spamgourmet : otherdog studio
chkrootkit shows hidden processes | 2008-10-13 17:43 UTC

I run the awesome chkrootkit tool (as suggested by Syskoll) as part of a balanced breakfast of making sure I don't (or didn't, in this case) get hacked.

It sometimes likes to report hidden processes, like:

    Checking `lkm'... You have 2 process hidden for readdir command

Hey - that's spooky, right? A process that's hidden from view may indicate a process that was installed by someone other than you, and who knows what it's doing?!?! So of course, I looked into it.

To do the check for these processes, it appears that chkrootkit looks in the /proc directory to see all the process numbers there (the /proc "special filesystem" keeps runtime info about processes that are being executed -- to see, go there, go into a directory that is a number (the process number) and look at the "files" that provide metadata about that running process -- cool, huh?). When a process has finished running, its directory disappears, naturally, and it is also no longer visible in ps, for example.

What's happening for me is that I have a lot of processes running for very short periods of time and exiting -- when chkrootkit is looking at /proc, one set of processes will be active, but by the time it compares that list to what's in ps, the list will have changed, due to the normal sub-fruit-fly lifespans of the processes. When chkrootkit sees a discrepancy between the two lists, it reports finding hidden processes. Truth is: the processes that chkrootkit believes are hidden, because it just saw them in /proc but doesn't see them in ps, are actually gone - no longer in /proc either. Maybe a double check would help? Dunno.

Does this mean you can ignore the report? No way -- but it's worth knowing that these false positives are a possibility as you look into things.
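The /proc-versus-ps comparison the post describes, plus the "double check" it wonders about, as an added example (this is not chkrootkit's own code, and the script name hidden-check.sh is made up). It assumes a Linux-style /proc and a procps-style ps that accepts `-e -o pid=`. A pid found in the /proc snapshot but missing from ps is re-checked against /proc; if its directory is already gone, the process just exited between the two snapshots, which is exactly the false positive the post ran into.

```sh
#!/bin/sh
# Added example (not chkrootkit's own code): the /proc-vs-ps comparison the post
# describes, plus the "double check" it wonders about. A pid that appears in the
# /proc snapshot but not in ps is re-checked against /proc; if its directory is
# already gone, the process simply exited between the two snapshots.
# Assumes a Linux-style /proc and a procps-style ps that accepts "-e -o pid=".
LC_ALL=C
export LC_ALL   # plain byte order so sort(1) and comm(1) agree on ordering

# Snapshot 1: numeric directory names under a proc-style directory ($1).
list_proc_pids() {
    for d in "$1"/[0-9]*; do
        if [ -d "$d" ]; then
            echo "${d##*/}"
        fi
    done | sort | uniq
}

# Snapshot 2: pids as reported by ps (the process table view).
list_ps_pids() {
    ps -e -o pid= | tr -d ' ' | sort | uniq
}

# $1: file of /proc pids, $2: file of ps pids (both sorted).
# Prints pids that are in /proc but not in ps: the "hidden" candidates.
raw_candidates() {
    comm -23 "$1" "$2"
}

# Re-check: read candidate pids on stdin, keep only those whose directory
# under $1 still exists. The rest exited between the snapshots (the race
# the post describes) and were never hidden at all.
confirm_still_present() {
    while read -r pid; do
        if [ -n "$pid" ] && [ -d "$1/$pid" ]; then
            echo "$pid"
        fi
    done
}

# Full check. $1: proc-style directory, $2: command that prints the ps pid list.
# Order matters: /proc is read first, then ps, then /proc again for the re-check,
# so a process that exits between the first two reads is filtered out.
check_hidden() {
    procdir=$1
    ps_cmd=$2
    proc_list=$(mktemp)
    ps_list=$(mktemp)
    list_proc_pids "$procdir" > "$proc_list"
    "$ps_cmd" > "$ps_list"
    raw_candidates "$proc_list" "$ps_list" | confirm_still_present "$procdir"
    rm -f "$proc_list" "$ps_list"
}

# Live run on a Linux host: sh hidden-check.sh --live
# Any pid printed was in /proc, missing from ps, and still in /proc afterwards;
# that is the case worth investigating. No output means the discrepancy (if any)
# was just short-lived processes.
if [ "${1:-}" = "--live" ]; then
    check_hidden /proc list_ps_pids
fi
```

The re-check only removes one kind of false positive, a process that exited after the /proc snapshot was taken; a pid that survives it is still worth a look at its /proc/PID/cmdline, exe and status entries before drawing any conclusion.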
google chrome | 2008-09-02 21:20 UTC

Currently surfing with the Google Chrome web browser (only works in Windows for now) - pretty cool so far. I'm reading through the comic strip that describes the engineering decisions (here) and every time I click on the arrow to advance a page, it advances two pages, and I have to go "back" - funny.

When I was in law school in 1993 (and for the next few years), I worked in the "Legal Information Institute", and we had what I still think is the first web browser for MS Windows, called Cello - (read more here) but we forgot it like a dentist appointment when Mosaic for Windows (and then Netscape) came out. It occurred to me that, besides lynx, pretty much all current web browsers shared a common ancestry (Mosaic, that is), and that the "aboriginal" browsers, like Cello, had all died out. But here's a new one -- that's kind of a big deal, really. Can't wait to try it on a mac.
posting from minivan | 2008-08-03 19:40 UTC

On vacation - got the MacBook connecting to the internet via bluetooth. Currently rolling down I-10 west of Fort Stockton (Jane's driving). Not too much bandwidth, but it's still pretty cool.
world adaptor + usb charger | 2008-06-28 13:02 UTC
i don't trust itunes | 2008-05-30 13:07 UTC

I use WinXP at work, and at one point I installed iTunes so I could listen to someone's song or something like that. Doing some cleanup now, and I notice it seems to have a bunch of related processes running and ports open, and when I went to uninstall it, I got a dialog box about halfway through the process saying I needed to close my MS Outlook inbox before the uninstall could be completed. What was iTunes doing with my email??? No sir, don't trust it. I wonder if I can get it off my mac.

