
Re: Hidden processes....or not....using unhide package





On 13/04/2008, Tzafrir Cohen <tzafrir@cohens.org.il> wrote:
On Sun, Apr 13, 2008 at 12:35:28AM +0100, Robin wrote:
> Discovered multiple short term, 5-10 secs, hidden processes appearing on my
> system - Linux localhost 2.6.24-1-amd64 #1 SMP Thu Mar 27 16:52:38 UTC 2008
> x86_64 GNU/Linux. Checked logs. Checked PC with top, htop, ps and then
> system rkhunter and chkrootkit. Also tried rkhunter and chkrootkit from a
> livecd. In all checks no problems found. Intermittently these processes
> stop.


If they are hidden, how do you see them?

What exactly is the command you run? What is the output?

--
Tzafrir Cohen         | tzafrir@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir@cohens.org.il |                    |  best
ICQ# 16849754         |                    | friend




Noticed that the CPU was running at 15% with no user applications running. Checked top, which reported nothing running at that level. Ran:

unhide proc :- Which gives intermittent hidden processes

unhide sys :-
    [*]Searching for Hidden processes through getsid() scanning
    Found HIDDEN PID: 16356

    [*]Searching for Hidden processes through sched_getscheduler() scanning
    Found HIDDEN PID: 17408

unhide brute :-
    [*]Starting scanning using brute force against PIDS
    Found HIDDEN PID: 2216
    Found HIDDEN PID: 2503

Thanks

--
rob


http://www.worldcommunitygrid.org/team/viewTeamInfo.do?teamId=82BS4ZCMFR1
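
The `unhide sys` output above names a getsid() scan. The following is an added example, not part of the original messages and not unhide's own code: it probes each PID with getsid(), compares the answer with /proc, and rechecks every candidate so that PIDs which exit or become visible during the scan are reported separately from PIDs that stay invisible. The function names, the recheck count and the delay are assumptions chosen for illustration.

```python
import os
import time

def answers_getsid(pid):
    """True if the kernel knows this PID: getsid() succeeds or is refused with EPERM."""
    try:
        os.getsid(pid)
        return True
    except PermissionError:
        return True           # the PID exists, but we may not query it
    except ProcessLookupError:
        return False          # ESRCH: no such process

def listed_in_proc(pid):
    """True if /proc/<pid> resolves by direct lookup (thread IDs resolve here too)."""
    return os.path.isdir(f"/proc/{pid}")

def scan(pids, probe=answers_getsid, visible=listed_in_proc, rechecks=3, delay=0.2):
    """Return (transient, persistent) PIDs that answered the probe but were not visible."""
    suspects = [p for p in pids if probe(p) and not visible(p)]
    transient, persistent = [], []
    for pid in suspects:
        for _ in range(rechecks):
            time.sleep(delay)
            if not probe(pid) or visible(pid):
                transient.append(pid)    # exited or showed up: a scan race
                break
        else:
            persistent.append(pid)       # still answers and is still invisible
    return transient, persistent

def pid_max():
    """Upper bound of the PID space; falls back to an assumed 32768 if unreadable."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return 32768

if __name__ == "__main__":
    transient, persistent = scan(range(1, pid_max()))
    print("transient (answered once, then exited or became visible):", transient)
    print("persistent (answer getsid() but never appear in /proc):", persistent)
```
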