
strange unhide-linux26 output



Hello list!

I'm suspicious about one of my Debian Lenny machines. An rkhunter scan
output several file SHA1 hash mismatches (and only that), and there
was also some strange behaviour (lost Python modules), so my paranoia
fired up a few hours ago.

Now I have resolved the rkhunter output (there were updates), and also
resolved the Python problem (long day, my personal user error), but one
question is still bugging me: when I use `unhide proc` or `unhide sys` it
outputs some PIDs, different every time, even in single mode! unhide-tcp
shows no unusual network ports, and a full nmap scan from another clean
machine as well as tcpdumping all packets from the switch confirm that
everything is OK. A chkrootkit check also found nothing unusual. But
what's up with unhide?

`unhide brute` shows _no_ PIDs though.

Debian version is Lenny
Unhide version is 20071102-2
System is dual-core (maybe there's a clue?)
Kernel version is 2.6.24.2 (vm disabled ;-)
Everything is up to date.

May these PIDs be just pieces of unhide itself? Is it normal? On my other
PIDs are ranging from 30000+, i.e. they look like normal numbers for newly
started processes now.

I'll provide any additional info if needed.
Also, is there some way to check MD5/SHA1 hashes for all files in
installed packages? I can craft a script, but haven't found a list of
individual file sums on the official Debian servers (only sums of
packages).

regards,
if
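An added example, not part of the original post or of unhide itself, illustrating the first question. unhide's proc and sys tests compare several views of the process table (the /proc directory, ps output, per-PID system calls) that are collected one after another, so any process that starts or exits between two passes, including the scanner's own helper processes, shows up as a difference. The script below takes two /proc snapshots around a deliberately short-lived process, lists the PIDs that appear in only one of them, and then rechecks them: a PID that is gone on recheck was transient noise, while one that persists yet stays absent from ps output is the kind worth investigating. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): why two process enumerations
# taken at different moments disagree, and how to keep only the PIDs that
# survive a recheck. Runs against the live /proc of the current host.

# Numeric entries of /proc (one PID per line).
proc_pids() {
    ls -1 /proc | grep -E '^[0-9]+$'
}

# PIDs that are in the second newline-separated list but not in the first.
pids_only_in_second() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    # -x -F: whole-line fixed-string match; -v: keep the non-matching lines.
    printf '%s\n' "$2" | grep -vxF -f "$tmp" || true
    rm -f "$tmp"
}

# Wait $2 seconds (default 1), then print only the PIDs from $1 that still
# have a /proc entry. Transient processes drop out here.
recheck_pids() {
    sleep "${2:-1}"
    for pid in $1; do
        [ -d "/proc/$pid" ] && echo "$pid"
    done
    return 0
}

demo() {
    before=$(proc_pids)
    sleep 1 &                 # stands in for a helper like ps(1) run by a scanner
    transient=$!
    after=$(proc_pids)
    # This list also contains the ls/grep helpers spawned by proc_pids itself,
    # which is exactly how a scanner's own children end up in its output.
    new=$(pids_only_in_second "$before" "$after")
    echo "PIDs present only in the second snapshot: $(echo "$new" | tr '\n' ' ')"
    wait "$transient"
    survivors=$(recheck_pids "$new" 0)
    echo "still alive after recheck: ${survivors:-none}"
}

demo
```

For a real investigation, run the recheck against a PID that unhide reported and compare it with `ls -d /proc/<pid>` and `ps -p <pid>` a few seconds later; a PID that is reported once and never exists again is a race between the two enumerations, not a hidden process.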

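An added example, not part of the original post, for the second question about per-file checksums. Debian does not publish per-file sums on the mirrors; the signed Release/Packages files carry checksums of whole .deb files only. The per-file lists are inside each package and dpkg unpacks them to `/var/lib/dpkg/info/<package>.md5sums` (MD5 only, no SHA1, and conffiles are normally not listed). The script below checks installed files against those lists with `md5sum -c`; the fixture it builds (two fake packages, one tampered file, one missing file) is constructed so that it runs offline, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify installed files against
# dpkg's per-package md5sums lists. On a real Debian system call
#   verify_dpkg_md5sums / /var/lib/dpkg/info
# or, from a clean rescue system with the suspect disk mounted read-only,
#   verify_dpkg_md5sums /mnt /mnt/var/lib/dpkg/info

# Print "<package> <path>: FAILED..." for every listed file whose MD5 differs
# or that is missing. $1 = filesystem root, $2 = directory of *.md5sums lists.
verify_dpkg_md5sums() {
    root=$1
    info=$2
    for list in "$info"/*.md5sums; do
        [ -e "$list" ] || continue
        pkg=$(basename "$list" .md5sums)
        # Paths in .md5sums are relative to /, so check from inside the root.
        # --quiet (GNU coreutils) prints only failing files; stderr carries
        # the per-file "No such file" and the final summary warning.
        (cd "$root" && md5sum -c --quiet "$list" 2>/dev/null) |
            sed "s|^|$pkg |"
    done
}

# Constructed fixture: two fake packages, then one file changed and one removed.
demo_report() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/usr/bin" "$tmp/root/usr/lib/python2.5" "$tmp/info"
    printf 'echo hello\n' > "$tmp/root/usr/bin/hello"
    printf 'print "ok"\n' > "$tmp/root/usr/lib/python2.5/ok.py"
    printf 'print "gone"\n' > "$tmp/root/usr/lib/python2.5/gone.py"
    # Lists in the same format dpkg stores: "<md5>  <path relative to />".
    (cd "$tmp/root" && md5sum usr/bin/hello) > "$tmp/info/hello.md5sums"
    (cd "$tmp/root" && md5sum usr/lib/python2.5/ok.py usr/lib/python2.5/gone.py) \
        > "$tmp/info/python-demo.md5sums"
    # Tamper with one file and delete another, as a modified system would show.
    printf 'echo hello world\n' > "$tmp/root/usr/bin/hello"
    rm "$tmp/root/usr/lib/python2.5/gone.py"
    verify_dpkg_md5sums "$tmp/root" "$tmp/info"
    rm -rf "$tmp"
}

# Number of files the demo reports as failed (expected: 2).
demo_failure_count() {
    demo_report | grep -c 'FAILED'
}

demo_report
```

Two caveats a practitioner would want. First, the `debsums` package already does this (`debsums -c` lists changed files, `-a` includes conffiles), so the script is mostly useful when you want to run the check from outside the suspect system. Second, the .md5sums lists live on the same disk as the files they describe, so on a host you suspect of being rooted they prove little on their own; the stronger check is to fetch the installed versions of the .deb files from a mirror onto a clean machine, extract their control data with `dpkg-deb -e <pkg>.deb <dir>` (which includes the md5sums file), and verify the mounted disk against those.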