hidden process

Dmitriy Tarasov

I have gotten the following information from chkrootkit:

You have 4 process hidden for readdir command
You have 4 process hidden for ps command

Is it possible to view these processes?
Does “Red Hat Enterprise Linux ES release 4” create hidden processes?
 
Nope, cent doesn't create them, but rootkits do - you're gonna want to install rootkithunter to see if you've been exploited
 
Rkhunter says that:

MD5
MD5 compared: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

It is strange that it also says that root login is possible, in spite of the fact that I commented out this line in /etc/ssh/sshd_config:
#AllowUsers root
and left this one uncommented:
AllowUsers admin

Nevertheless, how can I view the hidden processes? I do not know their PIDs to kill them.
 
http://csl.sublevel3.org/listps/

wget http://csl.sublevel3.org/listps/listps-src.tar.gz
tar xfvz listps-src.tar.gz
mkdir -p /usr/man/man1
make listps install

when it's done, run:

./listps -d

it'll show the hidden processes

---

Usage: listps [OPTION(s)]

Lists all running processes, including hidden ones.

This is done by explicitly trying to open /proc/pid/cmdline for all processes
in the range /proc/1/cmdline to /proc/33000/cmdline.

Swapped out processes are written in paranthesis.

This utility works very well with some rootkits, like e.g.
Suckit 1.3e, which inserts a linux kernel module to perform process hiding.

Options:
-h Print help
-v Print version
-d Print ONLY hidden processes
 
Thank you. I do not know what to think about it. Chkproc says that there are hidden processes, but
listps -d
shows nothing.
 
chkrootkit is often too aggressive when reporting hidden processes. Try running it when the server is quite quiet.

Jeff
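
The comparison that the listps usage text describes (open /proc entries by explicit path, then compare with what readdir returns), as an added example that is not part of the thread or of listps itself. It reads /proc/<pid>/status rather than cmdline so that thread IDs, which open by path but are never listed, can be skipped, and it lists /proc a second time to drop processes that started or exited during the scan; both produce false reports on a busy server. All function names are this example's own.

```python
import os

def listed_pids(proc="/proc"):
    """PIDs returned by readdir() on /proc, the view that ps and ls use."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def read_tgid(pid, proc="/proc"):
    """Tgid from /proc/<pid>/status, or None if the entry cannot be opened."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError, IndexError):
        pass
    return None

def pid_limit(proc="/proc", default=33000):
    """Kernel pid_max if readable; otherwise the range listps scans."""
    try:
        with open(os.path.join(proc, "sys/kernel/pid_max")) as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return default

def find_hidden(proc="/proc", max_pid=None, lister=listed_pids):
    """PIDs that open by explicit path but are missing from the listing."""
    max_pid = max_pid or pid_limit(proc)
    before = lister(proc)
    suspects = []
    for pid in range(1, max_pid + 1):
        if pid in before:
            continue
        # Thread IDs open as /proc/<tid> but are never listed; their
        # Tgid differs from the number probed, so they are skipped.
        if read_tgid(pid, proc) == pid:
            suspects.append(pid)
    # Second pass drops processes that started or exited mid-scan.
    after = lister(proc)
    return [p for p in suspects if p not in after and read_tgid(p, proc) == p]

if __name__ == "__main__":
    for pid in find_hidden():
        print("not in readdir but opens by path:", pid)
```

Run it as root so every status file is readable. An empty result only means that readdir and direct opens agree; a kernel module that filters both views would not show up this way.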
 