Re: Wheezy rkhunter hidden process found

2013-08-04 Thread David Guntner
Martin Steigerwald grabbed a keyboard and wrote:
> Hi David,
> 
> On Sunday, 4 August 2013, 09:25:18, David Guntner wrote:
>> And the saga continues! :-)
>>
>> In this morning's reports, I found the following notation from rkhunter:
>>> Warning: Hidden processes found:
>>>  HIDDEN Processes Found: 1  sysinfo.procs = 519   ps_count = 521
>>
>> Is this anything I need to be worried about?  And how do I go about
>> finding the "hidden" process?  Is this a false positive that I should be
>> sticking something into the rkhunter.conf file to get it to ignore?
> 
> You could try unhide or unhide.rb to find out more.

Running the same unhide command as what showed up in the detailed report
(below) resulted in the following:

> # unhide sys
> Unhide 20110113
> http://www.unhide-forensics.info
> [*]Searching for Hidden processes through getpriority() scanning
> 
> [*]Searching for Hidden processes through getpgid() scanning
> 
> [*]Searching for Hidden processes through getsid() scanning
> 
> [*]Searching for Hidden processes through sched_getaffinity() scanning
> 
> [*]Searching for Hidden processes through sched_getparam() scanning
> 
> [*]Searching for Hidden processes through sched_getscheduler() scanning
> 
> [*]Searching for Hidden processes through sched_rr_get_interval() scanning
> 
> [*]Searching for Hidden processes through kill(..,0) scanning
> 
> [*]Searching for Hidden processes through comparison of results of system calls
> 
> [*]Searching for Hidden processes through sysinfo() scanning
> 
> HIDDEN Processes Found: 1   sysinfo.procs = 644   ps_count = 646

Which, to my eye, really doesn't tell me anything useful.

> And I'd look at the detailed report of rkhunter as well.
> 
> And I agree it may well be a false positive.

I'm fairly certain it's a false positive as well, given that the system
*just* got an upgrade, which would pretty much overwrite everything...

But I *am* curious as to what the process is, and how to tell rkhunter
to ignore that particular thing, if possible.

> I have rkhunter on my server and it doesn't report hidden processes, but how
> much does that say?

Here's what's in the actual report.  Still doesn't tell me much :-)

> [07:56:24] Info: Starting test name 'hidden_procs'
> [07:56:24] Info: Found the 'unhide' command: /usr/sbin/unhide
> [07:56:24] Info: Found 'unhide' command version: 20110113
> [07:58:40] Using command 'unhide sys'[ Warning ]
> [07:58:40] Info: Unable to find the 'unhide.rb' command
> [07:58:40]   Checking for hidden processes   [ Warning ]
> [07:58:40] Warning: Hidden processes found:
> [07:58:40]  HIDDEN Processes Found: 1   sysinfo.procs = 519   ps_count = 521

   --Dave
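To see what the "sysinfo.procs vs ps_count" style of check is actually comparing, and why a one-off difference is usually harmless, here is an added example (my own Python, not rkhunter's or unhide's code) that does what the kill(..,0) pass of `unhide sys` does: ask the kernel about every PID up to pid_max, compare that with what /proc lists, and only report a PID that stays flagged across several rounds. It assumes Linux and a readable /proc; the function names are mine.

```python
import os
import time

def pid_alive_via_syscalls(pid: int) -> bool:
    """True if the kernel knows this PID, whether or not /proc shows it.
    EPERM from kill() still means the process exists (another user's)."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True

def proc_pids() -> set[int]:
    """PIDs plus thread IDs under /proc (what 'ps -eL' sees). Threads must be
    included: kill(tid, 0) succeeds, so omitting them flags every thread."""
    seen: set[int] = set()
    for d in os.listdir("/proc"):
        if d.isdigit():
            seen.add(int(d))
            try:
                seen.update(int(t) for t in os.listdir(f"/proc/{d}/task"))
            except OSError:
                pass  # exited between the two listings
    return seen

def diff_hidden(syscall_pids: set[int], proc_listing: set[int]) -> set[int]:
    """Core comparison: alive according to the kernel, missing from /proc."""
    return syscall_pids - proc_listing

def stable_hidden(scans: list[set[int]]) -> set[int]:
    """Keep only PIDs flagged in every round: a process that starts or exits
    between the sweep and the /proc read is the usual one-off false positive."""
    return set.intersection(*scans) if scans else set()

def live_scan(rounds: int = 3, pause: float = 0.5) -> set[int]:
    """Linux only; sweeping 1..pid_max takes a while in Python."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    scans = []
    for _ in range(rounds):
        alive = {p for p in range(1, pid_max + 1) if pid_alive_via_syscalls(p)}
        scans.append(diff_hidden(alive, proc_pids()))
        time.sleep(pause)
    return stable_hidden(scans)

if __name__ == "__main__":
    print("hidden PIDs:", sorted(live_scan()) or "none")
```

A PID that survives all rounds is worth looking at by hand (its /proc entry, who owns it); a PID that appears in one round only is the race the thread is seeing.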






Re: Wheezy rkhunter hidden process found

2013-08-04 Thread Martin Steigerwald
Hi David,

On Sunday, 4 August 2013, 09:25:18, David Guntner wrote:
> And the saga continues! :-)
> 
> In this morning's reports, I found the following notation from rkhunter:
> > Warning: Hidden processes found:
> >  HIDDEN Processes Found: 1  sysinfo.procs = 519   ps_count = 521
> 
> Is this anything I need to be worried about?  And how do I go about
> finding the "hidden" process?  Is this a false positive that I should be
> sticking something into the rkhunter.conf file to get it to ignore?

You could try unhide or unhide.rb to find out more.

And I'd look at the detailed report of rkhunter as well.

And I agree it may well be a false positive.

I have rkhunter on my server and it doesn't report hidden processes, but how
much does that say?

Ciao,
-- 
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA  B82F 991B EAAC A599 84C7



Re: Wheezy rkhunter hidden process found

2013-08-04 Thread David Guntner
Brian grabbed a keyboard and wrote:
> On Sun 04 Aug 2013 at 09:25:18 -0700, David Guntner wrote:
> 
>> And the saga continues! :-)
>>
>> In this morning's reports, I found the following notation from rkhunter:
>>
>>> Warning: Hidden processes found:
>>>  HIDDEN Processes Found: 1  sysinfo.procs = 519   ps_count = 521
>>
>> Is this anything I need to be worried about?  And how do I go about
>> finding the "hidden" process?  Is this a false positive that I should be
>> sticking something into the rkhunter.conf file to get it to ignore?
> 
> Nobody should lose a moment's sleep over anything rkhunter reports. It
> appears to be designed to produce false positives and alarm its users.
> Best thing is to ignore anything it says. Purging it from the system
> brings total peace of mind.

lol - Don't sugar coat it, Brian; tell us how you *really* feel about
rkhunter. :-)

I've found in the past that it does have its uses once you tune the
.conf file to filter out the things that you expect to be there
(/etc/.java, etc.).

As an example, it calls attention to new users and groups which have
been created.  Now, if I installed a new package that includes those
users/groups, that's great.  But if I *haven't* done something which
would create a new user or group, I'm certainly going to want to know
about it, since that could be pointing to a bigger problem...

I see that I can turn off the hidden process check, but if possible, I'd
prefer to find a way to whitelist something that's supposed to be
hidden.  Of course, if the silly thing isn't going to show me what the
hidden process is, it's not as useful. :-)  I'll have to look into it
further before deciding if I want to turn that off (and for the record,
it's off by default when installed; I turned it on back in the squeeze
days (and didn't get it protesting about a hidden process then) because
it "seemed like a good idea" - if that's no longer the case, then I'll
turn that test back off).

 --Dave







Re: Wheezy rkhunter hidden process found

2013-08-04 Thread Brian
On Sun 04 Aug 2013 at 09:25:18 -0700, David Guntner wrote:

> And the saga continues! :-)
> 
> In this morning's reports, I found the following notation from rkhunter:
> 
> > Warning: Hidden processes found:
> >  HIDDEN Processes Found: 1  sysinfo.procs = 519   ps_count = 521
> 
> Is this anything I need to be worried about?  And how do I go about
> finding the "hidden" process?  Is this a false positive that I should be
> sticking something into the rkhunter.conf file to get it to ignore?

Nobody should lose a moment's sleep over anything rkhunter reports. It
appears to be designed to produce false positives and alarm its users.
Best thing is to ignore anything it says. Purging it from the system
brings total peace of mind.





Wheezy rkhunter hidden process found

2013-08-04 Thread David Guntner
And the saga continues! :-)

In this morning's reports, I found the following notation from rkhunter:

> Warning: Hidden processes found:
>  HIDDEN Processes Found: 1   sysinfo.procs = 519   ps_count = 521

Is this anything I need to be worried about?  And how do I go about
finding the "hidden" process?  Is this a false positive that I should be
sticking something into the rkhunter.conf file to get it to ignore?

Thanks.

 --Dave


