Thanks edge for your suggestion.
In my log I've found:
Checking for hidden processes [ Warning ]
Warning: Hidden processes found: 30562
but maybe it could be a false positive, as stated in
http://ubuntuforums.org/showthread.php?t=796192; in fact I cannot cd into /proc/pid, and if I execute rkhunter --check now, no hidden process is reported.
I've built the following script to test unhide (used by rkhunter to discover hidden processes):
Code:
ps -ef > processes.txt
# each unhide line looks like "Found HIDDEN PID: 20248"; the 4th field is the PID
unhide brute | grep 'Found HIDDEN PID' | while read -r line
do
    #echo "$line"
    pid=`echo "$line" | awk '{ print $4 }'`
    echo
    echo "Hidden PID: [$pid]"
    echo "Testing dir /proc/$pid"
    if [ -d "/proc/$pid" ]; then
        # cmdline is NUL-separated; turn the NULs into spaces so it prints on one line
        tr '\0' ' ' < "/proc/$pid/cmdline"; echo
    else
        echo "... Not Found (good)"
    fi
    echo "Testing processes list"
    # match the PID as a whole field, not as a prefix of a longer PID
    pcregrep "\\w\\s+$pid\\s" processes.txt
done
and this is a sample result:
Code:
Hidden PID: [20248]
Testing dir /proc/20248
... Not Found (good)
Testing processes list
postfix 20248 23453 0 10:30 ? 00:00:00 showq -t unix -u -c
Sometimes the "hidden" process cannot be identified... but everything seems to confirm the false positive theory.
I'd like to avoid it!
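The script above compares unhide's output against a single ps snapshot taken before unhide runs, so a short-lived process (like the postfix showq worker in the sample) that is born and dies during the scan looks "hidden" even though nothing is hiding it. The following is an added example, not the poster's script nor part of unhide or rkhunter: it takes a ps snapshot before and after unhide, and classifies each reported PID as visible (ps saw it, so unhide raced a transient process), transient (already gone from /proc), or hidden (still alive yet absent from both ps listings). The function names and the optional PROC_ROOT argument, which lets the classification be exercised against a constructed /proc tree, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original poster's script, not part of unhide/rkhunter).
# classify_pid PID PS_BEFORE PS_AFTER [PROC_ROOT]
#   PS_BEFORE / PS_AFTER: files holding "ps -ef" output taken before and after
#   the unhide run. PROC_ROOT defaults to /proc; a test can point it elsewhere.
classify_pid() {
    pid=$1; before=$2; after=$3; proc=${4:-/proc}
    # whole-field comparison on the PID column (2nd column of "ps -ef");
    # a substring match would also hit PIDs such as 202481 when looking for 20248
    if awk -v p="$pid" '$2 == p { found = 1 } END { exit found ? 0 : 1 }' "$before" "$after"; then
        echo "visible"      # ps saw it: unhide raced a short-lived process
    elif [ ! -d "$proc/$pid" ]; then
        echo "transient"    # already gone, like the postfix showq case
    else
        echo "hidden"       # alive, but absent from both ps listings: worth a look
    fi
}

# Extract the PIDs from unhide's "Found HIDDEN PID: NNNN" lines on stdin
# (field 4, the same field the poster's script uses)
unhide_pids() {
    awk '/Found HIDDEN PID/ { print $4 }'
}

# Real run: snapshot, scan, snapshot again, then classify every reported PID.
# Needs unhide installed and root; the test below exercises only the helpers.
check_unhide() {
    b=$(mktemp); a=$(mktemp)
    ps -ef > "$b"
    out=$(unhide brute 2>/dev/null)
    ps -ef > "$a"
    printf '%s\n' "$out" | unhide_pids | while read -r pid; do
        echo "PID $pid: $(classify_pid "$pid" "$b" "$a")"
    done
    rm -f "$b" "$a"
}
```

Only PIDs classified as hidden merit a closer look; visible and transient ones are the race the thread describes.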