On 13/04/2008, Alex Samad <alex@samad.com.au> wrote:
On Sun, Apr 13, 2008 at 05:31:53PM +0100, Robin wrote:
> On 13/04/2008, NN_il_Confusionario <pinkof.pallus@tiscalinet.it> wrote:
> >
> > On Sun, Apr 13, 2008 at 02:41:55PM +0100, Robin wrote:
> > > unhide proc :- Which gives intermittent hidden processes
> > > unhide sys :- [*]Searching for Hidden processes through getsid()
> > scanning
> > > Found HIDDEN PID: 16356
> > > [*]Searching for Hidden processes through
> > sched_getscheduler() scanning
> > > Found HIDDEN PID: 17408
> > > unhide brute :-[*]Starting scanning using brute force against PIDS
> > > Found HIDDEN PID: 2216
> > > Found HIDDEN PID: 2503
> >
> >
> > You could also try
> > netatst -anp|less
> > unhide-tcp
> >
> > If someone hacked the box, probably a net process was used to enter and
> > new net processes are spanned.
> >
> > Moreover:
> >
> > apt-cache search forensic
> >
> > Linkname: Securing Debian Manual
> > URL: http://www.debian.org/doc/user-manuals#securing
> >
> > might give further ideas
I downloaded this and installed it, just to try (unhide) and it found
lots of hidden processes through unhide sys.
different pids each time. so i ran this
>/tmp/thelist; for x in $(seq 1 2000); do echo 1 >/dev/null & echo $! >> /tmp/thelist ; done
out of curiosity, it did not miss a pid, which makes me think unhide
raises a lot of false positives ?
I'm coming to that conclusion. Netstat showed nothing suspicious.
Thanks to all