Old 24th April 2009, 11:36
airton
Junior Member
Join Date: Jan 2009
Posts: 7
Thanks: 0
Thanked 10 Times in 4 Posts

Thanks, edge, for your suggestion.
In my log I've found:

Checking for hidden processes [ Warning ]
Warning: Hidden processes found: 30562

but maybe it could be a false positive, as stated in; in fact I cannot cd into /proc/pid, and if I execute rkhunter --check now, no hidden process is reported.

I've built the following script to test unhide (used by rkhunter to discover hidden processes):

#!/bin/sh
# snapshot of the process table taken before unhide runs
ps -ef > processes.txt
# every PID that "unhide brute" could reach but did not see in ps
unhide brute | grep 'Found HIDDEN PID' | while read line
do
	#echo $line
	pid=`echo $line | awk '{ print $4 }'`
	echo "Hidden PID: [$pid]"
	echo "Testing dir /proc/$pid"
	if [ -d "/proc/$pid" ]; then
		# still alive: print its command line (cmdline is NUL-separated)
		tr '\0' ' ' < "/proc/$pid/cmdline"; echo
	else
		echo "... Not Found (good)"
	fi
	echo "Testing processes list"
	# was the PID in the snapshot taken before the scan?
	pcregrep "\\w\\s+$pid" processes.txt
done
and this is a sample result:

Hidden PID: [20248]
Testing dir /proc/20248
... Not Found (good)
Testing processes list
postfix  20248 23453  0 10:30 ?        00:00:00 showq -t unix -u -c
Sometimes the "hidden" process cannot be identified... but all seems to confirm the theory of a false positive.
I'd like to avoid it!
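An added example (not the poster's script) that turns the checks above into a classifier: a PID reported by "unhide brute" is labelled "visible" (reachable and enumerable in /proc, so it simply started after the ps snapshot), "hidden" (reachable but missing from the /proc listing, which is what a PID-hiding rootkit produces), "transient" (gone now but present in the pre-scan snapshot, the postfix showq case) or "gone" (never recorded). It assumes Linux /proc and the "Found HIDDEN PID: N" output format the script above relies on.

```shell
#!/bin/sh
# classify_pid PID SNAPSHOT_FILE -> prints one of: visible, hidden, transient, gone
classify_pid() {
    pid=$1
    snapshot=$2
    if [ -d "/proc/$pid" ]; then
        # The process exists now. PID-hiding rootkits usually filter the
        # directory listing of /proc, so compare against an enumeration.
        if ls /proc | grep -qx "$pid"; then
            echo visible      # enumerable: started after the snapshot, not hidden
        else
            echo hidden       # reachable but not enumerable: investigate
        fi
    else
        # Process is gone. If the pre-scan "ps -ef" snapshot recorded it, it was
        # an ordinary short-lived process that exited mid-scan (e.g. postfix showq).
        if awk -v p="$pid" '$2 == p { found = 1 } END { exit !found }' "$snapshot"; then
            echo transient
        else
            echo gone
        fi
    fi
}

# snapshot_cmd PID SNAPSHOT_FILE -> the CMD column recorded for PID (empty if absent)
snapshot_cmd() {
    awk -v p="$1" '$2 == p { for (i = 8; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : ""); print "" }' "$2"
}

# Full run on a real host (not executed here): snapshot, scan, classify each report.
scan_with_unhide() {
    ps -ef > processes.txt
    unhide brute | grep 'Found HIDDEN PID' | while read line; do
        pid=$(echo "$line" | awk '{ print $4 }')
        printf '%s\t%s\t%s\n' "$pid" "$(classify_pid "$pid" processes.txt)" \
            "$(snapshot_cmd "$pid" processes.txt)"
    done
}
```

Only the "hidden" verdict warrants a rootkit investigation; "transient" and "visible" are the race between the ps snapshot and the brute-force probe that the poster observed.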
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.