Hi Fragga,

> just a quick question.. if someone were to trojan ps to not show their
> processes (ignoring detection by ChkRootkit for the minute as this is just
> a principle matter) then would it still show in /proc or is it possible to
> create hidden processes which will not show in there as well?

Rootkits which modify the kernel (through LKMs or other methods) can even hide files and folders. On Linux anything is either a file or a folder somewhere on the disk, including /proc and anything within. So yes, rootkits like SuckIT-1.3a (which I just happened to run into on a RaQ4) can be so sneaky that they are next to impossible to detect once they are installed, as they might also hide the processes in /proc. It depends on how sophisticated these rootkits are.

See http://la-samhna.de/library/lkm.html for more information.

--
With best regards,

Michael Stauber
[EMAIL PROTECTED]
Unix/Linux Support Engineer

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
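
A cross-view check for the case discussed in this message, added here as an example that is not part of the original post: it compares the IDs a listing of /proc shows against the IDs the kernel answers for when probed directly with signal 0. The function names are hypothetical, and a rootkit that also filters kill() or tampers with the interpreter defeats the check, so an empty result does not prove a clean host.

```python
import os

def visible_ids(proc="/proc"):
    """PIDs and thread IDs reachable by listing /proc, the view ps relies on."""
    ids = set()
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            # kill() also answers for thread IDs, so count them as visible.
            ids.update(int(t) for t in os.listdir(os.path.join(proc, name, "task")))
        except OSError:
            pass  # process exited during the scan, or has no task directory
    return ids

def pid_exists(pid):
    """Ask the kernel about one PID directly; signal 0 delivers nothing."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists but belongs to another user
    return True

def hidden_ids(listed, probe, max_pid, relist=None):
    """IDs that answer the probe but are missing from the listing."""
    suspects = [p for p in range(1, max_pid + 1) if p not in listed and probe(p)]
    if relist is not None:
        # Processes born mid-scan look hidden; keep only IDs that are still
        # alive and still missing from a second listing.
        fresh = relist()
        suspects = [p for p in suspects if p not in fresh and probe(p)]
    return suspects

def read_pid_max(path="/proc/sys/kernel/pid_max", default=32768):
    """Upper bound of the PID range; falls back to the classic default."""
    try:
        with open(path) as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return default

if __name__ == "__main__":
    found = hidden_ids(visible_ids(), pid_exists, read_pid_max(), visible_ids)
    for pid in found:
        print(f"ID {pid} answers kill(0) but is not listed in /proc")
    print(f"{len(found)} suspect ID(s)")
```

Run it as root so that every task directory can be listed; any ID it reports is a lead to follow up from trusted media, not a verdict.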
