Hi UnSpawn,

On 16/09/2010 17:32, unsp...@hushmail.com wrote:
> Personally, but that's my opinion, I value accuracy over speed. Do
> I read correctly from your reply you say that after running tests
> you conclude both tools end results are the same?
>    

I'm not totally sure about the 2 tools you refer to.

If you meant unhide.rb and the quick test of unhide, I can't be sure. I've never used unhide.rb, I just looked at the source after reading your first post.
Johan Walles created a fake rootkit with a scripted ps which hides the last process. As unhide.rb executes ps only one time at its start, it detects a suspicious process. unhide quick, on the opposite, executes ps for each existing process. So the hidden process is ps itself, not the process unhide looks for. There is no detection.
For the very same reason, short-lived processes which disappeared after ps is called in unhide.rb are seen as suspicious (false positives). "unhide quick" will with a great probability not report them.
The tools are not the same but are globally very similar. All the tests done by unhide.rb are also done by unhide quick with one exception. But the result of this test is not very discriminatory (yes/nil, not yes/no). It is replaced by another test in unhide quick.

In the first place, Johan created unhide.rb because he found that "unhide sys" was way too long. That's why I mentioned the speed of the quick test. I also value accuracy over speed :) but if you can get the best of both ...

If you meant the quick test against the sys + proc tests of unhide, the quick one does all the subtests done by sys and proc plus another one. The difference is that the proc and sys tests try very hard to avoid FP by doing double checks. On the other hand the quick test relies mostly on its speed to avoid FP.
On my system, which fortunately isn't infected by a rootkit, results for quick and proc+sys are the same :-)

On a totally different subject, rkhunter uses:
    HIDDEN_PROCS=`${UNHIDE_CMD} sys | grep '^F' | awk -F':' '{ print $2 }'`
which is fine in all cases but one, where "unhide sys" output is:
"HIDDEN Processes Found: number_of_hidden_processes"

I hope I answered your questions.

Best regards,

Patrick

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
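The difference Patrick describes between a single ps snapshot (unhide.rb), a ps run per PID (unhide quick) and the double-checked proc/sys tests, as an added simulation that is not code from unhide, unhide.rb or rkhunter. The process table, the scripted ps that drops its last line and the short-lived PID 900 are all constructed in-memory stand-ins for /proc and ps.

```python
"""Model of three hidden-process scans against a scripted 'ps' (constructed)."""
from typing import Callable, Set

PsFunc = Callable[[Set[int]], Set[int]]

# Constructed process table: 1..6 live the whole scan, 900 is short-lived.
LIVE = {1, 2, 3, 4, 5, 6}
SHORT_LIVED = 900


def proc_listing(live: Set[int]) -> Set[int]:
    """Stand-in for the numeric entries of /proc at one instant."""
    return set(live)


def honest_ps(live: Set[int]) -> Set[int]:
    """A ps that lists every live process."""
    return set(live)


def fake_rootkit_ps(live: Set[int]) -> Set[int]:
    """Johan Walles' scripted ps from the thread: hides the last (highest PID) line."""
    return set(sorted(live)[:-1])


def snapshot_scan(live_at_ps: Set[int], live_at_proc: Set[int], ps: PsFunc) -> Set[int]:
    """unhide.rb style: ps once at start, /proc walked afterwards."""
    seen = ps(live_at_ps)
    return {pid for pid in proc_listing(live_at_proc) if pid not in seen}


def per_pid_scan(live: Set[int], ps: PsFunc, ps_pid: int = 10000) -> Set[int]:
    """unhide quick style: a fresh ps per PID, so ps itself is the newest
    process in every run and is what the scripted rootkit hides."""
    flagged = set()
    for pid in sorted(proc_listing(live)):
        if pid not in ps(live | {ps_pid}):
            flagged.add(pid)
    return flagged


def double_checked_scan(live_at_ps: Set[int], live_at_proc: Set[int],
                        live_recheck: Set[int], ps: PsFunc) -> Set[int]:
    """proc/sys style: a PID missing from ps counts only if /proc still has it
    on a second look, so processes that merely exited are dropped."""
    candidates = snapshot_scan(live_at_ps, live_at_proc, ps)
    return {pid for pid in candidates if pid in proc_listing(live_recheck)}


if __name__ == "__main__":
    print("snapshot vs rootkit:", snapshot_scan(LIVE, LIVE, fake_rootkit_ps))
    print("per-pid vs rootkit: ", per_pid_scan(LIVE, fake_rootkit_ps))
    print("snapshot, short-lived:", snapshot_scan(LIVE, LIVE | {SHORT_LIVED}, honest_ps))
    print("double check, short-lived:",
          double_checked_scan(LIVE, LIVE | {SHORT_LIVED}, LIVE, honest_ps))
```

The snapshot scan flags PID 6 against the scripted ps but also flags the short-lived PID 900; the per-PID scan reports nothing in both cases, and the double check clears 900.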