Security Basics mailing list archives
Re: hidden processes
From: Erik Vincent <evincent () ndexsystems com>
Date: 31 Jul 2003 10:16:22 -0400
You can try to use the lsof command and check it against your ps output. You can also check in your /proc filesystem.

If you have another server with the same OS version, you can try to do an md5sum on your ps and netstat commands. This will show you if those commands have been modified by the hacker.

A nice thing to do on your Unix box is to have some commands burned on CD-ROM: commands like md5sum, ps, grep, ls, netstat, lsof, etc. If your system gets hacked and binaries are replaced, you can use the commands burned on your CD-ROM and you are sure to use unmodified versions of them. Or use a read-only filesystem.

This is my 0.02$ CDN cents...

On Wed, 2003-07-30 at 17:28, Vlady wrote:
> Hi,
>
> One of my machines is hacked and chkrootkit-0.40 tells me that I have 3 processes hidden from "ps". All of my system binaries look like being clean. Using "netstat" I can see that there is not a listening service other than the services supposed to work on the machine. I know that the best way to go further is to reinstall the machine, but first I would like to understand more of what has happened. My question is how can I see these 3 hidden processes.
>
> Cheers
> Vlady
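The ps versus /proc comparison suggested in the reply above, as an added example that is not part of the original message. The function names `hidden_pids` and `demo` are hypothetical, and the fake /proc tree and ps listing in `demo` are constructed sample input.

```shell
#!/bin/sh
# Added example: report PIDs that have a /proc entry but are absent from ps.
#
# hidden_pids PROC_DIR PS_FILE
#   PROC_DIR  directory laid out like /proc (numeric subdirectories are PIDs)
#   PS_FILE   file with one PID per line, as printed by `ps -e -o pid=`
# Prints one PID per line for every /proc entry that ps did not list.
hidden_pids() {
    proc_dir=$1
    ps_file=$2
    for entry in "$proc_dir"/[0-9]*; do
        [ -d "$entry" ] || continue
        pid=${entry##*/}
        # Skip names that merely start with a digit.
        case $pid in *[!0-9]*) continue ;; esac
        # ps pads PIDs with blanks; match the whole line so 7 never matches 70.
        if ! grep -Eq "^[[:space:]]*${pid}[[:space:]]*\$" "$ps_file"; then
            echo "$pid"
        fi
    done
}

# Constructed sample: a fake /proc holding PIDs 1, 412, 977 and 1033, and a
# ps listing in which 977 is missing.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/proc" "$tmp/proc/1" "$tmp/proc/412" "$tmp/proc/977" \
          "$tmp/proc/1033" "$tmp/proc/net"
    printf '    1\n  412\n 1033\n' > "$tmp/ps.txt"
    hidden_pids "$tmp/proc" "$tmp/ps.txt"
    rm -rf "$tmp"
}

# Live use on the suspect host (take the ps snapshot first, then scan /proc
# from the same shell so no helper process shows up in the scan):
#   ps -e -o pid= > /tmp/ps.txt
#   hidden_pids /proc /tmp/ps.txt
```

A process that starts between the ps snapshot and the /proc scan is reported as well, so repeat the run before treating a PID as hidden. An empty result does not clear the host, because kernel-level hiding can remove the /proc entries too.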
Current thread:
- hidden processes Vlady (Jul 30)
- Re: hidden processes Meritt James (Jul 31)
- Re: hidden processes Daniel B. Cid (Jul 31)
- Re: hidden processes Erik Vincent (Jul 31)
- Re: hidden processes Birl (Jul 31)
- Re: hidden processes gminick (Jul 31)
- <Possible follow-ups>
- RE: hidden processes Johnson, Kevin (Jul 31)
- Re: hidden processes Meritt James (Jul 31)