
Re: Hidden processes....or not....using unhide package





On 13/04/2008, NN_il_Confusionario <pinkof.pallus@tiscalinet.it> wrote:
On Sun, Apr 13, 2008 at 02:41:55PM +0100, Robin wrote:
> unhide proc :- Which gives intermittent hidden processes
> unhide sys  :-  [*]Searching for Hidden processes through getsid() scanning
>                                 Found HIDDEN PID: 16356
>                 [*]Searching for Hidden processes through sched_getscheduler() scanning
>                                 Found HIDDEN PID: 17408
> unhide brute :-[*]Starting scanning using brute force against PIDS
>                                 Found HIDDEN PID: 2216
>                                 Found HIDDEN PID: 2503


You could also try
netstat -anp | less
unhide-tcp

If someone hacked the box, probably a net process was used to enter and
new net processes are spawned.

Moreover:

  apt-cache search forensic

   Linkname: Securing Debian Manual
        URL: http://www.debian.org/doc/user-manuals#securing

might give further ideas

 

Thanks, I'll investigate.
--
rob


http://www.worldcommunitygrid.org/team/viewTeamInfo.do?teamId=82BS4ZCMFR1
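
Added example, not part of the thread and not code from the unhide project: one way to triage the "Found HIDDEN PID" lines quoted above by re-checking each PID after the run. It assumes Linux, where a thread ID can be opened under /proc but is not listed in the directory; the function names and the sample text are constructed for illustration.

```python
import os
import re

# Constructed sample in the shape of the unhide output quoted in the thread.
SAMPLE = """\
[*]Searching for Hidden processes through getsid() scanning
        Found HIDDEN PID: 16356
[*]Starting scanning using brute force against PIDS
        Found HIDDEN PID: 2216
        Found HIDDEN PID: 2503
"""

def reported_pids(text):
    """Unique PIDs from 'Found HIDDEN PID: N' lines, in first-seen order."""
    pids = [int(n) for n in re.findall(r"Found HIDDEN PID:\s*(\d+)", text)]
    return list(dict.fromkeys(pids))

def answers_signal0(pid):
    """True if the kernel still knows this ID (signal 0 delivers nothing)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user
    return True

def tgid_of(pid, proc="/proc"):
    """Thread-group ID from <proc>/<pid>/status, or None if unreadable."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def classify(pid, proc="/proc"):
    """Re-check one reported PID some time after the unhide run."""
    if str(pid) in os.listdir(proc):
        return "visible"            # listed now: likely a race or PID reuse
    tgid = tgid_of(pid, proc)
    if tgid is not None and tgid != pid:
        return f"thread of {tgid}"  # a thread ID, not a separate process
    if not answers_signal0(pid):
        return "gone"               # exited since the report
    return "hidden"                 # alive but absent from /proc: investigate

if __name__ == "__main__":
    for pid in reported_pids(SAMPLE):
        print(pid, classify(pid))
```

Only PIDs that stay "hidden" across repeated runs are worth following up with the netstat and unhide-tcp checks suggested in the thread.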