Re: hidden processes

[Erik Vincent <evincent () ndexsystems com>]

You can try to use the lsof command and check between your ps output.
You cant also check in your /proc filesystem.

If you have another server with the same OS version, you can try to do
an md5sum on your ps and netstat command. This will show you if those
command have been modify by the hacker.....

A nice thing to do on your unix box, is to have some command burn on
CDROM. Command like md5sum, ps, grep, ls, netstat, lsof etc....

If your system get hacker and binnaries are replace, you can use command
burn on your CDROM and your are sure to use non modify version of it.
Or use a ready only filesystem.....

This is my 0.02$ CDN cents...

On Wed, 2003-07-30 at 17:28, Vlady wrote:
> Hi,
> One of my mashines is hacked and chkrootkit-0.40 tells me that I have 3 
> proccess hidden from "ps". All of my system binaries looks like beeing clean.
> Using "netstat" I can see that there is not a lisenning servise other than the 
> services suppused to work on the machine.  
> I know that the best way to go further is to reinstall the machine but first I 
> would like to understand more of what have happend.
>
> My question is how can I see this 3 hidden processes.
>
> Cheers
> Vlady
>
>
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------