What is the hidden process?
`unhide` says that there is a hidden process in my system, but doesn't indicate it concretely:

> ~$ sudo unhide sys
> Unhide 20100201
> http://www.security-projects.com/?Unhide
>
> [*]Searching for Hidden processes through kill(..,0) scanning
> [*]Searching for Hidden processes through comparison of results of system calls
> [*]Searching for Hidden processes through getpriority() scanning
> [*]Searching for Hidden processes through getpgid() scanning
> [*]Searching for Hidden processes through getsid() scanning
> [*]Searching for Hidden processes through sched_getaffinity() scanning
> [*]Searching for Hidden processes through sched_getparam() scanning
> [*]Searching for Hidden processes through sched_getscheduler() scanning
> [*]Searching for Hidden processes through sched_rr_get_interval() scanning
> [*]Searching for Hidden processes through sysinfo() scanning
>
> HIDDEN Processes Found: 1

How can I find out what that process is?

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4D9E7800.3070504@gmail.com
What is the hidden process?
James Brown wrote at 2011-04-07 21:50 -0500:
> `unhide` says that there is a hidden process in my system, but doesn't
> indicate it concretely:
> HIDDEN Processes Found: 1

Hmm, interesting. Same result here with the sys method, but nothing is detected using the proc and brute methods.
What is the hidden process?
On 04/07/2011 09:50 PM, James Brown wrote:
> `unhide` says that there is a hidden process in my system, but doesn't indicate it concretely:
>
> ~$ sudo unhide sys
> Unhide 20100201
> http://www.security-projects.com/?Unhide
[snip]
> [*]Searching for Hidden processes through sysinfo() scanning
>
> HIDDEN Processes Found: 1
>
> How can I find out what that process is?

The man page (http://www.unhide-forensics.info/unhide-linux26.html) mentions options like "-f" and "-v".

--
"Neither the wisest constitution nor the wisest laws will secure the liberty and happiness of a people whose manners are universally corrupt."
Samuel Adams, essay in The Public Advertiser, 1749

Archive: http://lists.debian.org/4D9E7F17.5010101@cox.net
What is the hidden process?
On 08.04.2011 03:20, green wrote:
> James Brown wrote at 2011-04-07 21:50 -0500:
>> `unhide` says that there is a hidden process in my system, but doesn't
>> indicate it concretely:
>
>> HIDDEN Processes Found: 1
>
> Hmm, interesting. Same result here with the sys method, but nothing is detected
> using the proc and brute methods.

Yes, only with the sys method. Your system is 'squeeze' too? (I had no such result under lenny).

Archive: http://lists.debian.org/4D9E9280.8090208@gmail.com
What is the hidden process?
On 08.04.2011 03:20, Ron Johnson wrote:
> On 04/07/2011 09:50 PM, James Brown wrote:
>> `unhide` says that there is a hidden process in my system, but doesn't
>> indicate it concretely:
>>> ~$ sudo unhide sys
>>> Unhide 20100201
>>> http://www.security-projects.com/?Unhide
>>>
> [snip]
>>>
>>> [*]Searching for Hidden processes through sysinfo() scanning
>>>
>>> HIDDEN Processes Found: 1
>>
>> How can I find out what that process is?
>
> The man page (http://www.unhide-forensics.info/unhide-linux26.html)
> mentions options like "-f" and "-v".

Those options are unworkable under the unhide package from Debian Squeeze:

$ sudo unhide -v sys
Unhide 20100201
http://www.security-projects.com/?Unhide
usage: unhide proc | sys | brute

$ apt-cache policy unhide
unhide:
  Installed: 20100201-1
  Candidate: 20100201-1
  Version table:
 *** 20100201-1 0
        990 http://ftp.debian.org/debian/ squeeze/main amd64 Packages
        100 /var/lib/dpkg/status

Archive: http://lists.debian.org/4D9E93FB.1080605@gmail.com
What is the hidden process?
On 04/07/2011 11:50 PM, James Brown wrote:
> On 08.04.2011 03:20, Ron Johnson wrote:
>> On 04/07/2011 09:50 PM, James Brown wrote:
>>> `unhide` says that there is a hidden process in my system, but doesn't indicate it concretely:
>>>
>>> ~$ sudo unhide sys
>>> Unhide 20100201
>>> http://www.security-projects.com/?Unhide
>> [snip]
>>> [*]Searching for Hidden processes through sysinfo() scanning
>>>
>>> HIDDEN Processes Found: 1
>>>
>>> How can I find out what that process is?
>>
>> The man page (http://www.unhide-forensics.info/unhide-linux26.html) mentions options like "-f" and "-v".
>
> Those options are unworkable under the unhide package from Debian Squeeze:
>
> $ sudo unhide -v sys
> Unhide 20100201
> http://www.security-projects.com/?Unhide

Install the 2011-01-13 version from source?

Archive: http://lists.debian.org/4D9E964F.3040601@cox.net
What is the hidden process?
James Brown wrote at 2011-04-07 23:43 -0500:
> On 08.04.2011 03:20, green wrote:
>> James Brown wrote at 2011-04-07 21:50 -0500:
>>> `unhide` says that there is a hidden process in my system, but doesn't
>>> indicate it concretely:
>>
>>> HIDDEN Processes Found: 1
>>
>> Hmm, interesting. Same result here with the sys method, but nothing is detected
>> using the proc and brute methods.
>
> Yes, only with the sys method. Your system is 'squeeze' too? (I had no such
> result under lenny).

Yes, Debian squeeze x64.
What is the hidden process?
Is this happening on every scan? Is it possible that it is a process that either starts or ends during the scan, so that ps sees it but by the time the /proc check occurs, it is gone, or vice versa? I had not heard of unhide until this thread, but OSSEC has a similar feature, and I have seen this on my mailserver. The conclusion I came to is that a routine (but short) process (such as postfix attempting to deliver mail) was firing and/or ending during the scan to cause the false positive?
I'll take a look at unhide.

--b

On Fri, Apr 8, 2011 at 10:15 AM, green <greenfreedom10@gmail.com> wrote:
> James Brown wrote at 2011-04-07 23:43 -0500:
>> On 08.04.2011 03:20, green wrote:
>>> James Brown wrote at 2011-04-07 21:50 -0500:
>>>> `unhide` says that there is a hidden process in my system, but doesn't
>>>> indicate it concretely:
>>>
>>>> HIDDEN Processes Found: 1
>>>
>>> Hmm, interesting. Same result here with the sys method, but nothing is detected
>>> using the proc and brute methods.
>>
>> Yes, only with the sys method. Your system is 'squeeze' too? (I had no such
>> result under lenny).
>
> Yes, Debian squeeze x64.
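An added example, written for this point in the thread and not code from the list or from unhide itself: a small Python sketch of the idea behind `unhide sys` that tests Brad's race theory by bracketing each syscall sweep with two /proc listings and keeping only PIDs flagged in every one of several passes, so that whatever survives can be inspected by number. It assumes a Linux host run as root; the three-pass count and the /proc/sys/kernel/pid_max source of the upper bound are my choices.

```python
import os

def syscall_sees(pid):
    """True if the kernel admits that pid exists, judged the way unhide's
    sys method does: kill(pid, 0) delivers no signal, ESRCH means no such
    process, EPERM means it exists but belongs to another user; getpgid()
    is a second opinion that a hook on kill() alone would not cover."""
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:
        return True
    except ProcessLookupError:
        pass
    try:
        os.getpgid(pid)
        return True
    except ProcessLookupError:
        return False

def proc_pids():
    """PIDs that a /proc directory listing (what ps reads) shows."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def hidden_candidates(syscall_pids, listed_pids):
    """PIDs the kernel answers for but the listing does not contain."""
    return set(syscall_pids) - set(listed_pids)

def stable_hidden(per_pass):
    """Keep only PIDs flagged in every pass; a one-pass hit is a process that started or exited mid-scan."""
    passes = [set(p) for p in per_pass]
    return set.intersection(*passes) if passes else set()

def scan_once(max_pid):
    """One sweep: bracket the syscall sweep with two /proc listings so a
    process alive in either listing is not reported as hidden."""
    before = proc_pids()
    seen = {pid for pid in range(1, max_pid + 1) if syscall_sees(pid)}
    after = proc_pids()
    return hidden_candidates(seen, before | after)

def own_pid_visible():
    return syscall_sees(os.getpid())  # sanity check: we must see ourselves

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    for pid in sorted(stable_hidden([scan_once(pid_max) for _ in range(3)])):
        print("candidate hidden PID:", pid)
```

A PID that still survives all three passes is worth checking by hand (for example whether /proc/PID/status can be read at all), since a transient mail delivery would not be flagged in every pass.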
What is the hidden process?
On 04/07/2011 10:50 PM, James Brown wrote:
> `unhide` says that there is a hidden process in my system, but doesn't indicate it concretely:
>
> ~$ sudo unhide sys
> Unhide 20100201
> http://www.security-projects.com/?Unhide
>
> [*]Searching for Hidden processes through kill(..,0) scanning
> [*]Searching for Hidden processes through comparison of results of system calls
> [*]Searching for Hidden processes through getpriority() scanning
> [*]Searching for Hidden processes through getpgid() scanning
> [*]Searching for Hidden processes through getsid() scanning
> [*]Searching for Hidden processes through sched_getaffinity() scanning
> [*]Searching for Hidden processes through sched_getparam() scanning
> [*]Searching for Hidden processes through sched_getscheduler() scanning
> [*]Searching for Hidden processes through sched_rr_get_interval() scanning
> [*]Searching for Hidden processes through sysinfo() scanning
>
> HIDDEN Processes Found: 1
>
> How can I find out what that process is?

Maybe `unhide-posix sys`, which works here with version 20100201-1.

WT

Archive: http://lists.debian.org/4D9F1FF4.4070903@gmail.com
What is the hidden process?
On 08.04.2011 14:32, Brad Alexander wrote:
> Is this happening on every scan?

Yes.

> Is it possible that it is a process that
> either starts or ends during the scan, so that ps sees it but by the time
> the /proc check occurs, it is gone, or vice versa? I had not heard of unhide
> until this thread, but OSSEC has a similar feature, and I have seen this on
> my mailserver. The conclusion I came to is that a routine (but short) process
> (such as postfix attempting to deliver mail) was firing and/or ending during
> the scan to cause the false positive?
>
> I'll take a look at unhide.
>
> --b

Thanks, I'll try to define what that process is.

Archive: http://lists.debian.org/4D9F3858.6050700@gmail.com