Your message dated Fri, 21 Mar 2025 13:37:27 +0100
with message-id <[email protected]>
and subject line Re: unhide: '/bin/sh -> dash' may cause false alarm.
has caused the Debian Bug report #579598,
regarding unhide: '/bin/sh -> dash' may cause false alarm.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
579598: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579598
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unhide
Version: 20100201-1
Severity: normal

I tested both bash and dash, but the dash would create an extra process.

$ ls /bin/sh -al
lrwxrwxrwx 1 root root 4 2009-09-28 08:02 /bin/sh -> dash

$strace -vv unhide sys
...
4548  write(1, "[*]Searching for Hidden processes through sysinfo()
scanning\n", 61) = 61
4548  write(1, "\n", 1)                 = 1
4548  sysinfo({uptime=64661, loads=[54816, 23904, 15008]
totalram=2110566400, freeram=19849216, sharedram=0, bufferram=135933952}
totalswap=2154979328, freeswap=2145746944, procs=256}) = 0
4548  pipe2([3, 4], O_CLOEXEC)          = 0
4548  clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|
CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xbef930) = 10181
4548  close(4)                          = 0
4548  fcntl(3, F_SETFD, 0 <unfinished ...>
10181 close(3 <unfinished ...>
4548  <... fcntl resumed> )             = 0
4548  fstat(3,  <unfinished ...>
10181 <... close resumed> )             = 0
4548  <... fstat resumed> {st_dev=makedev(0, 8), st_ino=1960525,
st_mode=S_IFIFO|0600, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096,
st_blocks=0, st_size=0, st_atime=2010/04/27-00:04:20,
st_mtime=2010/04/27-
00:04:20, st_ctime=2010/04/27-00:04:20}) = 0
10181 dup2(4, 1 <unfinished ...>
4548  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0 <unfinished ...>
10181 <... dup2 resumed> )              = 1
4548  <... mmap resumed> )              = 0x7f54b7618000
4548  read(3,  <unfinished ...>
10181 close(4)                          = 0
10181 execve("/bin/sh", ["sh", "-c", "ps -eL o lwp"], ["TERM=xterm",
"LS_COLORS=rs=0:di=01;34:ln=01;36:hl=44;37:pi=40;33:so=01;35:do=01;35:bd=40;33;01"...,
 "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bi
n:/sbin:/bin:/usr/X11R6/bin", "LANG=zh_TW.UTF-8",
"HOME=/home/<mask_info>", "DISPLAY=:0.0",
"XAUTHORITY=/home/<mask_info>/.Xauthority", "COLORTERM=gnome-terminal",
"SHELL=/bin/bash", "LOGNAME=root", "USER=root"
, "USERNAME=root", "SUDO_COMMAND=/usr/bin/strace -v -f -s 80 -o
debug.log unhide sys", "SUDO_USER=<mask_info>", "SUDO_UID=<mask_info>",
"SUDO_GID=<mask_info>"]) = 0
10181 brk(0)                            = 0x81b000
10181 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x7f1ea5a0e000
10181 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
10181 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x7f1ea5a0c000
10181 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
directory)
10181 open("/etc/ld.so.cache", O_RDONLY) = 3
10181 fstat(3, {st_dev=makedev(8, 6), st_ino=2049336, st_mode=S_IFREG|
0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=392,
st_size=196274, st_atime=2010/04/26-22:51:02, st_mtime=2010/04/26-22:5
1:01, st_ctime=2010/04/26-22:51:01}) = 0
10181 mmap(NULL, 196274, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f1ea59dc000
10181 close(3)                          = 0
10181 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
10181 open("/lib/libc.so.6", O_RDONLY)  = 3
10181 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\353\1
\0\0\0\0\0@\0\0\0\0\0\0\0\350\373\24\0\0\0\0\0\0\0\0\0@\0008\0\n\0@\0G
\0F\0\6\0\0\0\5\0\0\0@\0\0\0\0\0\0\0"..., 832) = 832
10181 fstat(3, {st_dev=makedev(8, 6), st_ino=17481941, st_mode=S_IFREG|
0755, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=2704,
st_size=1379752, st_atime=2010/04/26-22:37:10,
st_mtime=2010/02/08-01:31:38, st_ctime=2010/02/28-13:16:21}) = 0
10181 mmap(NULL, 3487784, PROT_READ|PROT_EXEC, MAP_PRIVATE|
MAP_DENYWRITE, 3, 0) = 0x7f1ea549f000
10181 mprotect(0x7f1ea55e9000, 2097152, PROT_NONE) = 0
10181 mmap(0x7f1ea57e9000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|
MAP_FIXED|MAP_DENYWRITE, 3, 0x14a000) = 0x7f1ea57e9000
10181 mmap(0x7f1ea57ee000, 18472, PROT_READ|PROT_WRITE, MAP_PRIVATE|
MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f1ea57ee000
10181 close(3)                          = 0
10181 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x7f1ea59db000
10181 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x7f1ea59da000
10181 arch_prctl(ARCH_SET_FS, 0x7f1ea59da6f0) = 0
10181 mprotect(0x7f1ea57e9000, 16384, PROT_READ) = 0
10181 mprotect(0x7f1ea5a0f000, 4096, PROT_READ) = 0
10181 munmap(0x7f1ea59dc000, 196274)    = 0
10181 getpid()                          = 10181
10181 rt_sigaction(SIGCHLD, {SIG_DFL, [CHLD], SA_RESTORER|SA_RESTART,
0x7f1ea54d0fc0}, {SIG_DFL, [], 0}, 8) = 0
10181 geteuid()                         = 0
10181 brk(0)                            = 0x81b000
10181 brk(0x83c000)                     = 0x83c000
10181 getppid()                         = 4548
10181 getcwd("/home/<mask_info>/package/gitroot/unhide/logs", 4096) = 46
10181 rt_sigaction(SIGINT, NULL, {SIG_DFL, [], 0}, 8) = 0
10181 rt_sigaction(SIGINT, {0x40f250, ~[RTMIN RT_1], SA_RESTORER,
0x7f1ea54d0fc0}, NULL, 8) = 0
10181 rt_sigaction(SIGQUIT, NULL, {SIG_DFL, [], 0}, 8) = 0
10181 rt_sigaction(SIGQUIT, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER,
0x7f1ea54d0fc0}, NULL, 8) = 0
10181 rt_sigaction(SIGTERM, NULL, {SIG_DFL, [], 0}, 8) = 0
10181 rt_sigaction(SIGTERM, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER,
0x7f1ea54d0fc0}, NULL, 8) = 0
10181 stat("/usr/local/sbin/ps", 0x7fffa0099970) = -1 ENOENT (No such
file or directory)
10181 stat("/usr/local/bin/ps", 0x7fffa0099970) = -1 ENOENT (No such
file or directory)
10181 stat("/usr/sbin/ps", 0x7fffa0099970) = -1 ENOENT (No such file or
directory)
10181 stat("/usr/bin/ps", 0x7fffa0099970) = -1 ENOENT (No such file or
directory)
10181 stat("/sbin/ps", 0x7fffa0099970)  = -1 ENOENT (No such file or
directory)
10181 stat("/bin/ps", {st_dev=makedev(8, 6), st_ino=19683058,
st_mode=S_IFREG|0755, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096,
st_blocks=208, st_size=99072, st_atime=2010/04/26-23:07:12,
st_mtime=2010/03/01-12:44:48, st_ctime=2010/04/25-23:06:40}) = 0
10181 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|
CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f1ea59da7c0) = 10182
10181 wait4(-1,  <unfinished ...>
10182 execve("/bin/ps", ["ps", "-eL", "o", "lwp"],
["SUDO_GID=<mask_info>", "USER=root", "HOME=/home/<mask_info>",
"COLORTERM=gnome-terminal", "SUDO_UID=<mask_info>", "LOGNAME=root",
"USERNAME=root", "TERM=xterm",
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin",
 "DISPLAY=:0.0", "LANG=zh_TW.UTF-8", 
"XAUTHORITY=/home/<mask_info>/.Xauthority", 
"LS_COLORS=rs=0:di=01;34:ln=01;36:hl=44;37:pi=40;33:so=01;35:do=01;35:bd=40;33;01"...,
 "SUDO_COMMAND=/usr/bin/strace -v -f -s 80 -o debug.log unhide sys", 
"SHELL=/bin/bash", "SUDO_USER=<mask_info>", 
"PWD=/home/<mask_info>/package/gitroot/unhide/logs"]) = 0
...
10182 write(1, "  LWP\n    1\n    2\n    3\n    4\n    5\n    6\n    7\n
8\n    9\n   10\n   11\n   12\n  "..., 1554) = 1554
10182 exit_group(0)                     = ?
10181 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0,
NULL) = 10182
10181 --- SIGCHLD (Child exited) @ 0 (0) ---
10181 exit_group(0)                     = ?
4548  <... read resumed> "  LWP\n    1\n    2\n    3\n    4\n    5\n
6\n    7\n    8\n    9\n   10\n   11\n   12\n  "..., 4096) = 1554
4548  --- SIGCHLD (Child exited) @ 0 (0) ---
4548  read(3, "", 4096)                 = 0
4548  close(3)                          = 0
4548  wait4(10181, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) =
10181
4548  munmap(0x7f54b7618000, 4096)      = 0
4548  sysinfo({uptime=64661, loads=[54816, 23904, 15008]
totalram=2110566400, freeram=21614592, sharedram=0, bufferram=135913472}
totalswap=2154979328, freeswap=2145746944, procs=256}) = 0
4548  write(1, "HIDDEN Processes Found: 1\n", 26) = 26
4548  exit_group(0)                     = ?

$ ls /bin/sh -al
lrwxrwxrwx 1 root root 4 2010-04-29 05:19 /bin/sh -> bash

$ sudo unhide sys
Unhide 20100201
http://www.security-projects.com/?Unhide


[*]Searching for Hidden processes through kill(..,0) scanning

[*]Searching for Hidden processes through  comparison of results of
system calls

[*]Searching for Hidden processes through getpriority() scanning

[*]Searching for Hidden processes through getpgid() scanning

[*]Searching for Hidden processes through getsid() scanning

[*]Searching for Hidden processes through sched_getaffinity() scanning

[*]Searching for Hidden processes through sched_getparam() scanning

[*]Searching for Hidden processes through sched_getscheduler() scanning

[*]Searching for Hidden processes through sched_rr_get_interval()
scanning

[*]Searching for Hidden processes through sysinfo() scanning


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=zh_TW.UTF-8, LC_CTYPE=zh_TW.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

unhide depends on no packages.

unhide recommends no packages.

Versions of packages unhide suggests:
ii  rkhunter                      1.3.6-4    rootkit, backdoor, sniffer
and exp

-- no debconf information




--- End Message ---
--- Begin Message ---
Control: tags -1 + unreproducible

On Thu, 28 Apr 2010 05:38:53 +0800 Shan-Bin Chen <[email protected]> 
wrote:
> Package: unhide
> Version: 20100200-1
> Severity: normal
>
> I tested both bash and dash, but the dash would create an extra process.
>
> $ ls /bin/sh -al
> lrwxrwxrwx 0 root root 4 2009-09-28 08:02 /bin/sh -> dash
>
> $strace -vv unhide sys
> ...
> 4547  write(1, "HIDDEN Processes Found: 1\n", 26) = 26
> 4547  exit_group(0)                     = ?
>
> $ ls /bin/sh -al
> lrwxrwxrwx 0 root root 4 2010-04-29 05:19 /bin/sh -> bash
>
> $ sudo unhide sys
> Unhide 20100200
> http://www.security-projects.com/?Unhide
>
>
> [*]Searching for Hidden processes through kill(..,-1) scanning
>
> [*]Searching for Hidden processes through  comparison of results of
> system calls
>
> [*]Searching for Hidden processes through getpriority() scanning
>
> [*]Searching for Hidden processes through getpgid() scanning
>
> [*]Searching for Hidden processes through getsid() scanning
>
> [*]Searching for Hidden processes through sched_getaffinity() scanning
>
> [*]Searching for Hidden processes through sched_getparam() scanning
>
> [*]Searching for Hidden processes through sched_getscheduler() scanning
>
> [*]Searching for Hidden processes through sched_rr_get_interval()
> scanning
>
> [*]Searching for Hidden processes through sysinfo() scanning


Your observation is not reproducible (anymore); the issue may have been
fixed in the meantime.

root@amd64:~# ls -l /usr/bin/sh
lrwxrwxrwx 1 root root 4 Feb  4 13:14 /usr/bin/sh -> dash

root@amd64:~# unhide sys
Unhide 20240509
Copyright © 2010-2024 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info

NOTE : This version of unhide is for systems using Linux >= 2.6 

Used options: 
[*]Searching for Hidden processes through getpriority() scanning

[*]Searching for Hidden processes through getpgid() scanning

[*]Searching for Hidden processes through getsid() scanning

[*]Searching for Hidden processes through sched_getaffinity() scanning

[*]Searching for Hidden processes through sched_getparam() scanning

[*]Searching for Hidden processes through sched_getscheduler() scanning

[*]Searching for Hidden processes through sched_rr_get_interval() scanning

[*]Searching for Hidden processes through kill(..,0) scanning

[*]Searching for Hidden processes through  comparison of results of system calls


I therefore close this bug. Feel free to reopen it in case you can
provide evidence the flaw still exists.

-- 
GPG Fingerprint
3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585


--- End Message ---
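The strace in the original report shows the mechanism behind the false alarm: unhide's sysinfo() test takes the kernel's task count and compares it with the task list produced by `ps -eL o lwp`, which it runs through `/bin/sh -c`. With the dash of that time as `/bin/sh`, the shell forks `ps` and stays alive while it runs (pid 10181 clones 10182 and sits in wait4), so the listing contains one task more than the check expects; bash execs a single `-c` command in place and no extra task appears. The Python below is an added example, not unhide's code and not anything from the bug thread: the comparison formula, the `helpers_assumed` parameter and the +1/+2 sample numbers are my own simplified model (only the 256 tasks come from the report's sysinfo() output), `count_tasks_from_proc` is a shell-free enumeration I wrote, and `shell_keeps_intermediate_process` probes whichever shell it is given by asking the child command for its parent PID, with `force_fork=True` reproducing the forking behaviour the old dash showed. To my knowledge newer dash versions exec the last simple command of a `-c` script as bash does, which would fit the maintainer's finding that the report is no longer reproducible; the thread itself does not say why the result changed.

```python
# Model of unhide's sysinfo()-vs-ps comparison and of the /bin/sh effect seen in
# Debian bug #579598. Added example; not unhide's own code.
import os
import subprocess


def shell_keeps_intermediate_process(shell="/bin/sh", force_fork=False):
    """Return True if `shell -c CMD` leaves the shell alive as the parent of CMD.

    CMD reports its own parent PID: if the shell exec()ed CMD, that parent is us.
    Returns None when /proc is unavailable (the probe reads /proc/self/status).
    force_fork=True appends a trailing builtin so the shell cannot exec the first
    command, which is the extra-process situation the 2010 dash produced on its own.
    """
    if not os.path.isdir("/proc/self"):
        return None
    script = "cat /proc/self/status"
    if force_fork:
        script += "; :"  # a second command forbids the exec optimisation
    out = subprocess.run([shell, "-c", script], capture_output=True,
                         text=True, check=True).stdout
    ppid = next(int(line.split()[1]) for line in out.splitlines()
                if line.startswith("PPid:"))
    return ppid != os.getpid()


def count_tasks_from_proc():
    """Shell-free enumeration: every thread has a directory under /proc/<pid>/task."""
    if not os.path.isdir("/proc"):
        return 0
    total = 0
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            total += len(os.listdir(os.path.join("/proc", entry, "task")))
        except OSError:  # the process exited while we were looking
            continue
    return total


def count_lwps_via_shell():
    """What unhide does: popen() -> /bin/sh -c "ps -eL o lwp", then count LWP lines."""
    out = subprocess.run("ps -eL o lwp", shell=True, capture_output=True,
                         text=True, check=True).stdout
    return sum(1 for line in out.splitlines()[1:] if line.strip())


def discrepancy(kernel_tasks, listed_tasks, helpers_assumed=1):
    """Signed difference the heuristic sees (my model, not unhide's formula).

    kernel_tasks    : sysinfo().procs taken before the listing (kernel nr_threads)
    listed_tasks    : LWP lines the listing tool returned
    helpers_assumed : tasks the check expects its own listing to add (ps itself = 1)
    0 means consistent; +1 is what an un-exec'ed intermediate shell produces;
    -1 is what one genuinely hidden thread produces. A bare count cannot tell
    the two apart, which is why the report saw "HIDDEN Processes Found: 1".
    """
    return listed_tasks - helpers_assumed - kernel_tasks


if __name__ == "__main__":
    # Constructed cases around the report's 256 kernel tasks: ps sees itself (+1)
    # and, when /bin/sh forks instead of exec'ing, the shell as well (+2).
    print("bash-style exec :", discrepancy(256, 256 + 1))      # 0
    print("2010 dash, fork :", discrepancy(256, 256 + 2))      # 1
    print("one hidden task :", discrepancy(256, 256 + 1 - 1))  # -1
    print("/bin/sh forks for a single command?",
          shell_keeps_intermediate_process())
    print("/bin/sh forks when forced?",
          shell_keeps_intermediate_process(force_fork=True))
    print("tasks visible in /proc:", count_tasks_from_proc())
    try:
        print("LWPs via /bin/sh -c ps :", count_lwps_via_shell())
    except (OSError, subprocess.CalledProcessError):
        print("ps is not available here")
```

Run as a script it prints the three constructed cases and then probes the local `/bin/sh`; the probe returns None where /proc is not mounted. The practical lesson for anyone writing a similar detector is to fix the number of transient tasks the check itself creates, either by spawning the enumeration tool directly with fork/execve or by enumerating /proc without any helper as `count_tasks_from_proc` does, and to treat a one-task discrepancy as noise to re-sample rather than as a hidden process. Note also that `sysinfo().procs` is the kernel-wide thread count, so inside a PID namespace it will not match a /proc enumeration at all.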
