Martin Steigerwald grabbed a keyboard and wrote:
> Hi David,
>
> On Sunday, 4 August 2013, 09:25:18, David Guntner wrote:
>> And the saga continues! :-)
>>
>> In this morning's reports, I found the following notation from rkhunter:
>>> Warning: Hidden processes found:
>>> HIDDEN Processes Found: 1 sysinfo.procs = 519 ps_count = 521
>>
>> Is this anything I need to be worried about? And how do I go about
>> finding the "hidden" process? Is this a false positive that I should be
>> sticking something into the rkhunter.conf file to get it to ignore?
>
> You could try unhide or unhide.rb to find out more.

Running the same unhide command as what showed up in the detailed report (below) resulted in the following:

> # unhide sys
> Unhide 20110113
> http://www.unhide-forensics.info
>
> [*]Searching for Hidden processes through getpriority() scanning
>
> [*]Searching for Hidden processes through getpgid() scanning
>
> [*]Searching for Hidden processes through getsid() scanning
>
> [*]Searching for Hidden processes through sched_getaffinity() scanning
>
> [*]Searching for Hidden processes through sched_getparam() scanning
>
> [*]Searching for Hidden processes through sched_getscheduler() scanning
>
> [*]Searching for Hidden processes through sched_rr_get_interval() scanning
>
> [*]Searching for Hidden processes through kill(..,0) scanning
>
> [*]Searching for Hidden processes through comparison of results of system calls
>
> [*]Searching for Hidden processes through sysinfo() scanning
>
> HIDDEN Processes Found: 1 sysinfo.procs = 644 ps_count = 646

Which, to my eye, really doesn't tell me anything useful....

> And I'd look at the detailed report of rkhunter as well.
>
> And I agree it may well be a false positive.

I'm fairly certain it's a false positive as well, given that the system *just* got an upgrade, which would pretty much overwrite everything... But I *am* curious as to what the process is, and how to tell rkhunter to ignore that particular thing, if possible.

> I have rkhunter on my server and it doesn't report hidden processes, but
> how much does that say?

Here's what's in the actual report. Still doesn't tell me much.... :-)

> [07:56:24] Info: Starting test name 'hidden_procs'
> [07:56:24] Info: Found the 'unhide' command: /usr/sbin/unhide
> [07:56:24] Info: Found 'unhide' command version: 20110113
> [07:58:40] Using command 'unhide sys' [ Warning ]
> [07:58:40] Info: Unable to find the 'unhide.rb' command
> [07:58:40] Checking for hidden processes [ Warning ]
> [07:58:40] Warning: Hidden processes found:
> [07:58:40] HIDDEN Processes Found: 1 sysinfo.procs = 519 ps_count = 521

--Dave
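The warning in this thread comes from the last step of the unhide output, the sysinfo() scan, which compares the kernel's own count with what the process table shows. The program below is an added illustration written for this page, not unhide's or rkhunter's code, of that comparison and of why a single sample can disagree on a clean machine. It assumes Linux with /proc mounted; the function names are its own. Two points it makes concrete: on Linux the `procs` field of `struct sysinfo` is filled from the kernel's thread count, so the visible side has to count every entry under /proc/<pid>/task rather than PIDs alone; and the two numbers are taken at different instants, so any process or thread that starts or exits between them moves the result by one or two without anything being hidden. In the report above the visible side (ps_count) is the larger one; in this program that direction cannot be produced by a process hidden from /proc, only by the two samples being taken at different moments. Repeating the sample and requiring the same non-zero difference every time is what separates a timing artefact from something worth investigating.

```c
/* Added illustration for this thread, not unhide's or rkhunter's own code:
 * the sysinfo()-versus-process-table comparison behind a
 * "sysinfo.procs = N ps_count = M" warning, plus a repeated sample that
 * separates a transient mismatch from a persistent one.  Linux only. */
#define _DEFAULT_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <sys/sysinfo.h>
#include <unistd.h>

/* A directory name made only of digits is a PID under /proc, or a TID under
 * /proc/<pid>/task; everything else ("self", "meminfo", ...) is skipped. */
int is_numeric(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s))
            return 0;
    return 1;
}

/* Threads of one process: the numeric entries of /proc/<pid>/task. */
static long count_tasks(const char *pid)
{
    char path[64];
    struct dirent *e;
    long n = 0;
    DIR *d;

    snprintf(path, sizeof path, "/proc/%s/task", pid);
    d = opendir(path);
    if (d == NULL)
        return 0;               /* the process exited while we were walking */
    while ((e = readdir(d)) != NULL)
        if (is_numeric(e->d_name))
            n++;
    closedir(d);
    return n;
}

/* The "ps_count" side: every thread of every process visible in /proc.
 * Threads rather than PIDs, because sysinfo()'s procs field is filled from
 * the kernel's thread count; counting PIDs would come up short on any
 * system with a multithreaded process. */
long count_proc_threads(void)
{
    struct dirent *e;
    long total = 0;
    DIR *d = opendir("/proc");

    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL)
        if (is_numeric(e->d_name))
            total += count_tasks(e->d_name);
    closedir(d);
    return total;
}

/* The "sysinfo.procs" side: the kernel's own count, no /proc involved.
 * Caveat: this count is not PID-namespace aware, so inside a container it
 * reflects the whole host while /proc shows only the container. */
long sysinfo_threads(void)
{
    struct sysinfo si;

    if (sysinfo(&si) != 0)
        return -1;
    return (long)si.procs;
}

/* One sample: kernel count minus visible count.  A process hidden from
 * /proc makes this positive; anything starting or exiting between the two
 * calls can push it either way by a few, which is all a single run proves.
 * An error on either side is treated as "no evidence" (0). */
long hidden_delta_once(void)
{
    long kernel = sysinfo_threads();
    long visible = count_proc_threads();

    if (kernel < 0 || visible < 0)
        return 0;
    return kernel - visible;
}

/* Take `rounds` samples a little apart.  Returns the delta if every round
 * reported the same non-zero value (persistent, worth a closer look), and 0
 * if any round saw agreement or the rounds disagree among themselves, the
 * signature of a timing artefact rather than a hidden process. */
long persistent_hidden_delta(int rounds)
{
    long first = hidden_delta_once();
    int i;

    if (first == 0)
        return 0;
    for (i = 1; i < rounds; i++) {
        usleep(50000);          /* let short-lived processes come and go */
        if (hidden_delta_once() != first)
            return 0;
    }
    return first;
}

int main(void)
{
    printf("sysinfo.procs = %ld  proc_count = %ld  (single sample)\n",
           sysinfo_threads(), count_proc_threads());
    printf("persistent delta over 5 rounds: %ld\n",
           persistent_hidden_delta(5));
    return 0;
}
```

Run it a few times on an idle box and the single-sample line will occasionally differ by a handful while the persistent delta stays at 0; a process table that really is missing entries keeps the same positive delta on every round, which is the result that justifies pulling out further unhide scans rather than whitelisting the test.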