Path: utzoo!attcan!uunet!husc6!bloom-beacon!apple!bionet!agate!ucbvax!RAND.ORG!salzman
From: salzman@RAND.ORG (Isaac)
Newsgroups: comp.protocols.tcp-ip
Subject: A look inside the Internet VIRUS
Message-ID: <8811042304.AA18450@rand.org>
Date: 4 Nov 88 23:04:43 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Reply-To: salzman@rand.org
Organization: The Internet
Lines: 433


Hi again folks! I've had some mild success at poking inside the virus using
Sun's trace command on a Sun 3/50 running SunOS4.0.  YP had to be shutdown
for this to be usefull and of course all routes were deleted so it couldn't
propagate anywhere outside the machine. This machine had a relatively small
/etc/hosts and /etc/passwd file so it did its thing pretty quickly. To
really see what it's doing the best scenario would be to run it on a network
with a very small number of other machines (and no gateways to other nets!)
to give it a chance to actually connect to something. What I did get was
interesting though it only tells only a partial story.  Keeping up with it
was tricky since it would fork occasionally and exit, so I'd have to start
trace up and attach to that new process pretty quickly to see anything
happen. In this run it didn't look for individual .rhosts files (though it
looked at .forward files). My feeling is that it would look at .rhosts after
it's cracked the password for that person. It's not clear from this where
password cracking would happen either since a lot of that doesn't require
system calls. We have a disassembly of the thing as well and it's got a few
of its own routines to do password cracking (replacements for stuff allready
resident in UNIX). So here are some excerpts from trace with some redunancy
edited out and some comments embedded comments. Enjoy!! 

13:20:35 gettimeofday (0xefffce0, 0) = 0
13:20:36 getpagesize () = 8192
13:20:36 brk (0x29298) = 0
13:20:36 brk (0x2b29c) = 0
13:20:36 setrlimit (4, 0xefffcf4) = 0
13:20:36 sigvec (13, 0xefffcac, 0xefffcd8) = 0
13:20:36 open ("x15053677,vax.o", 0, 06) = 3
13:20:36 fstat (3, 0xefffca4) = 0
13:20:36 brk (0x3729c) = 0
13:20:36 read (3, "".., 45734) = 45734
13:20:37 close (3) = 0
13:20:38 unlink ("x15053677,vax.o") = 0
13:20:38 open ("x15901447,sun3.o", 0, 06) = 3
13:20:38 fstat (3, 0xefffca4) = 0
13:20:38 brk (0x4329c) = 0
13:20:38 read (3, "".., 47165) = 47165
13:20:38 close (3) = 0
13:20:39 unlink ("x15901447,sun3.o") = 0
13:20:39 open ("x11091853,l1.c", 0, 06) = 3
13:20:39 fstat (3, 0xefffca4) = 0
13:20:39 read (3, "#include <stdio.h>\n#include <sys".., 1542) = 1542
13:20:39 close (3) = 0
13:20:39 unlink ("x11091853,l1.c") = 0
13:20:39 close (0) = 0
13:20:39 close (1) = 0
13:20:39 close (2) = 0
13:20:39 close (3) = -1 EBADF (Bad file number)
.
.
13:20:39 close (31) = -1 EBADF (Bad file number)
13:20:39 unlink ("sh") = 0
13:20:40 unlink ("sh") = -1 ENOENT (No such file or directory)
# unlink itself and make sure it was done!
13:20:40 unlink ("/tmp/.dumb") = -1 ENOENT (No such file or directory)
13:20:40 socket (2, 1, 0) = 0
13:20:40 ioctl (0, 0xc0086914, 0xefffce4) = 0
13:20:40 ioctl (0, 0xc0206911, 0xefffb34) = 0
13:20:40 ioctl (0, 0xc020690d, 0xefffb34) = 0
13:20:40 ioctl (0, 0xc0206919, 0xefffb34) = 0
13:20:40 ioctl (0, 0xc0206911, 0xefffb34) = 0
13:20:40 ioctl (0, 0xc020690d, 0xefffb34) = 0
13:20:40 getpid () = 6077
13:20:40 getpgrp (6077) = 6076
13:20:40 kill (70, 9) = -1 EPERM (Not owner)
# kill its parent process (i gave it a pid it couldn't kill)
13:20:40 gettimeofday (0xefffccc, 0) = 0
13:20:40 getdtablesize () = 64
13:20:40 pipe (0xefffccc) = 1
13:20:40 vfork () = 6079
13:20:40 close (2) = 0
13:20:40 getdtablesize () = 64
13:20:40 ioctl (1, 0x40125401, 0xefffae4) = -1 EOPNOTSUPP (Operation not supported on socket)
13:20:40 fstat (1, 0xefffb10) = 0
13:20:41 read (1, "Routing tables\nDestination      ".., 4096) = 167
# this is output from "netstat -r"
13:20:44 read (1, "", 4096) = 0
13:20:44 - SIGCHLD (20)
13:20:44 close (1) = 0
13:20:44 sigblock (0x7) = 0
13:20:44 wait4 (0, 0xefffb78, 0, 0) = 6079
13:20:44 sigsetmask (0) = 0x7
13:20:44 open ("/etc/hosts", 0, 0666) = 1
13:20:44 lseek (1, 0, 0) = 0
13:20:44 getdomainname ("".., 256) = 0
13:20:44 getpid () = 6077
13:20:44 open ("/var/yp/binding/isltest.rand.org".., 0, 0) = 2
13:20:44 flock (2, 06) = 0
13:20:44 close (2) = 0
13:20:44 socket (2, 1, 0) = 2
13:20:45 connect (2, "".., 16) = 0
13:20:45 close (2) = 0
13:20:45 gettimeofday (0xefff9f4, 0) = 0
13:20:45 getpid () = 6077
13:20:45 socket (2, 2, 17) = 2
13:20:45 getpid () = 6077
13:20:45 bind (2, "".., 16) = -1 EACCES (Permission denied)
13:20:45 ioctl (2, 0x8004667e, 0xefff9c0) = 0
13:20:45 sendto (2, "".., 56, 0, 0x42a84, 16) = 56
13:20:45 getdtablesize () = 64
13:20:45 select (64, 0xefff9dc, 0, 0, 0x42a98) = 1
13:20:45 recvfrom (2, "".., 400, 0, 0xefff9ac, 0xefff9fc) = 28
13:20:45 close (2) = 0
13:20:45 close (2) = -1 EBADF (Bad file number)
13:20:45 socket (2, 2, 0) = 2
13:20:45 bind (2, "".., 16) = 0
13:20:45 close (2) = 0
13:20:45 ioctl (1, 0x40125401, 0xefffaa0) = -1 ENOTTY (Inappropriate ioctl for device)
13:20:45 fstat (1, 0xefffacc) = 0
13:20:45 brk (0x4729c) = 0
13:20:45 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823
13:20:45 read (1, "", 8192) = 0
13:20:45 pipe (0x1) = 2
13:20:45 vfork () = 6081
13:20:45 close (3) = 0
13:20:45 ioctl (2, 0x40125401, 0xefff948) = -1 EOPNOTSUPP (Operation not supported on socket)
13:20:46 fstat (2, 0xefff974) = 0
13:20:46 read (2, "Routing tables\nDestination      ".., 4096) = 167
13:20:47 read (2, "", 4096) = 0
13:20:47 close (2) = 0
13:20:48 - SIGCHLD (20)
13:20:48 sigblock (0x7) = 0
13:20:48 wait4 (0, 0xefff9dc, 0, 0) = 6081
13:20:48 sigsetmask (0) = 0x7
13:20:48 lseek (1, 0, 0) = 0
13:20:48 lseek (1, 0, 0) = 0
13:20:48 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823
13:20:48 read (1, "", 8192) = 0
13:20:48 open ("/etc/hosts.equiv", 0, 0666) = 2
13:20:48 close (2) = 0
13:20:48 open ("/.rhosts", 0, 0666) = 2
13:20:48 ioctl (2, 0x40125401, 0xefff808) = -1 ENOTTY (Inappropriate ioctl for device)
13:20:48 fstat (2, 0xefff834) = 0
13:20:48 read (2, "owl\nrand-unix.arpa\n", 8192) = 19
13:20:48 lseek (1, 0, 0) = 0
13:20:48 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823
13:20:48 lseek (1, 0, 0) = 0
13:20:48 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823
13:20:48 lseek (1, 0, 0) = 0
13:20:48 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823
13:20:48 lseek (1, 0, 0) = 0
13:20:48 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823
13:20:48 lseek (1, 0, 0) = 0
13:20:48 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823
13:20:48 read (2, "", 8192) = 0
13:20:48 close (2) = 0
13:20:48 open ("/etc/passwd", 0, 0666) = 2
13:20:49 ioctl (2, 0x40125401, 0xefff3e8) = -1 ENOTTY (Inappropriate ioctl for device)
13:20:49 fstat (2, 0xefff414) = 0
13:20:49 read (2, "root:***sorry***:0:1:Operator:".., 8192) = 714
13:20:49 open ("//.forward", 0, 0666) = -1 ENOENT (No such file or directory)
13:20:49 open ("//.forward", 0, 0666) = -1 ENOENT (No such file or directory)
13:20:49 open ("//.forward", 0, 0666) = -1 ENOENT (No such file or directory)
13:20:49 open ("//.forward", 0, 0666) = -1 ENOENT (No such file or directory)
13:20:49 open ("/bin/.forward", 0, 0666) = -1 ENOENT (No such file or directory)
13:20:49 open ("/var/spool/uucppublic/.forward", 0, 0666) = -1 ENOENT (No such file or directory)
13:20:49 open ("/u/oper/.forward", 0, 0666) = -1 ENOENT (No such file or directory)
13:20:49 open ("/var/spool/news/.forward", 0, 0666) = -1 ENOENT (No such file or directory)
13:20:49 open ("/usr/ingres/.forward", 0, 0666) = -1 ENOENT (No such file or directory)
13:20:49 open ("//.forward", 0, 0666) = -1 ENOENT (No such file or directory)
13:20:50 open ("/usr/diag/sysdiag/.forward", 0, 0666) = -1 ENOENT (No such file or directory)
13:20:50 open ("/home/terry/.forward", 0, 0666) = 3
13:20:50 ioctl (3, 0x40125401, 0xefff808) = -1 ENOTTY (Inappropriate ioctl for device)
13:20:50 fstat (3, 0xefff834) = 0
13:20:50 brk (0x4b29c) = 0
13:20:50 read (3, "terry@zoo\n", 8192) = 10
13:20:50 lseek (1, 0, 0) = 0
13:20:50 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823
13:20:50 read (3, "", 8192) = 0
13:20:50 close (3) = 0
13:20:50 open ("/home/guyton/.forward", 0, 0666) = 3
13:20:50 ioctl (3, 0x40125401, 0xefff808) = -1 ENOTTY (Inappropriate ioctl for device)
13:20:50 fstat (3, 0xefff834) = 0
13:20:50 read (3, "guyton@condor\n", 8192) = 14
13:20:50 lseek (1, 0, 0) = 0
13:20:50 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823
13:20:50 read (3, "", 8192) = 0
13:20:50 close (3) = 0
13:20:50 open ("/home/salzman/.forward", 0, 0666) = -1 ENOENT (No such file or directory)
13:20:51 open ("/home/edhall/.forward", 0, 0666) = -1 ENOENT (No such file or directory)
13:20:51 open ("/home/jim/.forward", 0, 0666) = -1 ENOENT (No such file or directory)
13:20:51 getpid () = 6077
13:20:51 open ("/var/yp/binding/isltest.rand.org".., 0, 0) = 3
13:20:51 flock (3, 06) = 0
13:20:51 close (3) = 0
13:20:51 socket (2, 1, 0) = 3
13:20:51 connect (3, "".., 16) = 0
13:20:51 close (3) = 0
13:20:51 gettimeofday (0xefff374, 0) = 0
13:20:51 getpid () = 6077
13:20:51 socket (2, 2, 17) = 3
13:20:51 bind (3, "".., 16) = -1 EACCES (Permission denied)
13:20:51 ioctl (3, 0x8004667e, 0xefff340) = 0
13:20:51 sendto (3, "".., 56, 0, 0x27aa8, 16) = 56
13:20:51 select (64, 0xefff35c, 0, 0, 0x27abc) = 1
13:20:51 recvfrom (3, "".., 400, 0, 0xefff32c, 0xefff37c) = 28
13:20:51 close (3) = 0
13:20:51 close (3) = -1 EBADF (Bad file number)
13:20:51 socket (2, 2, 0) = 3
13:20:51 bind (3, "".., 16) = 0
13:20:51 close (3) = 0
13:20:51 read (2, "", 8192) = 0
13:20:51 close (2) = 0
13:20:51 setitimer (0, 0xefffc9c, 0xefffc8c) = 0
13:20:51 sigvec (14, 0xefffc50, 0xefffc74) = 0
13:20:51 sigblock (0x2000) = 0
13:20:51 setitimer (0, 0xefffc9c, 0) = 0
13:20:51 sigpause (0) = -1 EINTR (Interrupted system call)
13:21:21 - SIGALRM (14)
13:21:21 sigcleanup () = 0
13:21:21 sigvec (14, 0xefffc50, 0) = 0
13:21:21 sigsetmask (0) = 0x2000
13:21:22 setitimer (0, 0xefffc8c, 0) = 0
13:21:23 fork () = 6083
13:21:23 close (0) = 0
13:21:23 close (1) = 0
13:21:23 close (2) = -1 EBADF (Bad file number)
13:21:23 close (1) = -1 EBADF (Bad file number)
13:21:23 exit (0) = ?

# now for the forked process.... 

# I missed a good 6 seconds of stuff here...
# notice the "ENETUNREACH" errno's since I deleted all the routes
# (as our ``friendly'' virus attempts to propagate
13:21:29 sigpause (0) = -1 EINTR (Interrupted system call)
13:21:29 - SIGALRM (14)
13:21:29 sigcleanup () = 0
13:21:30 sigvec (14, 0xefffc1c, 0) = 0
13:21:30 sigsetmask (0) = 0
13:21:30 setitimer (0, 0xefffc58, 0) = 0
13:21:30 wait4 (0, 0, 0x1, 0) = 6086
13:21:30 sigvec (14, 0xefff820, 0xefff84c) = 0
13:21:30 socket (2, 1, 0) = 2
13:21:30 setitimer (0, 0xefff84c, 0xefff83c) = 0
13:21:30 connect (2, "".., 16) = -1 ENETUNREACH (Network is unreachable)
13:21:30 setitimer (0, 0xefff84c, 0xefff83c) = 0
13:21:30 close (2) = 0
13:21:30 socket (2, 1, 0) = 2
13:21:30 connect (2, "".., 16) = -1 ENETUNREACH (Network is unreachable)
13:21:30 close (2) = 0
13:21:30 socket (2, 1, 0) = 2
13:21:30 bind (2, "".., 16) = 0
13:21:30 listen (2, 10) = 0
13:21:30 sigvec (14, 0xefffa30, 0xefffa5c) = 0
13:21:30 socket (2, 1, 0) = 3
13:21:30 setitimer (0, 0xefffa5c, 0xefffa4c) = 0
13:21:30 connect (3, "".., 16) = -1 ENETUNREACH (Network is unreachable)
13:21:30 setitimer (0, 0xefffa5c, 0xefffa4c) = 0
13:21:30 close (3) = 0
13:21:30 setitimer (0, 0xefffc78, 0xefffc68) = 0
13:21:30 sigvec (14, 0xefffc2c, 0xefffc50) = 0
13:21:30 sigblock (0x2000) = 0
13:21:30 setitimer (0, 0xefffc78, 0) = 0
13:21:30 sigpause (0) = -1 EINTR (Interrupted system call)
13:21:31 - SIGALRM (14)
13:21:31 sigcleanup () = 0
13:21:31 sigvec (14, 0xefffc2c, 0) = 0
13:21:31 sigsetmask (0) = 0x2000
13:21:31 setitimer (0, 0xefffc68, 0) = 0
13:21:31 pipe (0) = 3
13:21:31 pipe (0) = 5
13:21:31 fork () = 6088
13:21:31 close (3) = 0
13:21:31 close (6) = 0
13:21:31 write (4, "\n/bin/echo 6480629\n", 19) = 19
13:21:31 select (6, 0xefff96c, 0, 0, 0xefff964) = 1
13:21:32 read (5, "", 1) = 0
13:21:32 close (5) = 0
13:21:32 close (4) = 0
13:21:32 kill (6088, 9) = 0
13:21:32 setitimer (0, 0xefffc68, 0xefffc58) = 0
13:21:32 - SIGCHLD (20)
13:21:32 sigvec (14, 0xefffc1c, 0xefffc40) = 0
13:21:32 sigblock (0x2000) = 0
13:21:32 setitimer (0, 0xefffc68, 0) = 0
13:21:32 sigpause (0) = -1 EINTR (Interrupted system call)
13:21:33 - SIGALRM (14)
13:21:33 sigcleanup () = 0
13:21:33 sigvec (14, 0xefffc1c, 0) = 0
13:21:33 sigsetmask (0) = 0x2000
13:21:33 setitimer (0, 0xefffc58, 0) = 0
13:21:33 wait4 (0, 0, 0x1, 0) = 6088
13:21:33 sigvec (14, 0xefff820, 0xefff84c) = 0
13:21:33 socket (2, 1, 0) = 3
13:21:33 setitimer (0, 0xefff84c, 0xefff83c) = 0
13:21:33 connect (3, "".., 16) = -1 ENETUNREACH (Network is unreachable)
13:21:33 setitimer (0, 0xefff84c, 0xefff83c) = 0
13:21:33 close (3) = 0
13:21:33 socket (2, 1, 0) = 3
13:21:33 connect (3, "".., 16) = -1 ENETUNREACH (Network is unreachable)
13:21:33 close (3) = 0
13:21:33 socket (2, 1, 0) = 3
13:21:33 bind (3, "".., 16) = 0
13:21:33 listen (3, 10) = 0
13:21:33 sigvec (14, 0xefffa30, 0xefffa5c) = 0
13:21:33 socket (2, 1, 0) = 4
13:21:33 setitimer (0, 0xefffa5c, 0xefffa4c) = 0
13:21:33 connect (4, "".., 16) = -1 ENETUNREACH (Network is unreachable)
13:21:33 setitimer (0, 0xefffa5c, 0xefffa4c) = 0
13:21:33 close (4) = 0
13:21:33 setitimer (0, 0xefffc78, 0xefffc68) = 0
13:21:33 sigvec (14, 0xefffc2c, 0xefffc50) = 0
13:21:33 sigblock (0x2000) = 0
13:21:33 setitimer (0, 0xefffc78, 0) = 0
13:21:33 sigpause (0) = -1 EINTR (Interrupted system call)
13:21:34 - SIGALRM (14)
13:21:34 sigcleanup () = 0
13:21:34 sigvec (14, 0xefffc2c, 0) = 0
13:21:34 sigsetmask (0) = 0x2000
13:21:34 setitimer (0, 0xefffc68, 0) = 0
13:21:34 pipe (0) = 4
13:21:34 pipe (0) = 6
13:21:34 fork () = 6089
13:21:34 close (4) = 0
13:21:34 close (7) = 0
13:21:34 write (5, "\n/bin/echo 6541524\n", 19) = 19
13:21:34 select (7, 0xefff96c, 0, 0, 0xefff964) = 1
13:21:35 read (6, "", 1) = 0
13:21:35 close (6) = 0
13:21:35 close (5) = 0
13:21:35 - SIGCHLD (20)
13:21:35 kill (6089, 9) = -1 ESRCH (No such process)
13:21:35 setitimer (0, 0xefffc68, 0xefffc58) = 0
13:21:35 sigvec (14, 0xefffc1c, 0xefffc40) = 0
13:21:35 sigblock (0x2000) = 0
13:21:35 setitimer (0, 0xefffc68, 0) = 0
13:21:35 sigpause (0) = -1 EINTR (Interrupted system call)
13:21:36 - SIGALRM (14)
13:21:36 sigcleanup () = 0
13:21:36 sigvec (14, 0xefffc1c, 0) = 0
13:21:36 sigsetmask (0) = 0x2000
13:21:36 setitimer (0, 0xefffc58, 0) = 0
13:21:36 wait4 (0, 0, 0x1, 0) = 6089
13:21:36 sigvec (14, 0xefff820, 0xefff84c) = 0
13:21:36 socket (2, 1, 0) = 4
13:21:36 setitimer (0, 0xefff84c, 0xefff83c) = 0
13:21:36 connect (4, "".., 16) = -1 ENETUNREACH (Network is unreachable)
13:21:40 setitimer (0, 0xefffa5c, 0xefffa4c) = 0
13:21:40 close (6) = 0
13:21:40 pipe (0x6) = 6
13:21:40 vfork () = 6092
13:21:40 close (7) = 0
13:21:40 ioctl (6, 0x40125401, 0xefff948) = -1 EOPNOTSUPP (Operation not supported on socket)
13:21:40 fstat (6, 0xefff974) = 0
13:21:41 read (6, "Routing tables\nDestination      ".., 4096) = 167
13:21:44 read (6, "", 4096) = 0
13:21:44 - SIGCHLD (20)
13:21:44 close (6) = 0
13:21:44 sigblock (0x7) = 0
13:21:44 wait4 (0, 0xefff9dc, 0, 0) = 6092
13:21:44 sigsetmask (0) = 0x7
13:21:44 lseek (1, 0, 0) = 0
13:21:44 lseek (1, 0, 0) = 0
13:21:44 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823
13:21:45 read (1, "", 8192) = 0
13:21:45 setitimer (0, 0xefffc9c, 0xefffc8c) = 0
13:21:45 sigvec (14, 0xefffc50, 0xefffc74) = 0
13:21:45 sigblock (0x2000) = 0
13:21:45 setitimer (0, 0xefffc9c, 0) = 0
13:21:45 sigpause (0) = -1 EINTR (Interrupted system call)
13:23:45 - SIGALRM (14)
13:23:45 sigcleanup () = 0
13:23:45 sigvec (14, 0xefffc50, 0) = 0
13:23:45 sigsetmask (0) = 0x2000
13:23:45 setitimer (0, 0xefffc8c, 0) = 0
13:23:45 gettimeofday (0xefffccc, 0) = 0
13:23:46 setitimer (0, 0xefffc9c, 0xefffc8c) = 0
13:23:46 sigvec (14, 0xefffc50, 0xefffc74) = 0
13:23:46 sigblock (0x2000) = 0
13:23:46 setitimer (0, 0xefffc9c, 0) = 0
13:23:46 sigpause (0) = -1 EINTR (Interrupted system call)
13:24:16 - SIGALRM (14)
13:24:16 sigcleanup () = 0
13:24:16 sigvec (14, 0xefffc50, 0) = 0
13:24:16 sigsetmask (0) = 0x2000
13:24:16 setitimer (0, 0xefffc8c, 0) = 0
13:24:17 fork () = 6094
13:24:17 close (0) = 0
13:24:17 close (1) = 0
13:24:17 close (2) = 0
13:24:17 close (1) = -1 EBADF (Bad file number)
13:24:17 exit (0) = ?

# and another - there are a couple more that look like this but
# it was getting boring since it had no where to go....

13:24:21 read (6, "Routing tables\nDestination      ".., 4096) = 167
13:24:22 read (6, "", 4096) = 0
13:24:22 close (6) = 0
13:24:22 - SIGCHLD (20)
13:24:22 sigblock (0x7) = 0
13:24:22 wait4 (0, 0xefff9dc, 0, 0) = 6097
13:24:22 sigsetmask (0) = 0x7
13:24:22 lseek (1, 0, 0) = 0
13:24:22 lseek (1, 0, 0) = 0
13:24:22 read (1, "127.0.0.1 localhost loghost\n192.".., 8192) = 3823
13:24:22 read (1, "", 8192) = 0
13:24:22 setitimer (0, 0xefffc9c, 0xefffc8c) = 0
13:24:22 sigvec (14, 0xefffc50, 0xefffc74) = 0
13:24:22 sigblock (0x2000) = 0
13:24:22 setitimer (0, 0xefffc9c, 0) = 0
13:24:22 sigpause (0) = -1 EINTR (Interrupted system call)
13:26:23 - SIGALRM (14)
13:26:23 sigcleanup () = 0
13:26:23 sigvec (14, 0xefffc50, 0) = 0
13:26:23 sigsetmask (0) = 0x2000
13:26:23 setitimer (0, 0xefffc8c, 0) = 0
13:26:23 gettimeofday (0xefffccc, 0) = 0
13:26:25 setitimer (0, 0xefffc9c, 0xefffc8c) = 0
13:26:25 sigvec (14, 0xefffc50, 0xefffc74) = 0
13:26:25 sigblock (0x2000) = 0
13:26:25 setitimer (0, 0xefffc9c, 0) = 0
13:26:25 sigpause (0) = -1 EINTR (Interrupted system call)
13:26:55 - SIGALRM (14)
13:26:55 sigcleanup () = 0
13:26:55 sigvec (14, 0xefffc50, 0) = 0
13:26:55 sigsetmask (0) = 0x2000
13:26:55 setitimer (0, 0xefffc8c, 0) = 0
13:26:55 fork () = 6103
13:26:55 close (0) = 0
13:26:55 close (1) = 0
13:26:55 close (2) = 0
13:26:55 close (1) = -1 EBADF (Bad file number)
13:26:56 exit (0) = ?

--
* Isaac J. Salzman                                            ----     
* The RAND Corporation - Information Sciences Dept.          /o o/  /  
* 1700 Main St., PO Box 2138, Santa Monica, CA 90406-2138    | v |  |  
* AT&T: +1 213-393-0411 x6421 or x7923 (ISL lab)            _|   |_/   
* ARPA: salzman@RAND.ORG or salzman@rand-unix.ARPA         / |   |
* UUCP: ...!{cbosgd,decvax,sdcrdcf}!randvax!salzman        | |   |