
Re: Wheezy rkhunter hidden process found



Martin Steigerwald grabbed a keyboard and wrote:
> Hi David,
> 
> On Sunday, 4 August 2013, 09:25:18, David Guntner wrote:
>> And the saga continues! :-)
>>
>> In this morning's reports, I found the following notation from rkhunter:
>>> Warning: Hidden processes found:
>>>          HIDDEN Processes Found: 1   sysinfo.procs = 519   ps_count = 521
>>
>> Is this anything I need to be worried about?  And how do I go about
>> finding the "hidden" process?  Is this a false positive that I should be
>> sticking something into the rkhunter.conf file to get it to ignore?
> 
> You could try unhide or unhide.rb to find out more.

Running the same unhide command as the one that showed up in the detailed report
(below) resulted in the following:

> # unhide sys
> Unhide 20110113
> http://www.unhide-forensics.info
> [*]Searching for Hidden processes through getpriority() scanning
> 
> [*]Searching for Hidden processes through getpgid() scanning
> 
> [*]Searching for Hidden processes through getsid() scanning
> 
> [*]Searching for Hidden processes through sched_getaffinity() scanning
> 
> [*]Searching for Hidden processes through sched_getparam() scanning
> 
> [*]Searching for Hidden processes through sched_getscheduler() scanning
> 
> [*]Searching for Hidden processes through sched_rr_get_interval() scanning
> 
> [*]Searching for Hidden processes through kill(..,0) scanning
> 
> [*]Searching for Hidden processes through  comparison of results of system calls
> 
> [*]Searching for Hidden processes through sysinfo() scanning
> 
> HIDDEN Processes Found: 1       sysinfo.procs = 644   ps_count = 646

Which, to my eye, really doesn't tell me anything useful....

> And I'd look at the detailed report of rkhunter as well.
> 
> And I agree it may well be a false positive.

I'm fairly certain it's a false positive as well, given that the system
*just* got an upgrade, which would pretty much overwrite everything...

But I *am* curious as to what the process is, and how to tell rkhunter
to ignore that particular thing, if possible.

> I have rkhunter on my server and it doesn't report hidden processes, but how
> much does that say?

Here's what's in the actual report.  Still doesn't tell me much.... :-)

> [07:56:24] Info: Starting test name 'hidden_procs'
> [07:56:24] Info: Found the 'unhide' command: /usr/sbin/unhide
> [07:56:24] Info: Found 'unhide' command version: 20110113
> [07:58:40]     Using command 'unhide sys'                    [ Warning ]
> [07:58:40] Info: Unable to find the 'unhide.rb' command
> [07:58:40]   Checking for hidden processes                   [ Warning ]
> [07:58:40] Warning: Hidden processes found:
> [07:58:40]          HIDDEN Processes Found: 1   sysinfo.procs = 519   ps_count = 521

               --Dave


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
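Editor's note, added to this archived message and not part of the thread or of unhide's own source: the following program shows what the "sys" test quoted above is actually comparing, and what the kill(..,0) scan in the same output does. On Linux, sysinfo().procs is the kernel's global thread count (nr_threads), so the meaningful comparison is against the threads procfs lists (the view "ps -eL" gives), not against a process count; and a PID that the kernel admits to via kill(pid, 0) but that has no /proc/<pid> entry is the classic brute-force signature of a process hidden from procfs. Both checks are racy: a thread created or destroyed between the two samples produces exactly the off-by-one or off-by-two seen in the reports (519 vs 521, 644 vs 646), so a difference that is not stable across repeated runs is noise, and inside a container or PID namespace sysinfo's global count will permanently exceed the namespace's /proc view without any rootkit being involved. The 65536 PID ceiling in main() and all function names are my own choices for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/sysinfo.h>
#include <sys/types.h>
#include <unistd.h>

/* True if s is purely numeric, i.e. a PID or TID directory name in /proc. */
int is_pid_name(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    for (; *s; s++)
        if (*s < '0' || *s > '9')
            return 0;
    return 1;
}

static int count_numeric_entries(const char *dir)   /* -1 if dir cannot be opened */
{
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;
    int n = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL; )
        n += is_pid_name(e->d_name);
    closedir(d);
    return n;
}

/* Threads listed by procfs: the sum of /proc/<pid>/task entries ("ps -eL" view). */
int count_proc_threads(void)
{
    DIR *d = opendir("/proc");
    if (d == NULL)
        return -1;
    int total = 0;
    char path[64];
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        if (!is_pid_name(e->d_name))
            continue;
        snprintf(path, sizeof path, "/proc/%s/task", e->d_name);
        int t = count_numeric_entries(path);
        if (t > 0)              /* -1 here: the process exited between the two readdirs */
            total += t;
    }
    closedir(d);
    return total;
}

/* sysinfo().procs is the kernel's global thread count (nr_threads), not a process count. */
int sysinfo_thread_count(void)
{
    struct sysinfo si;
    return sysinfo(&si) == 0 ? (int)si.procs : -1;
}

/* Kernel-side probe: kill(pid, 0) delivers nothing; ESRCH means no such task,
 * EPERM means it exists but belongs to another user. */
int pid_exists_kill(pid_t pid) { return kill(pid, 0) == 0 || errno == EPERM; }

/* procfs-side probe. stat() resolves /proc/<tid> for threads too, although
 * readdir("/proc") does not list them, so threads do not show up as hidden. */
int proc_entry_exists(pid_t pid)
{
    char path[32];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    return stat(path, &st) == 0;
}

/* Brute-force scan in the spirit of unhide's kill(..,0) test: a PID the kernel
 * admits to but procfs does not show is a candidate hidden process. A task that
 * exits between the probes is a transient hit, hence the re-probe; only PIDs
 * that survive repeated runs deserve suspicion. Returns the number found and
 * stores the first out_cap of them in out. */
int find_hidden_pids(pid_t max_pid, pid_t *out, int out_cap)
{
    int found = 0;
    for (pid_t pid = 1; pid <= max_pid; pid++) {
        if (!pid_exists_kill(pid) || proc_entry_exists(pid) || !pid_exists_kill(pid))
            continue;
        if (found < out_cap)
            out[found] = pid;
        found++;
    }
    return found;
}

int main(void)
{
    int si = sysinfo_thread_count(), pt = count_proc_threads();
    printf("sysinfo.procs = %d   procfs threads = %d   difference = %d\n", si, pt, si - pt);
    pid_t hidden[64];           /* 65536 is an assumed ceiling; a real scan reads pid_max */
    int n = find_hidden_pids(65536, hidden, 64);
    printf("PIDs answering kill() but absent from /proc: %d\n", n);
    for (int i = 0; i < n && i < 64; i++)
        printf("  pid %d\n", (int)hidden[i]);
    return n > 0;
}
```

Run it as root several times in a row (otherwise EPERM from other users' processes and a hidepid procfs mount muddy the picture); a PID that keeps appearing in the last list, or a sysinfo difference that never settles, is what warrants a closer look, whereas a difference that wanders by one or two between runs is scheduling noise of the kind the reports above show.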

