it's not there. Maybe that file didn't delete. ls -l shows the rc.d file was created last year. I must have installed and uninstalled it. Why would the process not quit, when the file isn't there? Also, when uninstalling, those files leave.

It's also odd, that I don't have this enabled through any rc.conf
 
a standard rc.d script won't launch if they are not enabled via rc.conf
just look at the script and see if it resembles a standard rc.d script format
 
I found /usr/local/etc/rc.d/mosdns. Pkg which shows nothing found. It shows a file in the typical package location, which it's not there. Maybe that file didn't delete. ls -l shows the rc.d file was created last year. I must have installed and uninstalled it. Why would the process not quit, when the file isn't there?
dns/mosdns doesn't seem to include a /usr/local/etc/rc.d/mosdns, you may have created this yourself? Removing the port/package would leave it in place, because it wasn't part of the port/package. And the process itself would still be running if you didn't stop it before removal. It would have been loaded in memory and be running, as long as it doesn't need to load anything else the process will just happily keep running.
 
a standard rc.d script won't launch if they are not enabled via rc.conf
just look at the script and see if it resembles a standard rc.d script format
The script does look normal, but it's not enabled through rc.conf. Also, the formatting of the script matches what's shown by ps -x.

ls -l shows that it was installed last year, before anything really crazy went on.

My thought is it's either nothing, or something well hidden using legitimate processes, which are started in a nonstandard way. I'd still need to understand why this script was started. I thought through inet.d but it's not there.

I haven't installed and uninstalled anything like this, since I rebooted my computer today.

dns/mosdns doesn't seem to include a /usr/local/etc/rc.d/mosdns, you may have created this yourself?
I didn't write that script. I haven't been capable of writing a script like that. For the rest, you're saying if a package installs the script, it removes it when uninstalled? I think that's the case.

But something is running? Bc that process would have terminated, if the program wasn't there?

It could be something bad, hidden like that.

It makes me wonder about that other thread on syslog.d of the Linux binary.

Maybe, I copied it from the Internet, at that time, to try to get something to work, when it was missing a script. I might have, bc I was trying something when this file was made, and I remember how lots of Apache files don't have configurations that they need. That still doesn't seem right.

If it had a /usr/local/share directory file, I would have moved it from there. This is likely what I did, but doesn't explain it starting. But, the package doesn't have that either.
 
/usr/local/etc/rc.d/mosdns:
Code:
#!/bin/sh

# PROVIDE: mosdns
# REQUIRE: SERVERS
# KEYWORD: shutdown

. /etc/rc.subr

name="mosdns"
mosdns_env="IS_DAEMON=1"
pidfile="/var/run/${name}.pid"
command="/usr/sbin/daemon"
daemon_args="-P ${pidfile} -r -t \"${name}: daemon\""
command_args="${daemon_args} /usr/local/bin/mosdns start --as-service -d /usr/local/bin"

run_rc_command "$1"
sh -x /usr/local/etc/rc.d/mosdns start > /tmp/something.log 2>&1
Code:
+ . /etc/rc.subr
+ : 48952
+ export RC_PID
+ [ -n '' ]
+ _rc_subr_loaded=YES
+ SYSCTL=/sbin/sysctl
+ SYSCTL_N='/sbin/sysctl -n'
+ SYSCTL_W=/sbin/sysctl
+ PROTECT=/usr/bin/protect
+ ID=/usr/bin/id
+ IDCMD='if [ -x /usr/bin/id ]; then /usr/bin/id -un; fi'
+ PS='/bin/ps -ww'
+ JID=0
+ CPUSET=/bin/cpuset
+ rc_service=/usr/local/etc/rc.d/mosdns
+ _rc_namevarlist='program chroot chdir env flags fib nice user group groups prepend setup'
+ kenv -q rc.debug
+ command -v boottrace
+ boottrace_cmd=/usr/sbin/boottrace
+ [ -n /usr/sbin/boottrace ]
+ /sbin/sysctl -n -q kern.boottrace.enabled
+ [ 0 '=' 1 ]
+ name=mosdns
+ mosdns_env='IS_DAEMON=1'
+ pidfile=/var/run/mosdns.pid
+ command=/usr/sbin/daemon
+ daemon_args='-P /var/run/mosdns.pid -r -t "mosdns: daemon"'
+ command_args='-P /var/run/mosdns.pid -r -t "mosdns: daemon" /usr/local/bin/mosdns start --as-service -d /usr/local/bin'
+ run_rc_command start
+ _return=0
+ rc_arg=start
+ [ -z mosdns ]
+ shift 1
+ rc_extra_args=''
+ _rc_prefix=''
+ eval '_override_command=$mosdns_program'
+ _override_command=''
+ command=/usr/sbin/daemon
+ _keywords='start stop restart rcvar enable disable delete enabled describe extracommands '
+ rc_pid=''
+ _pidcmd=''
+ _procname=/usr/sbin/daemon
+ eval '_cpuset=$mosdns_cpuset'
+ _cpuset=''
+ _cpuset=''
+ _cpusetcmd=''
+ [ -n '' ]
+ [ -n /usr/sbin/daemon ]
+ [ -n /var/run/mosdns.pid ]
+ _pidcmd='rc_pid=$(check_pidfile /var/run/mosdns.pid /usr/sbin/daemon )'
+ _keywords='start stop restart rcvar enable disable delete enabled describe extracommands  status poll'
+ [ -z start ]
+ [ start '=' enabled ]
+ [ -n '' ]
+ eval 'rc_flags=$mosdns_flags'
+ rc_flags=''
+ eval '_chdir=$mosdns_chdir' '_chroot=$mosdns_chroot' '_nice=$mosdns_nice' '_user=$mosdns_user' '_group=$mosdns_group' '_groups=$mosdns_groups' '_fib=$mosdns_fib' '_env=$mosdns_env' '_prepend=$mosdns_prepend' '_login_class=${mosdns_login_class:-daemon}' '_limits=$mosdns_limits' '_oomprotect=$mosdns_oomprotect' '_setup=$mosdns_setup' '_env_file=$mosdns_env_file' '_umask=$mosdns_umask'
+ _chdir='' _chroot='' _nice='' _user='' _group='' _groups='' _fib='' _env='IS_DAEMON=1' _prepend='' _login_class=daemon _limits='' _oomprotect='' _setup='' _env_file='' _umask=''
+ [ -n '' ]
+ [ -n '' ]
+ [ -z '' ]
+ eval 'rc_pid=$(check_pidfile' /var/run/mosdns.pid /usr/sbin/daemon ')'
+ check_pidfile /var/run/mosdns.pid /usr/sbin/daemon
+ _pidfile=/var/run/mosdns.pid
+ _procname=/usr/sbin/daemon
+ _interpreter=''
+ [ -z /var/run/mosdns.pid -o -z /usr/sbin/daemon ]
+ [ ! -f /var/run/mosdns.pid ]
+ read _pid _junk
+ [ -z 11236 ]
+ _find_processes /usr/sbin/daemon . '-p 11236'
+ [ 3 -ne 3 ]
+ _procname=/usr/sbin/daemon
+ _interpreter=.
+ _psargs='-p 11236'
+ _pref=''
+ [ . '!=' . ]
+ _procnamebn=daemon
+ _fp_args='_arg0 _argv'
+ _fp_match=$'case "$_arg0" in
\t\t    $_procname|$_procnamebn|${_procnamebn}:|"(${_procnamebn})"|"[${_procnamebn}]")'
+ _proccheck=$'\t\t/bin/ps -ww 2>/dev/null -o pid= -o jid= -o command= -p 11236 |
\t\twhile read _npid _jid _arg0 _argv; do
\t\t\tcase "$_arg0" in
\t\t    $_procname|$_procnamebn|${_procnamebn}:|"(${_procnamebn})"|"[${_procnamebn}]")
\t\t\t\tif [ "$JID" -eq "$_jid" ];
\t\t\t\tthen echo -n "$_pref$_npid";
\t\t\t\t_pref=" ";
\t\t\t\tfi
\t\t\t\t;;
\t\t\tesac
\t\tdone'
+ eval /bin/ps -ww '2>/dev/null' -o 'pid=' -o 'jid=' -o 'command=' -p 11236 '|' while read _npid _jid _arg0 '_argv;' do case '"$_arg0"' in '$_procname|$_procnamebn|${_procnamebn}:|"(${_procnamebn})"|"[${_procnamebn}]")' if [ '"$JID"' -eq '"$_jid"' '];' then echo -n '"$_pref$_npid";' '_pref="' '";' fi ';;' esac done
+ /bin/ps -ww -o 'pid=' -o 'jid=' -o 'command=' -p 11236
+ read _npid _jid _arg0 _argv
+ [ 0 -eq 0 ]
+ echo -n 11236
+ _pref=' '
+ read _npid _jid _arg0 _argv
+ rc_pid=11236
+ [ start '!=' start ]
+ [ -n '' -a start '!=' rcvar -a start '!=' stop -a start '!=' delete -a start '!=' enable -a start '!=' describe -a start '!=' status ]
+ [ -n '' -a start '=' stop -a -z 11236 ]
+ [ start '=' start -a -z '' -a -n 11236 ]
+ [ -z '' ]
+ echo 'mosdns already running? ' '(pid=11236).'
mosdns already running?  (pid=11236).
+ return 1
Bash on the command line was needed for that full command, including the redirection of that output to a file, to work.

The command without the redirect let Csh also show the full output: the redirect part wasn't compatible with it put to it into a file. Running part of that command under sh and similar result under mksh: sh: cannot open /usr/local/etc/rc.d/mosdns.start: No such file or directory.
 
a standard rc.d script won't launch if they are not enabled via rc.conf
just look at the script and see if it resembles a standard rc.d script format
Or rc.conf.local. According to http://www.defcon1.org/html/rc-local.html, /etc/rc searches /usr/local/etc/rc.d and executes them. According to that, it being under that directory would be why it was started, but those still need rc.conf to start them. Everything else in that directory which isn't installed, and which isn't referenced in rc.conf.local/rc.conf or inetd.conf, isn't started. Still, some answer might be in that article. I grepped for mosdns, and couldn't find it.

I was able to stop mosdns by using service mosdns stop, even though there was no rc.conf reference. Those started manually without rc.conf need onestop instead of stop. Everything seems right that this could be started, except this was started manually, and not through inetd.conf, and that this wasn't installed as part of a package (unless I installed and removed this package between when this file was removed, which the version I had installed would have removed it too).

When I stopped and started it using service, I got the repeating: daemon: /usr/local/bin/mosdns: No such file or directory. I was able to type the command to stop it, as the output didn't interfere with my input, though visually it does. Moving this file and after reboot, this doesn't start as expected. So my computer is good here, though I'm curious why this is here like that.

Aside from that, my intended custom, including copied and not installed by ports, /etc/ files are going into /opt/etc/ from now on regardless if /opt/ isn't standard for FreeBSD. If I can figure out how to make rc.conf.local make use of /opt/etc/rc.d. Not much current need for that.
 
Bc that process would have terminated, if the program wasn't there?
Nope. You can start a process, delete the executable and the process will just keep running. Why would the process be terminated?
 
Nope. You can start a process, delete the executable and the process will just keep running. Why would the process be terminated?
If the executable isn't there to begin with, the daemon doesn't start. That start process terminates. But the program here is the script that tries to start the daemon. The code that asks it to run, keeps repeating, bc what it's looking for isn't there.
 
do I understand correctly, you restart your PC and the mosdns process is magically there, but the mosdns binary is not?

if that is the case, modify an /etc/ (not /usr/local/etc) rc script to make a copy of the missing binary on a different filesystem for analysis. reboot.

I had a dilemma like this one in Linux when an old process was seeing the mount points differently - in your case maybe /usr/local is mounted later during the boot process - the binary can be present in the underlying /, but currently mounted over by a different filesystem that does not have it. quite a long shot.
 
The script to start mosdns is started without the binary. That part you have correct. It's the script process that runs and stays on. This script is started from being in /usr/local/etc/ without being in rc.conf:
the auto start without rc.conf setting works because the script has no rcvar setting (like rcvar="mosdns_enable")
May explain that.

This script isn't tailored to FreeBSD. I either put it there, or it was a malicious attempt by someone else who is used to Linux. It's all from the /usr/local/ directories.

Testing process of why that script is there and how it works.
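The two conditions the thread turned up, an rc.d script with no rcvar (so /etc/rc starts it without any rc.conf knob) and a command_args line pointing at a program that is no longer on disk (so daemon -r loops on "No such file or directory"), are both simple to audit for. The script below is an added example, not part of this thread or of the mosdns port; it assumes scripts follow the usual rc.subr layout (name=, rcvar=, command=, command_args=) and builds a constructed sample tree, with one script modelled on the mosdns script above and one well-formed script, so it runs offline. Point rc_scripts_without_rcvar and rc_missing_programs at /usr/local/etc/rc.d to check a real system.

```shell
#!/bin/sh
# Added example (not from the thread): audit an rc.d directory for
#   1. scripts that define no rcvar=, which /etc/rc will run on every boot
#      with nothing in rc.conf to disable them;
#   2. scripts whose command= / command_args= name an absolute path that
#      does not exist (the daemon -r restart loop seen in the thread).

# Print the basename of every script in $1 that sets no rcvar.
rc_scripts_without_rcvar() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -q '^[[:space:]]*rcvar=' "$f" || basename "$f"
    done
}

# Print "<script>: <path>" for every absolute path on a command= or
# command_args= line that is absent from this system.
rc_missing_programs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -E '^[[:space:]]*(command|command_args)=' "$f" \
            | tr ' "' '\n\n' \
            | grep '^/' \
            | while read -r p; do
                [ -e "$p" ] || echo "$(basename "$f"): $p"
              done
    done
}

# Constructed sample tree: $1/rc.d/mosdns mirrors the script from the thread
# (no rcvar, binary absent); $1/rc.d/goodsvc has an rcvar and an existing binary.
make_samples() {
    d=$1
    mkdir -p "$d/rc.d" "$d/bin"
    cat > "$d/rc.d/mosdns" <<EOF
#!/bin/sh
# PROVIDE: mosdns
. /etc/rc.subr
name="mosdns"
pidfile="/var/run/\${name}.pid"
command="/usr/sbin/daemon"
daemon_args="-P \${pidfile} -r -t \"\${name}: daemon\""
command_args="\${daemon_args} $d/bin/mosdns start --as-service -d $d/bin"
run_rc_command "\$1"
EOF
    printf '#!/bin/sh\nexit 0\n' > "$d/bin/goodsvc"
    chmod +x "$d/bin/goodsvc"
    cat > "$d/rc.d/goodsvc" <<EOF
#!/bin/sh
# PROVIDE: goodsvc
. /etc/rc.subr
name="goodsvc"
rcvar="goodsvc_enable"
load_rc_config \$name
: \${goodsvc_enable:=NO}
command="$d/bin/goodsvc"
run_rc_command "\$1"
EOF
}

# Stand-alone run: build the samples in a temporary directory and report.
main() {
    tmp=$(mktemp -d)
    make_samples "$tmp"
    echo "scripts that start without an rc.conf knob:"
    rc_scripts_without_rcvar "$tmp/rc.d"
    echo "programs named by command=/command_args= that do not exist:"
    rc_missing_programs "$tmp/rc.d"
    rm -rf "$tmp"
}

main
```

Only the mosdns sample is reported in the first list, and its missing bin/mosdns path shows up in the second; a script with a proper rcvar and an existing command is silent on both counts, which is the state every script under /usr/local/etc/rc.d should be in.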
 
ah, ok. no mystery then

truss -s1000 -f -p insert_daemon_pid_here
would have shown the process trying to execute the missing binary every second or so.
the rc script did not have --syslog enabled so it was silently trying to restart a binary that does not exist.

malicious daemons usually do something more involved and often cpu intensive, like mining on your hardware :) ask me how I know.
 