Security Basics mailing list archives
RE: hidden processes
From: "Johnson, Kevin" <Kevin.Johnson () bcbsfl com>
Date: Thu, 31 Jul 2003 13:30:59 -0400
Hi- Is chkrootkit the reason you believe you box was hacked? If so, please check the chrootkit site at http://www.chkrootkit.org They have a mailing list I don't have access to right now but there was a bit of conversation about false positives. Kevin Johnson -----Original Message----- From: Erik Vincent [mailto:evincent () ndexsystems com] Sent: Thursday, July 31, 2003 10:16 AM To: Vlady Cc: security-basics () securityfocus com Subject: Re: hidden processes You can try to use the lsof command and check between your ps output. You cant also check in your /proc filesystem. If you have another server with the same OS version, you can try to do an md5sum on your ps and netstat command. This will show you if those command have been modify by the hacker..... A nice thing to do on your unix box, is to have some command burn on CDROM. Command like md5sum, ps, grep, ls, netstat, lsof etc.... If your system get hacker and binnaries are replace, you can use command burn on your CDROM and your are sure to use non modify version of it. Or use a ready only filesystem..... This is my 0.02$ CDN cents... On Wed, 2003-07-30 at 17:28, Vlady wrote:
Hi, One of my mashines is hacked and chkrootkit-0.40 tells me that I have 3 proccess hidden from "ps". All of my system binaries looks like beeing
clean.
Using "netstat" I can see that there is not a lisenning servise other than
the
services suppused to work on the machine. I know that the best way to go further is to reinstall the machine but
first I
would like to understand more of what have happend. My question is how can I see this 3 hidden processes. Cheers Vlady
---------------------------------------------------------------------------
---------------------------------------------------------------------------- --------------------------------------------------------------------------- ---------------------------------------------------------------------------- Blue Cross Blue Shield of Florida, Inc., and its subsidiary and affiliate companies are not responsible for errors or omissions in this e-mail message. Any personal comments made in this e-mail do not reflect the views of Blue Cross Blue Shield of Florida, Inc. The information contained in this document may be confidential and intended solely for the use of the individual or entity to whom it is addressed. This document may contain material that is privileged or protected from disclosure under applicable law. If you are not the intended recipient or the individual responsible for delivering to the intended recipient, please (1) be advised that any use, dissemination, forwarding, or copying of this document IS STRICTLY PROHIBITED; and (2) notify sender immediately by telephone and destroy the document. THANK YOU. --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- hidden processes Vlady (Jul 30)
- Re: hidden processes Meritt James (Jul 31)
- Re: hidden processes Daniel B. Cid (Jul 31)
- Re: hidden processes Erik Vincent (Jul 31)
- Re: hidden processes Birl (Jul 31)
- Re: hidden processes gminick (Jul 31)
- <Possible follow-ups>
- RE: hidden processes Johnson, Kevin (Jul 31)
- Re: hidden processes Meritt James (Jul 31)