On Sun, Apr 13, 2008 at 05:31:53PM +0100, Robin wrote: > On 13/04/2008, NN_il_Confusionario <[EMAIL PROTECTED]> wrote: > > > > On Sun, Apr 13, 2008 at 02:41:55PM +0100, Robin wrote: > > > unhide proc :- Which gives intermittent hidden processes > > > unhide sys :- [*]Searching for Hidden processes through getsid() > > scanning > > > Found HIDDEN PID: 16356 > > > [*]Searching for Hidden processes through > > sched_getscheduler() scanning > > > Found HIDDEN PID: 17408 > > > unhide brute :-[*]Starting scanning using brute force against PIDS > > > Found HIDDEN PID: 2216 > > > Found HIDDEN PID: 2503 > > > > > > You could also try > > netatst -anp|less > > unhide-tcp > > > > If someone hacked the box, probably a net process was used to enter and > > new net processes are spanned. > > > > Moreover: > > > > apt-cache search forensic > > > > Linkname: Securing Debian Manual > > URL: http://www.debian.org/doc/user-manuals#securing > > > > might give further ideas
I downloaded this and installed it, just to try (unhide) and it found lots of hidden processes through unhide sys. different pids each time. so i ran this >/tmp/thelist; for x in $(seq 1 2000); do echo 1 >/dev/null & echo $! >> >/tmp/thelist ; done out of curiosity, it did not miss a pid, which makes me think unhide raises a lot of false positives ? > > > > > Thanks I'll investigate. > -- > rob > > > http://www.worldcommunitygrid.org/team/viewTeamInfo.do?teamId=82BS4ZCMFR1 -- 18th Rule of Friendship: A friend will let you hold the ladder while he goes up on the roof to install your new aerial, which is the biggest son-of-a-bitch you ever saw. -- Esquire, May 1977
signature.asc
Description: Digital signature
