chkrootkit shows hidden processes (2008-10-13 17:43 UTC)
I run the awesome chkrootkit tool (as suggested by Syskoll) as part of a balanced breakfast of making sure I don't (or didn't, in this case) get hacked.

It sometimes likes to report hidden processes, like:

Checking `lkm'... You have 2 process hidden for readdir command

Hey - that's spooky, right? A process that's hidden from view may indicate a process that was installed by someone other than you, and who knows what it's doing?!?! So of course, I looked into it.

To do the check for these processes, it appears that chkrootkit looks in the /proc directory to see all the process numbers there. (The /proc "special filesystem" keeps runtime info about processes that are being executed -- to see for yourself, go there, go into a directory whose name is a number (the process number), and look at the "files" that provide metadata about that running process -- cool, huh?) When a process has finished running, its directory disappears, naturally, and it is also no longer visible in ps, for example.

What's happening for me is that I have a lot of processes running for very short periods of time and exiting. When chkrootkit looks at /proc, one set of processes is active, but by the time it compares that list to what's in ps, the list has changed, due to the normal sub-fruit-fly lifespans of the processes. When chkrootkit sees a discrepancy between the two lists, it reports hidden processes. Truth is: the processes that chkrootkit believes are hidden, because it just saw them in /proc but doesn't see them in ps, are actually gone - no longer in /proc either. Maybe a double check would help? Dunno.

Does this mean you can ignore the report? No way -- but it's worth knowing that these false positives are a possibility as you look into things.
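Here is what that "double check" could look like, as an added example written for this post (it is not chkrootkit's own code): take a /proc snapshot and a ps snapshot, and before calling any PID hidden, look in /proc a second time. A PID that is in /proc but not in ps and is gone on the second look is the short-lived-process race described above; only a PID that is still there gets reported. The function names and the use of `ps -e -o pid=` are my assumptions for a Linux box with procps.

```python
#!/usr/bin/env python3
"""Hidden-process check with a second look at /proc to suppress the race
between reading /proc and running ps (short-lived processes exit in between)."""
import os
import subprocess
from typing import Callable, Set


def pids_from_proc() -> Set[int]:
    """PIDs currently visible as numeric directory names under /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps() -> Set[int]:
    """PIDs as reported by ps; 'ps -e -o pid=' prints one bare PID per line."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def suspicious_pids(proc_pids: Set[int], ps_pids: Set[int],
                    still_in_proc: Callable[[int], bool]) -> Set[int]:
    """PIDs that were in the /proc snapshot, are absent from the ps snapshot,
    AND are still present in /proc on a second look.

    A PID that has vanished by the second look simply exited between the two
    snapshots: that is the false positive, not a hidden process."""
    missing_from_ps = proc_pids - ps_pids
    return {pid for pid in missing_from_ps if still_in_proc(pid)}


def run_check() -> Set[int]:
    """Live check: both snapshots, then re-probe each discrepant PID in /proc."""
    return suspicious_pids(pids_from_proc(), pids_from_ps(),
                           lambda pid: os.path.isdir(f"/proc/{pid}"))


if __name__ == "__main__":
    flagged = run_check()
    if flagged:
        print("still present in /proc but not in ps:", sorted(flagged))
    else:
        print("no discrepancy survived the second look")
```

The second look only removes the timing race; a process hidden from readdir by a kernel rootkit would be missing from both listings, so this tells you a report was the race, not that the box is clean.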