Hi, I'm one of the contributors of unhide. I'd like to add some words to those of Yago. I had a look at the unhide.rb source. It seems to be based on the same idea as the "quick" test of the next version of unhide-linux26. It's basically a fast comparison of all the methods which can detect a process. The main difference I see is that unhide.rb runs ps once at start, whereas unhide-linux26 uses it on the fly via a pipe. I think the latter way should give fewer false positives, but I may be wrong. In fact, for now, I have never seen a false positive with the quick test. About the concern of Johan Walles, the quick test is about 20 times faster than the sys + proc tests.
My 2 cents. Cheers.

Patrick.

On 14/09/2010 15:59, John Horne wrote:
> I seem to get quite a few FP's from this:
>
> # unhide.rb
> ...
> Suspicious PID 13864:
> Seen by ps ("/usr/bin/ruby")
> Seen by /proc ("/usr/bin/ruby")
> Seen by /proc tasks ("/usr/bin/ruby")
> Seen by getsid()
> Seen by getpgid()
> Seen by getpriority()
> Seen by sched_getparam()
> Not seen by sched_getaffinity()
> Seen by sched_getscheduler()
> Seen by sched_rr_get_interval()
>
> # ps p 13864
> PID TTY STAT TIME COMMAND
>
> # unhide.rb|wc -l
> 3287
>
> # unhide.rb|grep '^ Seen by ps'|wc -l
> 295
>
> I only showed the last PID found, but as can be seen it says it has
> found 295 suspicious PIDs.
>
> John.

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
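The "quick test" idea discussed in this thread, written out as an added example for illustration; it is not unhide's or unhide.rb's code, and the function names (compare_views, recheck, live_probes and so on) are this example's own. It assumes a Linux host with /proc, a ps binary and the sched_* calls exposed by Python's os module. Each method independently reports which PIDs it can see, the views are compared, and any PID on which they disagree is flagged. Because every view is a separate snapshot, a process that exits or starts between two snapshots looks like a disagreement, which is the kind of false positive a one-shot ps run invites; the example therefore re-probes every flagged PID with all methods at the same instant and only reports disagreement that persists.

```python
"""Simplified multi-method PID comparison in the spirit of unhide's quick
test. Added example for this thread, not unhide's or unhide.rb's code.
Assumes Linux: /proc, a ps binary, and os.sched_* (Python 3.3+)."""
import os
import subprocess


def _probe(fn, pid):
    """True if the kernel acknowledges PID for this call. ESRCH means the
    PID does not exist; EPERM means it exists but we may not inspect it."""
    try:
        fn(pid)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


# Per-PID syscall probes, matching the checks listed in the quoted output.
SYSCALL_PROBES = {
    "getsid": os.getsid,
    "getpgid": os.getpgid,
    "getpriority": lambda pid: os.getpriority(os.PRIO_PROCESS, pid),
}
for _name in ("sched_getparam", "sched_getaffinity",
              "sched_getscheduler", "sched_rr_get_interval"):
    if hasattr(os, _name):            # Linux-only calls in the os module
        SYSCALL_PROBES[_name] = getattr(os, _name)


def pid_max():
    """Upper bound of the PID space (assumes /proc/sys/kernel/pid_max)."""
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read())


def view_proc():
    """PIDs visible as numeric directories under /proc."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def view_ps():
    """PIDs reported by one run of ps (a single snapshot, hence the race)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def view_syscall(fn, upper):
    """PIDs 1..upper for which the syscall does not report ESRCH."""
    return {pid for pid in range(1, upper + 1) if _probe(fn, pid)}


def collect_views(upper=None):
    """One snapshot per method: {method: set of PIDs}."""
    upper = upper or pid_max()
    views = {"ps": view_ps(), "/proc": view_proc()}
    for name, fn in SYSCALL_PROBES.items():
        views[name] = view_syscall(fn, upper)
    return views


def live_probes():
    """Per-PID predicates used to re-check a flagged PID right now."""
    probes = {"ps": lambda pid: pid in view_ps(),
              "/proc": lambda pid: os.path.isdir(f"/proc/{pid}")}
    for name, fn in SYSCALL_PROBES.items():
        probes[name] = lambda pid, fn=fn: _probe(fn, pid)
    return probes


def compare_views(views):
    """Return {pid: {method: seen}} for every PID that at least one
    method saw and at least one did not."""
    report = {}
    for pid in sorted(set().union(*views.values())):
        seen = {name: pid in pids for name, pids in views.items()}
        if not all(seen.values()):
            report[pid] = seen
    return report


def recheck(report, probes):
    """Re-probe each flagged PID with every method at the same instant.
    Drops PIDs nobody sees any more (exited) and PIDs everybody now sees
    (started between snapshots); keeps only persistent disagreement."""
    confirmed = {}
    for pid in report:
        seen = {name: probe(pid) for name, probe in probes.items()}
        if any(seen.values()) and not all(seen.values()):
            confirmed[pid] = seen
    return confirmed


def format_report(report):
    """Render in the same style as the quoted unhide.rb output."""
    lines = []
    for pid, seen in report.items():
        lines.append(f"Suspicious PID {pid}:")
        for name, ok in seen.items():
            lines.append(f"  {'Seen' if ok else 'Not seen'} by {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    first = compare_views(collect_views())
    confirmed = recheck(first, live_probes())
    print(f"{len(first)} PIDs disagreed on first pass, "
          f"{len(confirmed)} still disagree on re-check")
    print(format_report(confirmed))
```

Run as root to avoid EPERM noise and expect the full pid_max sweep to take a while in Python; the point of the script is the two-stage logic, not its speed. The first pass reproduces the kind of disagreement John's output shows; the re-check is what separates a process that simply went away from one that the kernel acknowledges through getsid() or sched_getparam() but that ps or /proc do not list, which is the case worth investigating.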