Thread: rkhunter
#11, 24th April 2009, 11:36
airton (Junior Member, joined Jan 2009)

Thanks, edge, for your suggestion.
In my log I've found:

Checking for hidden processes [ Warning ]
Warning: Hidden processes found: 30562

but it may be a false positive, as stated in
http://ubuntuforums.org/showthread.php?t=796192 ; in fact I cannot cd into /proc/pid, and if I execute rkhunter --check now, no hidden process is reported.

I've built the following script to test unhide (used by rkhunter to discover hidden processes):

Code:
#!/bin/sh
# Snapshot the process list first, then compare every PID unhide reports against it.
ps -ef > processes.txt
# unhide brute must run as root; it prints "Found HIDDEN PID: <pid>" for each hit.
unhide brute | grep 'Found HIDDEN PID' | while read -r line
do
	pid=$(echo "$line" | awk '{ print $4 }')
	echo
	echo "Hidden PID: [$pid]"

	echo "Testing dir /proc/$pid"
	if [ -d "/proc/$pid" ]; then
		# cmdline is NUL-separated; turn the separators into spaces for display
		tr '\0' ' ' < "/proc/$pid/cmdline"; echo
	else
		echo "... Not Found (good)"
	fi

	echo "Testing processes list"
	# \b after the PID keeps e.g. PID 2024 from matching the line for PID 20248
	pcregrep "\\w\\s+$pid\\b" processes.txt
done
and this is a sample result:

Code:
Hidden PID: [20248]
Testing dir /proc/20248
... Not Found (good)
Testing processes list
postfix  20248 23453  0 10:30 ?        00:00:00 showq -t unix -u -c
Sometimes the "hidden" process cannot be identified... but everything seems to confirm the false-positive theory.
I'd like to avoid it!
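The post above reasons that a PID reported by `unhide brute` but absent from /proc and present in an earlier `ps -ef` snapshot is a short-lived process caught between unhide's /proc read and its brute-force probe, not a hidden one. The script below is an added example (not airton's script and not code from unhide or rkhunter) that turns that reasoning into a triage step: it takes the output of two consecutive `unhide brute` runs plus `ps -ef` snapshots taken just before and just after the first run, matches PIDs on the PID column exactly, and labels each reported PID as transient (seen by ps around the scan), persistent (reported by both runs and never seen by ps) or unconfirmed (reported once and never seen by ps). All unhide output and ps snapshots here are constructed sample data, and the three labels and the two-run rule are this example's own assumptions, not anything unhide or rkhunter implements.

```shell
#!/bin/sh
# Added example (not airton's script or the unhide/rkhunter code): triage PIDs
# reported by `unhide brute` using two consecutive runs plus ps -ef snapshots
# taken around the scan. All inputs below are constructed sample data.

# Constructed output of two consecutive `unhide brute` runs.
UNHIDE_RUN1="Found HIDDEN PID: 20248
Found HIDDEN PID: 20251
Found HIDDEN PID: 2024
Found HIDDEN PID: 31337"
UNHIDE_RUN2="Found HIDDEN PID: 20251
Found HIDDEN PID: 31337"

# Constructed `ps -ef` snapshots, one just before and one just after run 1.
PS_BEFORE="UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:00 ?        00:00:01 /sbin/init
postfix  20248 23453  0 10:30 ?        00:00:00 showq -t unix -u -c"
PS_AFTER="UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:00 ?        00:00:01 /sbin/init
postfix  20251 23453  0 10:31 ?        00:00:00 cleanup -z -t unix -u -c"

# Extract the PID column from unhide output ("Found HIDDEN PID: <pid>").
unhide_pids() {
    printf '%s\n' "$1" | awk '/Found HIDDEN PID/ { print $4 }'
}

# PIDs reported by both runs (intersection). A short-lived process caught
# between the /proc read and the brute-force probe is gone by the next run;
# a genuinely hidden process stays hidden on every pass.
persistent_pids() {
    { unhide_pids "$1" | sort -u; unhide_pids "$2" | sort -u; } | sort | uniq -d
}

# Exact match on the PID column (field 2) of a ps -ef snapshot, header skipped.
ps_lookup() {  # $1 = pid, $2 = snapshot text
    printf '%s\n' "$2" | awk -v pid="$1" 'NR > 1 && $2 == pid'
}

# Substring match, kept only to illustrate the pitfall: PID 2024 "matches"
# the ps line for PID 20248, so a loose grep hides a real discrepancy.
naive_lookup() {  # $1 = pid, $2 = snapshot text
    printf '%s\n' "$2" | grep "$1"
}

# transient:   ps saw the PID just before or after the scan (short-lived process)
# persistent:  never seen by ps and reported by both runs: inspect by hand
# unconfirmed: reported once, never seen by ps: rerun before drawing conclusions
classify_pid() {  # $1 = pid
    if [ -n "$(ps_lookup "$1" "$PS_BEFORE")$(ps_lookup "$1" "$PS_AFTER")" ]; then
        echo transient
    elif persistent_pids "$UNHIDE_RUN1" "$UNHIDE_RUN2" | grep -qx "$1"; then
        echo persistent
    else
        echo unconfirmed
    fi
}

# Report every PID from the first run with its label.
for p in $(unhide_pids "$UNHIDE_RUN1"); do
    printf 'PID %-6s %s\n' "$p" "$(classify_pid "$p")"
done
```

On a live system the constructed variables would be replaced by `ps -ef` taken immediately before and after `unhide brute` (which needs root) and by the output of two back-to-back unhide runs; a PID that comes out as persistent is the one worth checking by hand in /proc and with further tools, while transient ones match the false-positive pattern the post describes.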