chkrootkit shows hidden processes 2008-10-13 17:43
I run the awesome chkrootkit tool (as suggested by Syskoll) as part of a balanced breakfast of making sure I don't (or didn't, in this case) get hacked.

It sometimes likes to report hidden processes, like:

Checking `lkm'... You have 2 process hidden for readdir command
You have 2 process hidden for ps command


Hey - that's spooky, right? A process that's hidden from view may indicate a process that was installed by someone other than you, and who knows what it's doing?!?!

So of course, I looked into it. To check for these processes, chkrootkit appears to look in the /proc directory and collect all the process numbers there. (The /proc "special filesystem" keeps runtime info about processes that are being executed -- to see it, go there, go into a directory whose name is a number (the process number), and look at the "files" that provide metadata about that running process -- cool, huh?) When a process finishes, its directory disappears, naturally, and it's no longer visible in ps either.

What's happening for me is that I have a lot of processes that run for very short periods and exit. When chkrootkit looks at /proc, one set of processes is active, but by the time it compares that list to what ps reports, the list has changed, thanks to the normal sub-fruit-fly lifespans of these processes. chkrootkit sees a discrepancy between the two lists and reports hidden processes. Truth is: the processes chkrootkit believes are hidden -- because it just saw them in /proc but doesn't see them in ps -- are actually gone, no longer in /proc either. Maybe a double check would help? Dunno.
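Here is the "double check" idea worked through as an added example (my own script, not chkrootkit's code, and covering only the "hidden for ps command" direction of the report). It takes the /proc PID list, then the ps PID list, then reads /proc a second time: a PID that was in /proc, is missing from ps, and is still in /proc afterwards is worth a look, while one that has vanished from /proc by the second read simply exited between the two snapshots. The function names and the `ps -e -o pid=` invocation are my choices; the sample PID sets used in the test are constructed. The live run at the bottom needs Linux.

```python
"""Reproduce the /proc-vs-ps hidden-process comparison with a re-check that
separates short-lived processes from ones that are really missing from ps.
Added example; not code from chkrootkit. Live run is Linux-only."""
import os
import subprocess
from typing import Iterable, Set, Tuple


def pids_from_proc(proc_root: str = "/proc") -> Set[int]:
    """PIDs visible as numeric directory names under /proc (the first list)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps() -> Set[int]:
    """PIDs reported by ps (the second list). `ps -e -o pid=` prints bare PIDs."""
    out = subprocess.run(
        ["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True
    ).stdout
    return {int(tok) for tok in out.split()}


def classify_hidden(
    proc_before: Iterable[int], ps_seen: Iterable[int], proc_after: Iterable[int]
) -> Tuple[Set[int], Set[int]]:
    """Split the raw /proc-minus-ps discrepancy into (confirmed, transient).

    confirmed: in /proc both before and after the ps snapshot, yet absent
               from ps -> investigate (ps output or /proc may be tampered with).
    transient: in /proc before, absent from ps, gone from /proc afterwards
               -> the process exited between the two reads (a false positive).
    Caveat: a PID reused by a new process between the reads lands in
    'confirmed'; a second pass a moment later will clear it.
    """
    before, seen, after = set(proc_before), set(ps_seen), set(proc_after)
    candidates = before - seen          # what a single comparison would flag
    confirmed = candidates & after      # still present in /proc: real discrepancy
    transient = candidates - after      # already gone: just a short-lived process
    return confirmed, transient


def check_once() -> Tuple[Set[int], Set[int]]:
    """Live run: read /proc, run ps, read /proc again, then classify."""
    before = pids_from_proc()
    seen = pids_from_ps()
    after = pids_from_proc()
    return classify_hidden(before, seen, after)


if __name__ == "__main__":
    confirmed, transient = check_once()
    print(f"{len(transient)} process(es) exited between the /proc and ps reads (ignored)")
    for pid in sorted(confirmed):
        print(f"PID {pid} is in /proc but not in ps output: investigate")
```

On a box with lots of short-lived jobs the `transient` set is routinely non-empty while `confirmed` stays empty; anything that does land in `confirmed` on repeated runs is the case the original warning is meant for, and the place to start is `/proc/<pid>/exe`, `cmdline` and `status` for that PID.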

Does this mean you can ignore the report? No way -- but it's worth knowing that these false positives are a possibility as you look into things.

2 comments

Tim wrote


They should have locked both checks into a single thread of execution so that it would show properly?

josh wrote


it prolly is single threaded -- just the time it takes between getting the number for the first list and getting the number for the second list.
