Linux Archive (http://www.linux-archive.org/)
Debian User: What is the hidden process? (http://www.linux-archive.org/debian-user/511492-what-hidden-process.html)

James Brown 04-08-2011 02:50 AM

What is the hidden process?
 
`unhide` reports that there is a hidden process on my system, but doesn't
say which one:
> ~$ sudo unhide sys
> Unhide 20100201
> http://www.security-projects.com/?Unhide
>
> [*]Searching for Hidden processes through kill(..,0) scanning
> [*]Searching for Hidden processes through comparison of results of system calls
> [*]Searching for Hidden processes through getpriority() scanning
> [*]Searching for Hidden processes through getpgid() scanning
> [*]Searching for Hidden processes through getsid() scanning
> [*]Searching for Hidden processes through sched_getaffinity() scanning
> [*]Searching for Hidden processes through sched_getparam() scanning
> [*]Searching for Hidden processes through sched_getscheduler() scanning
> [*]Searching for Hidden processes through sched_rr_get_interval() scanning
> [*]Searching for Hidden processes through sysinfo() scanning
>
> HIDDEN Processes Found: 1


How can I find out what that process is?


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4D9E7800.3070504@gmail.com

green 04-08-2011 03:20 AM

What is the hidden process?
 
James Brown wrote at 2011-04-07 21:50 -0500:
> `unhide` reports that there is a hidden process on my system, but doesn't
> say which one:

> HIDDEN Processes Found: 1

Hmm, interesting. Same result here with the sys method, but nothing is detected
using the proc and brute methods.

Ron Johnson 04-08-2011 03:20 AM

What is the hidden process?
 
On 04/07/2011 09:50 PM, James Brown wrote:
> `unhide` reports that there is a hidden process on my system, but doesn't
> say which one:
>
> ~$ sudo unhide sys
> Unhide 20100201
> http://www.security-projects.com/?Unhide
>
> [snip]
>
> [*]Searching for Hidden processes through sysinfo() scanning
>
> HIDDEN Processes Found: 1
>
> How can I find out what that process is?

The man page (http://www.unhide-forensics.info/unhide-linux26.html)
mentions options like "-f" and "-v".


--
"Neither the wisest constitution nor the wisest laws will secure
the liberty and happiness of a people whose manners are universally
corrupt."
Samuel Adams, essay in The Public Advertiser, 1749


Archive: http://lists.debian.org/4D9E7F17.5010101@cox.net

James Brown 04-08-2011 04:43 AM

What is the hidden process?
 
On 08.04.2011 03:20, green wrote:
> James Brown wrote at 2011-04-07 21:50 -0500:
>> `unhide` reports that there is a hidden process on my system, but doesn't
>> say which one:
>
>> HIDDEN Processes Found: 1
>
> Hmm, interesting. Same result here with the sys method, but nothing is detected
> using the proc and brute methods.

Yes, only with the sys method. Is your system 'squeeze' too? (I had no such
result under lenny.)


Archive: http://lists.debian.org/4D9E9280.8090208@gmail.com

James Brown 04-08-2011 04:50 AM

What is the hidden process?
 
On 08.04.2011 03:20, Ron Johnson wrote:
> On 04/07/2011 09:50 PM, James Brown wrote:
>> `unhide` reports that there is a hidden process on my system, but doesn't
>> say which one:
>>> ~$ sudo unhide sys
>>> Unhide 20100201
>>> http://www.security-projects.com/?Unhide
>>>
> [snip]
>>>
>>> [*]Searching for Hidden processes through sysinfo() scanning
>>>
>>> HIDDEN Processes Found: 1
>>
>> How can I find out what that process is?
>
> The man page (http://www.unhide-forensics.info/unhide-linux26.html)
> mentions options like "-f" and "-v".

Those options don't work with the unhide package from Debian Squeeze:
$sudo unhide -v sys
Unhide 20100201
http://www.security-projects.com/?Unhide


usage: unhide proc | sys | brute

$apt-cache policy unhide
unhide:
Installed: 20100201-1
Candidate: 20100201-1
Version table:
*** 20100201-1 0
990 http://ftp.debian.org/debian/ squeeze/main amd64 Packages
100 /var/lib/dpkg/status



Archive: http://lists.debian.org/4D9E93FB.1080605@gmail.com

Ron Johnson 04-08-2011 04:59 AM

What is the hidden process?
 
On 04/07/2011 11:50 PM, James Brown wrote:
> On 08.04.2011 03:20, Ron Johnson wrote:
>> On 04/07/2011 09:50 PM, James Brown wrote:
>>> `unhide` reports that there is a hidden process on my system, but doesn't
>>> say which one:
>>>
>>> ~$ sudo unhide sys
>>> Unhide 20100201
>>> http://www.security-projects.com/?Unhide
>>>
>>> [snip]
>>>
>>> [*]Searching for Hidden processes through sysinfo() scanning
>>>
>>> HIDDEN Processes Found: 1
>>>
>>> How can I find out what that process is?
>>
>> The man page (http://www.unhide-forensics.info/unhide-linux26.html)
>> mentions options like "-f" and "-v".
>
> Those options don't work with the unhide package from Debian Squeeze:
> $sudo unhide -v sys
> Unhide 20100201
> http://www.security-projects.com/?Unhide

Install the 2011-01-13 version from source?



Archive: http://lists.debian.org/4D9E964F.3040601@cox.net

green 04-08-2011 02:15 PM

What is the hidden process?
 
James Brown wrote at 2011-04-07 23:43 -0500:
> On 08.04.2011 03:20, green wrote:
> > James Brown wrote at 2011-04-07 21:50 -0500:
> >> `unhide` reports that there is a hidden process on my system, but doesn't
> >> say which one:
> >
> >> HIDDEN Processes Found: 1
> >
> > Hmm, interesting. Same result here with the sys method, but nothing is detected
> > using the proc and brute methods.
>
> Yes, only with the sys method. Is your system 'squeeze' too? (I had no such
> result under lenny.)

Yes, Debian squeeze x64.

Brad Alexander 04-08-2011 02:32 PM

What is the hidden process?
 
Is this happening on every scan? Is it possible that it is a process that either starts or ends during the scan, so that ps sees it but by the time the /proc check occurs it is gone, or vice versa? I had not heard of unhide until this thread, but OSSEC has a similar feature, and I have seen this on my mailserver. The conclusion I came to was that a routine (but short) process (such as postfix attempting to deliver mail) was firing and/or ending during the scan, causing the false positive.


I'll take a look at unhide.

--b

On Fri, Apr 8, 2011 at 10:15 AM, green <greenfreedom10@gmail.com> wrote:
> James Brown wrote at 2011-04-07 23:43 -0500:
>> On 08.04.2011 03:20, green wrote:
>>> James Brown wrote at 2011-04-07 21:50 -0500:
>>>> `unhide` reports that there is a hidden process on my system, but doesn't
>>>> say which one:
>>>
>>>> HIDDEN Processes Found: 1
>>>
>>> Hmm, interesting. Same result here with the sys method, but nothing is detected
>>> using the proc and brute methods.
>>
>> Yes, only with the sys method. Is your system 'squeeze' too? (I had no such
>> result under lenny.)
>
> Yes, Debian squeeze x64.
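Since the Squeeze package only prints a count, here is a small C program, added to this thread as an example and not taken from unhide's source, that does the same kind of sys-style cross-check but names the PID it trips on and, as Brad suggests, re-checks it so a process that just started or exited mid-scan is treated as transient rather than hidden. It assumes Linux with /proc mounted and is best run as root; the function names, the five re-check rounds and the 50 ms gap are my own choices, not anything unhide does.

```c
/* Added example, not unhide's source: a sys-style cross-check that names the PID
 * it trips on and re-checks it. Assumes Linux with /proc mounted; run as root for
 * full coverage (unprivileged, kill(pid,0) fails with EPERM on other users'
 * processes, which still proves the PID exists). */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

enum pid_state {
    PID_ABSENT,  /* no syscall knows the PID */
    PID_LISTED,  /* known to syscalls and listed by readdir("/proc"): what ps shows */
    PID_THREAD,  /* known to syscalls, /proc/<pid> reachable but not listed: a thread ID */
    PID_HIDDEN   /* known to syscalls, yet /proc/<pid> does not exist: unhide's "HIDDEN" */
};

/* How many of the probes behind unhide's sys method admit that pid exists.
 * ESRCH means "no such process"; success or EPERM means it is there. */
int seen_by_syscalls(pid_t pid)
{
    int hits = 0;
    if (kill(pid, 0) == 0 || errno == EPERM) hits++;
    if (getpgid(pid) != -1) hits++;
    if (getsid(pid) != -1) hits++;
    errno = 0; getpriority(PRIO_PROCESS, pid);   /* -1 is a valid nice value, go by errno */
    if (errno != ESRCH) hits++;
    return hits;
}

/* The view ps, top and unhide's proc method share: the directory entries of /proc. */
int listed_in_proc(pid_t pid)
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    int found = 0;
    if (!d) return 0;
    while (!found && (e = readdir(d)) != NULL) {
        char *end;
        found = strtol(e->d_name, &end, 10) == pid && *end == '\0';
    }
    closedir(d);
    return found;
}

enum pid_state classify_pid(pid_t pid)
{
    char path[32];
    struct stat st;
    if (seen_by_syscalls(pid) == 0) return PID_ABSENT;
    if (listed_in_proc(pid)) return PID_LISTED;
    /* readdir("/proc") omits thread IDs, but /proc/<tid> is served on request;
     * without this step every thread of a multithreaded daemon would look hidden. */
    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    return stat(path, &st) == 0 ? PID_THREAD : PID_HIDDEN;
}

/* A process that exits between the syscall probe and the /proc lookup looks hidden
 * for one pass; a genuinely hidden one stays hidden on every pass (5 x 50 ms is arbitrary). */
int confirm_hidden(pid_t pid, int rounds)
{
    for (int i = 0; i < rounds; i++) {
        if (classify_pid(pid) != PID_HIDDEN) return 0;
        usleep(50 * 1000);
    }
    return 1;
}

/* Fork a child that exits at once, reap it, classify the dead PID: a finished process
 * registers as absent, which is what the re-check relies on. */
enum pid_state classify_exited_child(void)
{
    pid_t c = fork();
    if (c == 0) _exit(0);
    if (c < 0) return PID_HIDDEN;    /* fork failed: make the failure visible */
    waitpid(c, NULL, 0);
    return classify_pid(c);
}

/* Walk the PID space; print each confirmed hidden PID with what the syscalls still disclose. */
int scan_hidden(void)
{
    long max = 32768, pid;
    int hidden = 0;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) { if (fscanf(f, "%ld", &max) != 1) max = 32768; fclose(f); }
    for (pid = 1; pid <= max; pid++) {
        if (classify_pid((pid_t)pid) != PID_HIDDEN) continue;
        if (!confirm_hidden((pid_t)pid, 5)) continue;     /* started or exited mid-scan */
        hidden++;
        printf("HIDDEN pid %ld: pgid=%ld sid=%ld nice=%d\n", pid, (long)getpgid((pid_t)pid),
               (long)getsid((pid_t)pid), getpriority(PRIO_PROCESS, (pid_t)pid));
    }
    return hidden;
}

int main(void)
{
    printf("HIDDEN processes confirmed: %d\n", scan_hidden());
    return 0;
}
```

Compile with `gcc -O2 -o pidcheck pidcheck.c` and run it with sudo. Three things differ from just counting: a PID that every syscall knows about but that is missing from the /proc listing is first tried by path, because thread IDs of multithreaded daemons are hidden from readdir("/proc") yet reachable as /proc/<tid> and would otherwise be reported as hidden; a suspect is re-classified several times before it is reported, which filters out the short-lived process case from this thread; and for a confirmed hit the program prints the process group, session and nice value the kernel still returns, which is often enough to match it against a known parent even when /proc says nothing about it.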

Wayne Topa 04-08-2011 02:47 PM

What is the hidden process?
 
On 04/07/2011 10:50 PM, James Brown wrote:
> `unhide` reports that there is a hidden process on my system, but doesn't
> say which one:
>
> ~$ sudo unhide sys
> Unhide 20100201
> http://www.security-projects.com/?Unhide
>
> [*]Searching for Hidden processes through kill(..,0) scanning
> [*]Searching for Hidden processes through comparison of results of system calls
> [*]Searching for Hidden processes through getpriority() scanning
> [*]Searching for Hidden processes through getpgid() scanning
> [*]Searching for Hidden processes through getsid() scanning
> [*]Searching for Hidden processes through sched_getaffinity() scanning
> [*]Searching for Hidden processes through sched_getparam() scanning
> [*]Searching for Hidden processes through sched_getscheduler() scanning
> [*]Searching for Hidden processes through sched_rr_get_interval() scanning
> [*]Searching for Hidden processes through sysinfo() scanning
>
> HIDDEN Processes Found: 1
>
> How can I find out what that process is?




Maybe
unhide-posix sys

Which works here with version 20100201-1

WT


Archive: http://lists.debian.org/4D9F1FF4.4070903@gmail.com

James Brown 04-08-2011 04:31 PM

What is the hidden process?
 
On 08.04.2011 14:32, Brad Alexander wrote:
> Is this happening on every scan?

Yes.

> Is it possible that it is a process that
> either starts or ends during the scan, so that ps sees it but by the time
> the /proc check occurs it is gone, or vice versa? I had not heard of unhide
> until this thread, but OSSEC has a similar feature, and I have seen this on
> my mailserver. The conclusion I came to was that a routine (but short) process
> (such as postfix attempting to deliver mail) was firing and/or ending during
> the scan, causing the false positive.
>
> I'll take a look at unhide.
>
> --b

Thanks, I'll try to determine what that process is.

> On Fri, Apr 8, 2011 at 10:15 AM, green <greenfreedom10@gmail.com> wrote:
>
>> James Brown wrote at 2011-04-07 23:43 -0500:
>>> On 08.04.2011 03:20, green wrote:
>>>> James Brown wrote at 2011-04-07 21:50 -0500:
>>>>> `unhide` reports that there is a hidden process on my system, but doesn't
>>>>> say which one:
>>>>
>>>>> HIDDEN Processes Found: 1
>>>>
>>>> Hmm, interesting. Same result here with the sys method, but nothing is
>>>> detected using the proc and brute methods.
>>>
>>> Yes, only with the sys method. Is your system 'squeeze' too? (I had no such
>>> result under lenny.)
>>
>> Yes, Debian squeeze x64.


Archive: http://lists.debian.org/4D9F3858.6050700@gmail.com

