On Sun, Apr 13, 2008 at 05:31:53PM +0100, Robin wrote:
> On 13/04/2008, NN_il_Confusionario <pinkof.pallus@tiscalinet.it> wrote:
> >
> > On Sun, Apr 13, 2008 at 02:41:55PM +0100, Robin wrote:
> > > unhide proc :- Which gives intermittent hidden processes
> > > unhide sys :- [*]Searching for Hidden processes through getsid() scanning
> > > Found HIDDEN PID: 16356
> > > [*]Searching for Hidden processes through sched_getscheduler() scanning
> > > Found HIDDEN PID: 17408
> > > unhide brute :-[*]Starting scanning using brute force against PIDS
> > > Found HIDDEN PID: 2216
> > > Found HIDDEN PID: 2503
> >
> >
> > You could also try
> > netstat -anp|less
> > unhide-tcp
> >
> > If someone hacked the box, probably a net process was used to enter and
> > new net processes are spawned.
> >
> > Moreover:
> >
> > apt-cache search forensic
> >
> > Linkname: Securing Debian Manual
> > URL: http://www.debian.org/doc/user-manuals#securing
> >
> > might give further ideas
I downloaded this and installed it, just to try (unhide), and it found
lots of hidden processes through unhide sys.
Different pids each time, so I ran this
>/tmp/thelist; for x in $(seq 1 2000); do echo 1 >/dev/null & echo $! >> /tmp/thelist ; done
out of curiosity. It did not miss a pid, which makes me think unhide
raises a lot of false positives?
>
> Thanks I'll investigate.
> --
> rob
>
>
> http://www.worldcommunitygrid.org/team/viewTeamInfo.do?teamId=82BS4ZCMFR1
--
18th Rule of Friendship:
A friend will let you hold the ladder while he goes up on the roof
to install your new aerial, which is the biggest son-of-a-bitch you
ever saw.
-- Esquire, May 1977
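The false-positive mechanism the poster's 2000-process loop exposes can be shown directly. This is an added example, not code from the thread or from unhide itself (Linux and Python 3 assumed): it mimics unhide's "sys" scan (a /proc listing compared against getsid()/sched_getscheduler() probes), then adds the re-check a defender wants, so that a PID that was merely born or exited between the /proc read and the probe is not reported as HIDDEN.

```python
import os
import subprocess
import sys

PROBES = [os.getsid]                      # unhide sys: getsid() pass
if hasattr(os, "sched_getscheduler"):     # ... then the sched_getscheduler() pass
    PROBES.append(os.sched_getscheduler)

def proc_pids():
    """PIDs visible in the /proc listing, i.e. what ps sees."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def pid_alive(pid):
    """True if any syscall probe says the PID exists (EPERM also means 'exists')."""
    for probe in PROBES:
        try:
            probe(pid)
            return True
        except ProcessLookupError:
            continue
        except PermissionError:
            return True
    return False

def naive_hidden(snapshot, pid):
    """unhide-style verdict: answers a syscall but was absent from the earlier /proc listing."""
    return pid_alive(pid) and pid not in snapshot

def verified_hidden(pid):
    """Same test against a fresh /proc listing plus a second liveness check."""
    if not pid_alive(pid):
        return False          # already gone: the "hidden" PID was transient
    if pid in proc_pids():
        return False          # listed now: it was just born after the snapshot
    return pid_alive(pid)     # still alive and still unlisted -> worth reporting

def demo_transient_false_positive():
    """A process started after the /proc snapshot fools the naive check, not the verified one."""
    snapshot = proc_pids()    # like unhide's initial /proc read
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(10)"])
    try:
        return naive_hidden(snapshot, child.pid), verified_hidden(child.pid)
    finally:
        child.terminate()
        child.wait()

if __name__ == "__main__":
    naive, verified = demo_transient_false_positive()
    print(f"naive check: hidden={naive}  verified check: hidden={verified}")
```

A PID that survives the verified check (alive to syscalls, absent from two /proc listings taken around the probe) is the only kind worth escalating; everything else is the scheduler racing the scanner.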