On Sun, 2010-09-12 at 13:52 +0200, unsp...@hushmail.com wrote:
> Hello all,
>
> A long time ago a feature request was made for inclusion of a
> replacement for the "unhide" tool made in Ruby
> (https://sourceforge.net/tracker/?func=detail&aid=2759279&group_id=155034&atid=794190).
> This version is available from
> https://launchpad.net/unhide.rb and I'd like to see if anybody on
> this list would be willing to test-drive it.
>
I seem to get quite a few FP's from this:

# unhide.rb
...
Suspicious PID 13864:
 Seen by ps ("/usr/bin/ruby")
 Seen by /proc ("/usr/bin/ruby")
 Seen by /proc tasks ("/usr/bin/ruby")
 Seen by getsid()
 Seen by getpgid()
 Seen by getpriority()
 Seen by sched_getparam()
 Not seen by sched_getaffinity()
 Seen by sched_getscheduler()
 Seen by sched_rr_get_interval()

# ps p 13864
  PID TTY      STAT   TIME COMMAND

# unhide.rb|wc -l
3287

# unhide.rb|grep '^ Seen by ps'|wc -l
295

I only showed the last PID found, but as can be seen it says it has
found 295 suspicious PIDs.

John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users