salzman@RAND.ORG (Isaac) (11/05/88)
Hi again folks! I've had some mild success at poking inside the virus using Sun's trace command on a Sun 3/50 running SunOS4.0. YP had to be shutdown for this to be usefull and of course all routes were deleted so it couldn't propagate anywhere outside the machine. This machine had a relatively small /etc/hosts and /etc/passwd file so it did its thing pretty quickly. To really see what it's doing the best scenario would be to run it on a network with a very small number of other machines (and no gateways to other nets!) to give it a chance to actually connect to something. What I did get was interesting though it only tells only a partial story. Keeping up with it was tricky since it would fork occasionally and exit, so I'd have to start trace up and attach to that new process pretty quickly to see anything happen. In this run it didn't look for individual .rhosts files (though it looked at .forward files). My feeling is that it would look at .rhosts after it's cracked the password for that person. It's not clear from this where password cracking would happen either since a lot of that doesn't require system calls. We have a disassembly of the thing as well and it's got a few of its own routines to do password cracking (replacements for stuff allready resident in UNIX). So here are some excerpts from trace with some redunancy edited out and some comments embedded comments. Enjoy!! 13:20:35 gettimeofday (0xefffce0, 0) = 0 13:20:36 getpagesize () = 8192 13:20:36 brk (0x29298) = 0 13:20:36 brk (0x2b29c) = 0 13:20:36 setrlimit (4, 0xefffcf4) = 0 13:20:36 sigvec (13, 0xefffcac, 0xefffcd8) = 0 13:20:36 open ("x15053677,vax.o", 0, 06) = 3 13:20:36 fstat (3, 0xefffca4) = 0 13:20:36 brk (0x3729c) = 0 13:20:36 read (3, "".., 45734) = 45734 13:20:37 close (3) = 0 13:20:38 unlink ("x15053677,vax.o") = 0 13:20:38 open ("x15901447,sun3.o", 0, 06) = 3 13:20:38 fstat (3, 0xefffca4) = 0 13:20:38 brk (0x4329c) = 0 13:20:38 read (3, "".., 47165) = 47165 13:20:38 close (3) = 0 13:20:39 unlink ("x15901447,sun3.o") = 0 13:20:39 open ("x11091853,l1.c", 0, 06) = 3 13:20:39 fstat (3, 0xefffca4) = 0 13:20:39 read (3, "#include <stdio.h>\n#include <sys".., 1542) = 1542 13:20:39 close (3) = 0 13:20:39 unlink ("x11091853,l1.c") = 0 13:20:39 close (0) = 0 13:20:39 close (1) = 0 13:20:39 close (2) = 0 13:20:39 close (3) = -1 EBADF (Bad file number) . . 13:20:39 close (31) = -1 EBADF (Bad file number) 13:20:39 unlink ("sh") = 0 13:20:40 unlink ("sh") = -1 ENOENT (No such file or directory) # unlink itself and make sure it was done! 13:20:40 unlink ("/tmp/.dumb") = -1 ENOENT (No such file or directory) 13:20:40 socket (2, 1, 0) = 0 13:20:40 ioctl (0, 0xc0086914, 0xefffce4) = 0 13:20:40 ioctl (0, 0xc0206911, 0xefffb34) = 0 13:20:40 ioctl (0, 0xc020690d, 0xefffb34) = 0 13:20:40 ioctl (0, 0xc0206919, 0xefffb34) = 0 13:20:40 ioctl (0, 0xc0206911, 0xefffb34) = 0 13:20:40 ioctl (0, 0xc020690d, 0xefffb34) = 0 13:20:40 getpid () = 6077 13:20:40 getpgrp (6077) = 6076 13:20:40 kill (70, 9) = -1 EPERM (Not owner) # kill its parent process (i gave it a pid it couldn't kill) 13:20:40 gettimeofday (0xefffccc, 0) = 0 13:20:40 getdtablesize () = 64 13:20:40 pipe (0xefffccc) = 1 13:20:40 vfork () = 6079 13:20:40 close (2) = 0 13:20:40 getdtablesize () = 64 13:20:40 ioctl (1, 0x40125401, 0xefffae4) = -1 EOPNOTSUPP (Operation not supported on socket) 13:20:40 fstat (1, 0xefffb10) = 0 13:20:41 read (1, "Routing tables\nDestination ".., 4096) = 167 # this is output from "netstat -r" 13:20:44 read (1, "", 4096) = 0 13:20:44 - SIGCHLD (20) 13:20:44 close (1) = 0 13:20:44 sigblock (0x7) = 0 13:20:44 wait4 (0, 0xefffb78, 0, 0) = 6079 13:20:44 sigsetmask (0) = 0x7 13:20:44 open ("/etc/hosts", 0, 0666) = 1 13:20:44 lseek (1, 0, 0) = 0 13:20:44 getdomainname ("".., 256) = 0 13:20:44 getpid () = 6077 13:20:44 open ("/var/yp/binding/isltest.rand.org".., 0, 0) = 2 13:20:44 flock (2, 06) = 0 13:20:44 close (2) = 0 13:20:44 socket (2, 1, 0) = 2 13:20:45 connect (2, "".., 16) = 0 13:20:45 close (2) = 0 13:20:45 gettimeofday (0xefff9f4, 0) = 0 13:20:45 getpid () = 6077 13:20:45 socket (2, 2, 17) = 2 13:20:45 getpid () = 6077 13:20:45 bind (2, "".., 16) = -1 EACCES (Permission denied) 13:20:45 ioctl (2, 0x8004667e, 0xefff9c0) = 0 13:20:45 sendto (2, "".., 56, 0, 0x42a84, 16) = 56 13:20:45 getdtablesize () = 64 13:20:45 select (64, 0xefff9dc, 0, 0, 0x42a98) = 1 13:20:45 recvfrom (2, "".., 400, 0, 0xefff9ac, 0xefff9fc) = 28 13:20:45 close (2) = 0 13:20:45 close (2) = -1 EBADF (Bad file number) 13:20:45 socket (2, 2, 0) = 2 13:20:45 bind (2, "".., 16) = 0 13:20:45 close (2) = 0 13:20:45 ioctl (1, 0x40125401, 0xefffaa0) = -1 ENOTTY (Inappropriate ioctl for device) 13:20:45 fstat (1, 0xefffacc) = 0 13:20:45 brk (0x4729c) = 0 13:20:45 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823 13:20:45 read (1, "", 8192) = 0 13:20:45 pipe (0x1) = 2 13:20:45 vfork () = 6081 13:20:45 close (3) = 0 13:20:45 ioctl (2, 0x40125401, 0xefff948) = -1 EOPNOTSUPP (Operation not supported on socket) 13:20:46 fstat (2, 0xefff974) = 0 13:20:46 read (2, "Routing tables\nDestination ".., 4096) = 167 13:20:47 read (2, "", 4096) = 0 13:20:47 close (2) = 0 13:20:48 - SIGCHLD (20) 13:20:48 sigblock (0x7) = 0 13:20:48 wait4 (0, 0xefff9dc, 0, 0) = 6081 13:20:48 sigsetmask (0) = 0x7 13:20:48 lseek (1, 0, 0) = 0 13:20:48 lseek (1, 0, 0) = 0 13:20:48 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823 13:20:48 read (1, "", 8192) = 0 13:20:48 open ("/etc/hosts.equiv", 0, 0666) = 2 13:20:48 close (2) = 0 13:20:48 open ("/.rhosts", 0, 0666) = 2 13:20:48 ioctl (2, 0x40125401, 0xefff808) = -1 ENOTTY (Inappropriate ioctl for device) 13:20:48 fstat (2, 0xefff834) = 0 13:20:48 read (2, "owl\nrand-unix.arpa\n", 8192) = 19 13:20:48 lseek (1, 0, 0) = 0 13:20:48 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823 13:20:48 lseek (1, 0, 0) = 0 13:20:48 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823 13:20:48 lseek (1, 0, 0) = 0 13:20:48 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823 13:20:48 lseek (1, 0, 0) = 0 13:20:48 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823 13:20:48 lseek (1, 0, 0) = 0 13:20:48 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823 13:20:48 read (2, "", 8192) = 0 13:20:48 close (2) = 0 13:20:48 open ("/etc/passwd", 0, 0666) = 2 13:20:49 ioctl (2, 0x40125401, 0xefff3e8) = -1 ENOTTY (Inappropriate ioctl for device) 13:20:49 fstat (2, 0xefff414) = 0 13:20:49 read (2, "root:***sorry***:0:1:Operator:".., 8192) = 714 13:20:49 open ("//.forward", 0, 0666) = -1 ENOENT (No such file or directory) 13:20:49 open ("//.forward", 0, 0666) = -1 ENOENT (No such file or directory) 13:20:49 open ("//.forward", 0, 0666) = -1 ENOENT (No such file or directory) 13:20:49 open ("//.forward", 0, 0666) = -1 ENOENT (No such file or directory) 13:20:49 open ("/bin/.forward", 0, 0666) = -1 ENOENT (No such file or directory) 13:20:49 open ("/var/spool/uucppublic/.forward", 0, 0666) = -1 ENOENT (No such file or directory) 13:20:49 open ("/u/oper/.forward", 0, 0666) = -1 ENOENT (No such file or directory) 13:20:49 open ("/var/spool/news/.forward", 0, 0666) = -1 ENOENT (No such file or directory) 13:20:49 open ("/usr/ingres/.forward", 0, 0666) = -1 ENOENT (No such file or directory) 13:20:49 open ("//.forward", 0, 0666) = -1 ENOENT (No such file or directory) 13:20:50 open ("/usr/diag/sysdiag/.forward", 0, 0666) = -1 ENOENT (No such file or directory) 13:20:50 open ("/home/terry/.forward", 0, 0666) = 3 13:20:50 ioctl (3, 0x40125401, 0xefff808) = -1 ENOTTY (Inappropriate ioctl for device) 13:20:50 fstat (3, 0xefff834) = 0 13:20:50 brk (0x4b29c) = 0 13:20:50 read (3, "terry@zoo\n", 8192) = 10 13:20:50 lseek (1, 0, 0) = 0 13:20:50 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823 13:20:50 read (3, "", 8192) = 0 13:20:50 close (3) = 0 13:20:50 open ("/home/guyton/.forward", 0, 0666) = 3 13:20:50 ioctl (3, 0x40125401, 0xefff808) = -1 ENOTTY (Inappropriate ioctl for device) 13:20:50 fstat (3, 0xefff834) = 0 13:20:50 read (3, "guyton@condor\n", 8192) = 14 13:20:50 lseek (1, 0, 0) = 0 13:20:50 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823 13:20:50 read (3, "", 8192) = 0 13:20:50 close (3) = 0 13:20:50 open ("/home/salzman/.forward", 0, 0666) = -1 ENOENT (No such file or directory) 13:20:51 open ("/home/edhall/.forward", 0, 0666) = -1 ENOENT (No such file or directory) 13:20:51 open ("/home/jim/.forward", 0, 0666) = -1 ENOENT (No such file or directory) 13:20:51 getpid () = 6077 13:20:51 open ("/var/yp/binding/isltest.rand.org".., 0, 0) = 3 13:20:51 flock (3, 06) = 0 13:20:51 close (3) = 0 13:20:51 socket (2, 1, 0) = 3 13:20:51 connect (3, "".., 16) = 0 13:20:51 close (3) = 0 13:20:51 gettimeofday (0xefff374, 0) = 0 13:20:51 getpid () = 6077 13:20:51 socket (2, 2, 17) = 3 13:20:51 bind (3, "".., 16) = -1 EACCES (Permission denied) 13:20:51 ioctl (3, 0x8004667e, 0xefff340) = 0 13:20:51 sendto (3, "".., 56, 0, 0x27aa8, 16) = 56 13:20:51 select (64, 0xefff35c, 0, 0, 0x27abc) = 1 13:20:51 recvfrom (3, "".., 400, 0, 0xefff32c, 0xefff37c) = 28 13:20:51 close (3) = 0 13:20:51 close (3) = -1 EBADF (Bad file number) 13:20:51 socket (2, 2, 0) = 3 13:20:51 bind (3, "".., 16) = 0 13:20:51 close (3) = 0 13:20:51 read (2, "", 8192) = 0 13:20:51 close (2) = 0 13:20:51 setitimer (0, 0xefffc9c, 0xefffc8c) = 0 13:20:51 sigvec (14, 0xefffc50, 0xefffc74) = 0 13:20:51 sigblock (0x2000) = 0 13:20:51 setitimer (0, 0xefffc9c, 0) = 0 13:20:51 sigpause (0) = -1 EINTR (Interrupted system call) 13:21:21 - SIGALRM (14) 13:21:21 sigcleanup () = 0 13:21:21 sigvec (14, 0xefffc50, 0) = 0 13:21:21 sigsetmask (0) = 0x2000 13:21:22 setitimer (0, 0xefffc8c, 0) = 0 13:21:23 fork () = 6083 13:21:23 close (0) = 0 13:21:23 close (1) = 0 13:21:23 close (2) = -1 EBADF (Bad file number) 13:21:23 close (1) = -1 EBADF (Bad file number) 13:21:23 exit (0) = ? # now for the forked process.... # I missed a good 6 seconds of stuff here... # notice the "ENETUNREACH" errno's since I deleted all the routes # (as our ``friendly'' virus attempts to propagate 13:21:29 sigpause (0) = -1 EINTR (Interrupted system call) 13:21:29 - SIGALRM (14) 13:21:29 sigcleanup () = 0 13:21:30 sigvec (14, 0xefffc1c, 0) = 0 13:21:30 sigsetmask (0) = 0 13:21:30 setitimer (0, 0xefffc58, 0) = 0 13:21:30 wait4 (0, 0, 0x1, 0) = 6086 13:21:30 sigvec (14, 0xefff820, 0xefff84c) = 0 13:21:30 socket (2, 1, 0) = 2 13:21:30 setitimer (0, 0xefff84c, 0xefff83c) = 0 13:21:30 connect (2, "".., 16) = -1 ENETUNREACH (Network is unreachable) 13:21:30 setitimer (0, 0xefff84c, 0xefff83c) = 0 13:21:30 close (2) = 0 13:21:30 socket (2, 1, 0) = 2 13:21:30 connect (2, "".., 16) = -1 ENETUNREACH (Network is unreachable) 13:21:30 close (2) = 0 13:21:30 socket (2, 1, 0) = 2 13:21:30 bind (2, "".., 16) = 0 13:21:30 listen (2, 10) = 0 13:21:30 sigvec (14, 0xefffa30, 0xefffa5c) = 0 13:21:30 socket (2, 1, 0) = 3 13:21:30 setitimer (0, 0xefffa5c, 0xefffa4c) = 0 13:21:30 connect (3, "".., 16) = -1 ENETUNREACH (Network is unreachable) 13:21:30 setitimer (0, 0xefffa5c, 0xefffa4c) = 0 13:21:30 close (3) = 0 13:21:30 setitimer (0, 0xefffc78, 0xefffc68) = 0 13:21:30 sigvec (14, 0xefffc2c, 0xefffc50) = 0 13:21:30 sigblock (0x2000) = 0 13:21:30 setitimer (0, 0xefffc78, 0) = 0 13:21:30 sigpause (0) = -1 EINTR (Interrupted system call) 13:21:31 - SIGALRM (14) 13:21:31 sigcleanup () = 0 13:21:31 sigvec (14, 0xefffc2c, 0) = 0 13:21:31 sigsetmask (0) = 0x2000 13:21:31 setitimer (0, 0xefffc68, 0) = 0 13:21:31 pipe (0) = 3 13:21:31 pipe (0) = 5 13:21:31 fork () = 6088 13:21:31 close (3) = 0 13:21:31 close (6) = 0 13:21:31 write (4, "\n/bin/echo 6480629\n", 19) = 19 13:21:31 select (6, 0xefff96c, 0, 0, 0xefff964) = 1 13:21:32 read (5, "", 1) = 0 13:21:32 close (5) = 0 13:21:32 close (4) = 0 13:21:32 kill (6088, 9) = 0 13:21:32 setitimer (0, 0xefffc68, 0xefffc58) = 0 13:21:32 - SIGCHLD (20) 13:21:32 sigvec (14, 0xefffc1c, 0xefffc40) = 0 13:21:32 sigblock (0x2000) = 0 13:21:32 setitimer (0, 0xefffc68, 0) = 0 13:21:32 sigpause (0) = -1 EINTR (Interrupted system call) 13:21:33 - SIGALRM (14) 13:21:33 sigcleanup () = 0 13:21:33 sigvec (14, 0xefffc1c, 0) = 0 13:21:33 sigsetmask (0) = 0x2000 13:21:33 setitimer (0, 0xefffc58, 0) = 0 13:21:33 wait4 (0, 0, 0x1, 0) = 6088 13:21:33 sigvec (14, 0xefff820, 0xefff84c) = 0 13:21:33 socket (2, 1, 0) = 3 13:21:33 setitimer (0, 0xefff84c, 0xefff83c) = 0 13:21:33 connect (3, "".., 16) = -1 ENETUNREACH (Network is unreachable) 13:21:33 setitimer (0, 0xefff84c, 0xefff83c) = 0 13:21:33 close (3) = 0 13:21:33 socket (2, 1, 0) = 3 13:21:33 connect (3, "".., 16) = -1 ENETUNREACH (Network is unreachable) 13:21:33 close (3) = 0 13:21:33 socket (2, 1, 0) = 3 13:21:33 bind (3, "".., 16) = 0 13:21:33 listen (3, 10) = 0 13:21:33 sigvec (14, 0xefffa30, 0xefffa5c) = 0 13:21:33 socket (2, 1, 0) = 4 13:21:33 setitimer (0, 0xefffa5c, 0xefffa4c) = 0 13:21:33 connect (4, "".., 16) = -1 ENETUNREACH (Network is unreachable) 13:21:33 setitimer (0, 0xefffa5c, 0xefffa4c) = 0 13:21:33 close (4) = 0 13:21:33 setitimer (0, 0xefffc78, 0xefffc68) = 0 13:21:33 sigvec (14, 0xefffc2c, 0xefffc50) = 0 13:21:33 sigblock (0x2000) = 0 13:21:33 setitimer (0, 0xefffc78, 0) = 0 13:21:33 sigpause (0) = -1 EINTR (Interrupted system call) 13:21:34 - SIGALRM (14) 13:21:34 sigcleanup () = 0 13:21:34 sigvec (14, 0xefffc2c, 0) = 0 13:21:34 sigsetmask (0) = 0x2000 13:21:34 setitimer (0, 0xefffc68, 0) = 0 13:21:34 pipe (0) = 4 13:21:34 pipe (0) = 6 13:21:34 fork () = 6089 13:21:34 close (4) = 0 13:21:34 close (7) = 0 13:21:34 write (5, "\n/bin/echo 6541524\n", 19) = 19 13:21:34 select (7, 0xefff96c, 0, 0, 0xefff964) = 1 13:21:35 read (6, "", 1) = 0 13:21:35 close (6) = 0 13:21:35 close (5) = 0 13:21:35 - SIGCHLD (20) 13:21:35 kill (6089, 9) = -1 ESRCH (No such process) 13:21:35 setitimer (0, 0xefffc68, 0xefffc58) = 0 13:21:35 sigvec (14, 0xefffc1c, 0xefffc40) = 0 13:21:35 sigblock (0x2000) = 0 13:21:35 setitimer (0, 0xefffc68, 0) = 0 13:21:35 sigpause (0) = -1 EINTR (Interrupted system call) 13:21:36 - SIGALRM (14) 13:21:36 sigcleanup () = 0 13:21:36 sigvec (14, 0xefffc1c, 0) = 0 13:21:36 sigsetmask (0) = 0x2000 13:21:36 setitimer (0, 0xefffc58, 0) = 0 13:21:36 wait4 (0, 0, 0x1, 0) = 6089 13:21:36 sigvec (14, 0xefff820, 0xefff84c) = 0 13:21:36 socket (2, 1, 0) = 4 13:21:36 setitimer (0, 0xefff84c, 0xefff83c) = 0 13:21:36 connect (4, "".., 16) = -1 ENETUNREACH (Network is unreachable) 13:21:40 setitimer (0, 0xefffa5c, 0xefffa4c) = 0 13:21:40 close (6) = 0 13:21:40 pipe (0x6) = 6 13:21:40 vfork () = 6092 13:21:40 close (7) = 0 13:21:40 ioctl (6, 0x40125401, 0xefff948) = -1 EOPNOTSUPP (Operation not supported on socket) 13:21:40 fstat (6, 0xefff974) = 0 13:21:41 read (6, "Routing tables\nDestination ".., 4096) = 167 13:21:44 read (6, "", 4096) = 0 13:21:44 - SIGCHLD (20) 13:21:44 close (6) = 0 13:21:44 sigblock (0x7) = 0 13:21:44 wait4 (0, 0xefff9dc, 0, 0) = 6092 13:21:44 sigsetmask (0) = 0x7 13:21:44 lseek (1, 0, 0) = 0 13:21:44 lseek (1, 0, 0) = 0 13:21:44 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823 13:21:45 read (1, "", 8192) = 0 13:21:45 setitimer (0, 0xefffc9c, 0xefffc8c) = 0 13:21:45 sigvec (14, 0xefffc50, 0xefffc74) = 0 13:21:45 sigblock (0x2000) = 0 13:21:45 setitimer (0, 0xefffc9c, 0) = 0 13:21:45 sigpause (0) = -1 EINTR (Interrupted system call) 13:23:45 - SIGALRM (14) 13:23:45 sigcleanup () = 0 13:23:45 sigvec (14, 0xefffc50, 0) = 0 13:23:45 sigsetmask (0) = 0x2000 13:23:45 setitimer (0, 0xefffc8c, 0) = 0 13:23:45 gettimeofday (0xefffccc, 0) = 0 13:23:46 setitimer (0, 0xefffc9c, 0xefffc8c) = 0 13:23:46 sigvec (14, 0xefffc50, 0xefffc74) = 0 13:23:46 sigblock (0x2000) = 0 13:23:46 setitimer (0, 0xefffc9c, 0) = 0 13:23:46 sigpause (0) = -1 EINTR (Interrupted system call) 13:24:16 - SIGALRM (14) 13:24:16 sigcleanup () = 0 13:24:16 sigvec (14, 0xefffc50, 0) = 0 13:24:16 sigsetmask (0) = 0x2000 13:24:16 setitimer (0, 0xefffc8c, 0) = 0 13:24:17 fork () = 6094 13:24:17 close (0) = 0 13:24:17 close (1) = 0 13:24:17 close (2) = 0 13:24:17 close (1) = -1 EBADF (Bad file number) 13:24:17 exit (0) = ? # and another - there are a couple more that look like this but # it was getting boring since it had no where to go.... 13:24:21 read (6, "Routing tables\nDestination ".., 4096) = 167 13:24:22 read (6, "", 4096) = 0 13:24:22 close (6) = 0 13:24:22 - SIGCHLD (20) 13:24:22 sigblock (0x7) = 0 13:24:22 wait4 (0, 0xefff9dc, 0, 0) = 6097 13:24:22 sigsetmask (0) = 0x7 13:24:22 lseek (1, 0, 0) = 0 13:24:22 lseek (1, 0, 0) = 0 13:24:22 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823 13:24:22 read (1, "", 8192) = 0 13:24:22 setitimer (0, 0xefffc9c, 0xefffc8c) = 0 13:24:22 sigvec (14, 0xefffc50, 0xefffc74) = 0 13:24:22 sigblock (0x2000) = 0 13:24:22 setitimer (0, 0xefffc9c, 0) = 0 13:24:22 sigpause (0) = -1 EINTR (Interrupted system call) 13:26:23 - SIGALRM (14) 13:26:23 sigcleanup () = 0 13:26:23 sigvec (14, 0xefffc50, 0) = 0 13:26:23 sigsetmask (0) = 0x2000 13:26:23 setitimer (0, 0xefffc8c, 0) = 0 13:26:23 gettimeofday (0xefffccc, 0) = 0 13:26:25 setitimer (0, 0xefffc9c, 0xefffc8c) = 0 13:26:25 sigvec (14, 0xefffc50, 0xefffc74) = 0 13:26:25 sigblock (0x2000) = 0 13:26:25 setitimer (0, 0xefffc9c, 0) = 0 13:26:25 sigpause (0) = -1 EINTR (Interrupted system call) 13:26:55 - SIGALRM (14) 13:26:55 sigcleanup () = 0 13:26:55 sigvec (14, 0xefffc50, 0) = 0 13:26:55 sigsetmask (0) = 0x2000 13:26:55 setitimer (0, 0xefffc8c, 0) = 0 13:26:55 fork () = 6103 13:26:55 close (0) = 0 13:26:55 close (1) = 0 13:26:55 close (2) = 0 13:26:55 close (1) = -1 EBADF (Bad file number) 13:26:56 exit (0) = ? -- * Isaac J. Salzman ---- * The RAND Corporation - Information Sciences Dept. /o o/ / * 1700 Main St., PO Box 2138, Santa Monica, CA 90406-2138 | v | | * AT&T: +1 213-393-0411 x6421 or x7923 (ISL lab) _| |_/ * ARPA: salzman@RAND.ORG or salzman@rand-unix.ARPA / | | * UUCP: ...!{cbosgd,decvax,sdcrdcf}!randvax!salzman | | |