Old 04-12-2008, 11:35 PM
Robin
 
Hidden processes....or not....using unhide package

Discovered multiple short-term (5-10 secs) hidden processes appearing on my system - Linux localhost 2.6.24-1-amd64 #1 SMP Thu Mar 27 16:52:38 UTC 2008 x86_64 GNU/Linux. Checked logs. Checked the PC with top, htop, ps and then the system rkhunter and chkrootkit. Also tried rkhunter and chkrootkit from a live CD. In all checks no problems were found. Intermittently these processes stop.


So I'm not sure if this is some sort of false positive or if it is something that evades rootkit checks and I have a problem.

Anyway I'm going to wipe my installation and start again as a precaution, but if anyone has any opinions on what's going on I'd be interested to read them.




--
rob


http://www.worldcommunitygrid.org/team/viewTeamInfo.do?teamId=82BS4ZCMFR1
 
Old 04-13-2008, 10:54 AM
Tzafrir Cohen
 
Hidden processes....or not....using unhide package

On Sun, Apr 13, 2008 at 12:35:28AM +0100, Robin wrote:
> Discovered multiple short term, 5-10 secs, hidden processes appearing on my
> system - Linux localhost 2.6.24-1-amd64 #1 SMP Thu Mar 27 16:52:38 UTC 2008
> x86_64 GNU/Linux. Checked logs. Checked PC with top, htop, ps and then
> system rkhunter and chkrootkit . Also tried rkhunter and chkrootkit from a
> livecd. In all checks no problems found. Intermittently these processes
> stop.

If they are hidden, how do you see them?

What exactly is the command you run? What is the output?

--
Tzafrir Cohen | tzafrir@jabber.org | VIM is
http://tzafrir.org.il | | a Mutt's
tzafrir@cohens.org.il | | best
ICQ# 16849754 | | friend


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 04-13-2008, 01:41 PM
Robin
 
Hidden processes....or not....using unhide package

On 13/04/2008, Tzafrir Cohen <tzafrir@cohens.org.il> wrote:
> On Sun, Apr 13, 2008 at 12:35:28AM +0100, Robin wrote:
> > Discovered multiple short term, 5-10 secs, hidden processes appearing on my
> > system - Linux localhost 2.6.24-1-amd64 #1 SMP Thu Mar 27 16:52:38 UTC 2008
> > x86_64 GNU/Linux. Checked logs. Checked PC with top, htop, ps and then
> > system rkhunter and chkrootkit . Also tried rkhunter and chkrootkit from a
> > livecd. In all checks no problems found. Intermittently these processes
> > stop.
>
> If they are hidden, how do you see them?
>
> What exactly is the command you run? What is the output?
>
> --
> Tzafrir Cohen         | tzafrir@jabber.org | VIM is
> http://tzafrir.org.il |                    | a Mutt's
> tzafrir@cohens.org.il |                    | best
> ICQ# 16849754         |                    | friend


Noticed that the CPU was running at 15% with no user applications running. Checked top, which reported nothing running at that level. Ran:

unhide proc :- Which gives intermittent hidden processes

unhide sys :- [*]Searching for Hidden processes through getsid() scanning
                 Found HIDDEN PID: 16356
              [*]Searching for Hidden processes through sched_getscheduler() scanning
                 Found HIDDEN PID: 17408

unhide brute :- [*]Starting scanning using brute force against PIDS
                   Found HIDDEN PID: 2216
                   Found HIDDEN PID: 2503


Thanks
--
rob


http://www.worldcommunitygrid.org/team/viewTeamInfo.do?teamId=82BS4ZCMFR1
 
Old 04-13-2008, 04:22 PM
NN_il_Confusionario
 
Hidden processes....or not....using unhide package

On Sun, Apr 13, 2008 at 02:41:55PM +0100, Robin wrote:
> unhide proc :- Which gives intermittent hidden processes
> unhide sys :-[*]Searching for Hidden processes through getsid() scanning
> Found HIDDEN PID: 16356
>[*]Searching for Hidden processes through sched_getscheduler() scanning
> Found HIDDEN PID: 17408
> unhide brute :-[*]Starting scanning using brute force against PIDS
> Found HIDDEN PID: 2216
> Found HIDDEN PID: 2503

You could also try
netstat -anp|less
unhide-tcp

If someone hacked the box, probably a net process was used to enter and
new net processes are spawned.

Moreover:

apt-cache search forensic

Linkname: Securing Debian Manual
URL: http://www.debian.org/doc/user-manuals#securing

might give further ideas

--
Whoever uses non-free software poisons you too. Tell them to stop.
Computing=arsenic: minimal doses in rare pathological cases, otherwise lethal.
Computing=bomb: smart only for the fools who believe in it.


 
Old 04-13-2008, 04:31 PM
Robin
 
Hidden processes....or not....using unhide package

On 13/04/2008, NN_il_Confusionario <pinkof.pallus@tiscalinet.it> wrote:
> On Sun, Apr 13, 2008 at 02:41:55PM +0100, Robin wrote:
> > unhide proc :- Which gives intermittent hidden processes
> > unhide sys :- [*]Searching for Hidden processes through getsid() scanning
> >                  Found HIDDEN PID: 16356
> >               [*]Searching for Hidden processes through sched_getscheduler() scanning
> >                  Found HIDDEN PID: 17408
> > unhide brute :- [*]Starting scanning using brute force against PIDS
> >                    Found HIDDEN PID: 2216
> >                    Found HIDDEN PID: 2503
>
> You could also try
> netstat -anp|less
> unhide-tcp
>
> If someone hacked the box, probably a net process was used to enter and
> new net processes are spawned.
>
> Moreover:
>
>   apt-cache search forensic
>
>   Linkname: Securing Debian Manual
>         URL: http://www.debian.org/doc/user-manuals#securing
>
> might give further ideas

Thanks I'll investigate.
--
rob


http://www.worldcommunitygrid.org/team/viewTeamInfo.do?teamId=82BS4ZCMFR1
 
Old 04-13-2008, 09:07 PM
Alex Samad
 
Hidden processes....or not....using unhide package

On Sun, Apr 13, 2008 at 05:31:53PM +0100, Robin wrote:
> On 13/04/2008, NN_il_Confusionario <pinkof.pallus@tiscalinet.it> wrote:
> >
> > On Sun, Apr 13, 2008 at 02:41:55PM +0100, Robin wrote:
> > > unhide proc :- Which gives intermittent hidden processes
> > > unhide sys :-[*]Searching for Hidden processes through getsid()
> > scanning
> > > Found HIDDEN PID: 16356
> > >[*]Searching for Hidden processes through
> > sched_getscheduler() scanning
> > > Found HIDDEN PID: 17408
> > > unhide brute :-[*]Starting scanning using brute force against PIDS
> > > Found HIDDEN PID: 2216
> > > Found HIDDEN PID: 2503
> >
> >
> > You could also try
> > netstat -anp|less
> > unhide-tcp
> >
> > If someone hacked the box, probably a net process was used to enter and
> > new net processes are spawned.
> >
> > Moreover:
> >
> > apt-cache search forensic
> >
> > Linkname: Securing Debian Manual
> > URL: http://www.debian.org/doc/user-manuals#securing
> >
> > might give further ideas

I downloaded this and installed it, just to try (unhide) and it found
lots of hidden processes through unhide sys.

Different PIDs each time. So I ran this

>/tmp/thelist; for x in $(seq 1 2000); do echo 1 >/dev/null & echo $! >> /tmp/thelist ; done

out of curiosity, it did not miss a PID, which makes me think unhide
raises a lot of false positives?


>
>
>
>
> Thanks I'll investigate.
> --
> rob
>
>
> http://www.worldcommunitygrid.org/team/viewTeamInfo.do?teamId=82BS4ZCMFR1

--
18th Rule of Friendship:
A friend will let you hold the ladder while he goes up on the roof
to install your new aerial, which is the biggest son-of-a-bitch you
ever saw.
-- Esquire, May 1977
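The effect Alex reports (a loop of 2000 short-lived processes all reported as hidden) is the race between unhide's syscall probe and its later /proc read: a process that exits in between looks kernel-visible but unlisted. The Python below is an added example, not code from the thread or from the unhide project: it reimplements the getsid()-versus-/proc comparison that "unhide sys" performs and then re-checks each candidate after a pause, so a transient PID drops out while a PID that stays kernel-visible yet absent from /proc is confirmed. The PIDs in the constructed demo views and the pid_max fallback value are assumptions.

```python
import os
import time

def syscall_visible(pid):
    """True when the kernel answers getsid() for pid: the probe 'unhide sys' relies on."""
    try:
        os.getsid(pid)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # the process exists, we just may not query it

def proc_visible(pid):
    # stat() rather than listing /proc: thread IDs have a /proc/<tid> directory that
    # readdir omits, so a listing-based check would report every thread as hidden.
    return os.path.isdir(f"/proc/{pid}")

def scan_once(pid_max, sys_probe=syscall_visible, proc_probe=proc_visible):
    """One pass like 'unhide sys': PIDs the kernel knows about but /proc does not show."""
    return {pid for pid in range(1, pid_max + 1) if sys_probe(pid) and not proc_probe(pid)}

def confirm_hidden(candidates, sys_probe=syscall_visible, proc_probe=proc_visible, rounds=3, delay=0.5):
    """Re-check candidates after a pause. A process that exited between the two probes
    vanishes from both views; a genuinely hidden one stays kernel-visible yet unlisted."""
    confirmed = set(candidates)
    for _ in range(rounds):
        time.sleep(delay)
        confirmed = {pid for pid in confirmed if sys_probe(pid) and not proc_probe(pid)}
    return confirmed

def demo_with_constructed_views():
    """Constructed views (assumed PIDs, not from the thread): 4242 is a short-lived process
    caught mid-exit, 27000 is persistently absent from /proc."""
    alive_at_probe, listed_in_proc = {1, 100, 4242, 27000}, {1, 100}
    first = scan_once(30000, lambda p: p in alive_at_probe, lambda p: p in listed_in_proc)
    later_alive = {1, 100, 27000}  # by the re-check, 4242 has finished
    confirmed = confirm_hidden(first, lambda p: p in later_alive,
                               lambda p: p in listed_in_proc, rounds=2, delay=0)
    return first, confirmed

def live_scan(rounds=3, delay=0.5):
    """Run against this host: naive pass first, then the confirmation rounds."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    except OSError:
        pid_max = 32768  # assumed fallback when /proc/sys is unavailable
    first = scan_once(pid_max)
    return first, confirm_hidden(first, rounds=rounds, delay=delay)
```

Calling live_scan() while a loop like Alex's is running shows the first set filling with transient PIDs and the confirmed set staying empty; a PID that survives the re-check rounds is the one worth investigating with netstat and a live CD.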
 
Old 04-14-2008, 10:44 AM
Robin
 
Hidden processes....or not....using unhide package

On 13/04/2008, Alex Samad <alex@samad.com.au> wrote:
> On Sun, Apr 13, 2008 at 05:31:53PM +0100, Robin wrote:
> > On 13/04/2008, NN_il_Confusionario <pinkof.pallus@tiscalinet.it> wrote:
> > >
> > > On Sun, Apr 13, 2008 at 02:41:55PM +0100, Robin wrote:
> > > > unhide proc :- Which gives intermittent hidden processes
> > > > unhide sys :- [*]Searching for Hidden processes through getsid()
> > > scanning
> > > >                  Found HIDDEN PID: 16356
> > > >               [*]Searching for Hidden processes through
> > > sched_getscheduler() scanning
> > > >                  Found HIDDEN PID: 17408
> > > > unhide brute :- [*]Starting scanning using brute force against PIDS
> > > >                    Found HIDDEN PID: 2216
> > > >                    Found HIDDEN PID: 2503
> > >
> > >
> > > You could also try
> > > netstat -anp|less
> > > unhide-tcp
> > >
> > > If someone hacked the box, probably a net process was used to enter and
> > > new net processes are spawned.
> > >
> > > Moreover:
> > >
> > >   apt-cache search forensic
> > >
> > >   Linkname: Securing Debian Manual
> > >         URL: http://www.debian.org/doc/user-manuals#securing
> > >
> > > might give further ideas
>
> I downloaded this and installed it, just to try (unhide) and it found
> lots of hidden processes through unhide sys.
>
> Different PIDs each time. So I ran this
>
> >/tmp/thelist; for x in $(seq 1 2000); do echo 1 >/dev/null & echo $! >> /tmp/thelist ; done
>
> out of curiosity, it did not miss a PID, which makes me think unhide
> raises a lot of false positives?

I'm coming to that conclusion. Netstat showed nothing suspicious.

Thanks to all

--
rob


http://www.worldcommunitygrid.org/team/viewTeamInfo.do?teamId=82BS4ZCMFR1
 
