Security Basics mailing list archives

RE: hidden processes


From: "Johnson, Kevin" <Kevin.Johnson () bcbsfl com>
Date: Thu, 31 Jul 2003 13:30:59 -0400

Hi-

Is chkrootkit the reason you believe your box was hacked?  If so, please
check the chkrootkit site at http://www.chkrootkit.org.  They have a mailing
list I don't have access to right now, but there was a bit of conversation
about false positives.

Kevin Johnson


-----Original Message-----
From: Erik Vincent [mailto:evincent () ndexsystems com]
Sent: Thursday, July 31, 2003 10:16 AM
To: Vlady
Cc: security-basics () securityfocus com
Subject: Re: hidden processes


You can try to use the lsof command and check it against your ps output.
You can also check in your /proc filesystem.

If you have another server with the same OS version, you can try to do
an md5sum on your ps and netstat commands. This will show you if those
commands have been modified by the hacker.....

A nice thing to do on your unix box is to have some commands burned on
CD-ROM. Commands like md5sum, ps, grep, ls, netstat, lsof, etc....

If your system gets hacked and binaries are replaced, you can use the commands
burned on your CD-ROM and you are sure to use unmodified versions of them.
Or use a read-only filesystem.....

This is my $0.02 CDN...

On Wed, 2003-07-30 at 17:28, Vlady wrote:
Hi,
One of my machines is hacked and chkrootkit-0.40 tells me that I have 3
processes hidden from "ps". All of my system binaries look like they are
clean.
Using "netstat" I can see that there is no listening service other than the
services supposed to work on the machine.
I know that the best way to go further is to reinstall the machine, but first I
would like to understand more of what has happened.

My question is how can I see these 3 hidden processes.

Cheers
Vlady
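Erik's suggestion of checking /proc against the ps output, written out as an added example script (not code posted in the thread). It assumes a Linux-style /proc and a ps that accepts `-e -o pid=`; hidden_pids is the portable comparison, check_live probes the running box.

```shell
#!/bin/sh
# Added example, not from the thread: compare the kernel's own view of running
# processes (/proc) with what the ps binary reports. A PID that has a /proc
# entry but is missing from ps is either hidden by a trojaned ps or a process
# that exited between the two snapshots, the usual chkrootkit false positive.

# hidden_pids PROC_PIDS PS_PIDS: both are newline-separated PID lists; prints
# the PIDs present in PROC_PIDS but missing from PS_PIDS, in numeric order.
hidden_pids() {
    ps_list=$(mktemp) || return 1
    printf '%s\n' "$2" | grep -x '[0-9][0-9]*' | sort -u > "$ps_list"
    printf '%s\n' "$1" | grep -x '[0-9][0-9]*' | sort -u \
        | comm -23 - "$ps_list" | sort -n
    rm -f "$ps_list"
}

# PIDs as the kernel exposes them: the numeric directory names under /proc.
proc_pids() { for d in /proc/[0-9]*; do printf '%s\n' "${d#/proc/}"; done; }

# PIDs as the (possibly replaced) ps binary is willing to show them.
ps_pids() { ps -e -o pid= | tr -d ' '; }

# Take two snapshots a second apart and report only PIDs hidden in both, so
# short-lived processes are not mistaken for hidden ones.
check_live() {
    first=$(hidden_pids "$(proc_pids)" "$(ps_pids)")
    sleep 1
    second=$(hidden_pids "$(proc_pids)" "$(ps_pids)")
    for pid in $first; do
        printf '%s\n' "$second" | grep -qx "$pid" || continue
        # exe and cmdline come straight from the kernel; exe needs root to read.
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
        cmd=$(tr '\000' ' ' 2>/dev/null < "/proc/$pid/cmdline" || echo '?')
        printf 'hidden pid %s exe=%s cmdline=%s\n' "$pid" "$exe" "$cmd"
    done
}

# Probe the live system only when run as "sh hidden.sh --live". Run it from a
# shell whose PATH starts with a mount of known-good binaries (Erik's CD-ROM)
# so that grep, sort, comm and ps themselves are trusted.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```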
