On Thursday 28 July 2011 5:16:47 pm John Horne wrote:
> On Thu, 2011-07-28 at 11:11 -0400, Dimitri Yioulos wrote:
> > I understand perfectly that rkhunter depends on unhide to
> > find hidden network ports, and I have no reason to believe
> > that unhide doesn't work as advertised.  I did update to the
> > latest version, btw, but it still returns the same
> > information.
> >
> > ANY assistance you or anyone can give me to try and resolve
> > this would be greatly appreciated.
>
> It may be overkill but you could try running unhide via strace
> to see what is going on. Something like: strace -f unhide sys
>
> You may well want to capture all the output into a file. Use
> the 'unhide' command rather than 'unhide-tcp' as 'unhide-tcp'
> does not look for the program name associated with a found PID.
>
> Of course you could also try running strace on one of the found
> PIDs. Eg: strace -p 900
>
> John.
>
> --
> John Horne, University of Plymouth, UK
> Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001

John and Yago,

Aha!  John, I ran "strace -o traceout.txt -f unhide sys".  It 
wasn't the output to the file that gave me the clue as to what 
was causing the issue but, rather, the limited output that 
occurred to stdout.  It suggested that there were hidden PIDs 
related to Java, e.g.:

Found HIDDEN PID: 2446
Command: /usr/java/jdk1.5.0_11/bin/java

Now, we do have a couple of Java-based applications running on 
this machine (yes, the JDK is older, but we don't necessarily 
want to tinker with, or upgrade it, as at least one app which 
relies on it is older, and does work well).  I stopped each, in 
turn, and found that the hidden port went away when a particular 
program was stopped.  Interestingly enough, though, the hidden 
port hasn't reappeared since we started, and used, the app.  That 
would suggest, as per Yago ("sometimes when a program release(s) 
a socket because its ends, the kernel doesn't release the port"), 
that there may be a bug somewhere.  We could live with that, as 
long as we can whitelist the port or app.  I know that it's 
possible in rkhunter.

We'll see what happens going forward.  I'll update with further 
information, if warranted.

Thank you both very much for your help and insights.

Dimitri
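The question the thread circles around, which process actually holds a port that unhide reports, can be checked by hand from /proc. The Python below is an added example, not code from this thread or from the unhide or rkhunter projects: it parses /proc/net/tcp for listening sockets and maps each socket inode to the PID whose fd table references it. A listening inode that no PID claims is the situation Yago describes, a port the kernel still holds after the program let go of the socket. The /proc/net/tcp sample and the throwaway /proc tree are constructed for the example.

```python
import os
import socket
import struct
import tempfile

# Constructed sample of /proc/net/tcp (not from the thread): one socket
# listening on 0.0.0.0:8080 as uid 500, one established connection on :22.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 31415 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 27182 1 0000000000000000 20 4 30 10 -1
"""
TCP_LISTEN = "0A"  # state code the kernel prints for a listening socket

def decode_addr(field: str) -> tuple:
    """'0100007F:0016' -> ('127.0.0.1', 22). The kernel prints the IPv4 address
    as a native-endian 32-bit word, so repack it in native order before inet_ntoa."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16))), int(port_hex, 16)

def listening_sockets(text: str) -> list:
    """Return the LISTEN-state sockets in /proc/net/tcp text with their inodes."""
    found = []
    for line in text.splitlines()[1:]:  # first row is the column header
        f = line.split()
        if len(f) >= 10 and f[3] == TCP_LISTEN:
            ip, port = decode_addr(f[1])
            found.append({"ip": ip, "port": port, "uid": int(f[7]), "inode": int(f[9])})
    return found

def owner_of_inode(inode: int, proc: str = "/proc") -> "int | None":
    """Scan <proc>/<pid>/fd/* for a 'socket:[inode]' link; None if no process holds it."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target for fd in os.listdir(fd_dir)):
                return int(pid)
        except OSError:  # process exited mid-scan, or its fd dir is not readable to us
            continue
    return None

def fake_proc(pid: int, inode: int) -> str:
    """Build a throwaway /proc look-alike (constructed) so the mapping runs offline."""
    root = tempfile.mkdtemp()
    fd_dir = os.path.join(root, str(pid), "fd")
    os.makedirs(fd_dir)
    os.symlink(f"socket:[{inode}]", os.path.join(fd_dir, "3"))
    return root
```

Run as root against the real /proc, since another user's fd directories are not readable; a None result for a listening inode is the lingering-port case worth recording before deciding whether it belongs on an rkhunter whitelist.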

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
