Security Basics mailing list archives

Re: hidden processes


From: "Daniel B. Cid" <danielcid () yahoo com br>
Date: 31 Jul 2003 14:30:45 -0400

It means that you have a rootkit installed and it is hiding some
processes. It doesn't mean that your ps or netstat has been trojaned...

Dbc

On Thu, 2003-07-31 at 09:18, Meritt James wrote:
As a couple of untried thoughts, is 'ps' itself corrupted?  Will you get
the right thing with full-path specification?  And you may want to
(briefly - it is a space hog) turn on process accounting and take a look
at that.

BTW:  What does "hidden from ps" mean?

Jim

Vlady wrote:

Hi,
One of my machines is hacked and chkrootkit-0.40 tells me that I have 3
processes hidden from "ps". All of my system binaries look like being clean.
Using "netstat" I can see that there is not a listening service other than the
services supposed to work on the machine.
I know that the best way to go further is to reinstall the machine but first I
would like to understand more of what has happened.

My question is how can I see these 3 hidden processes.

Cheers
Vlady

---------------------------------------------------------------------------
----------------------------------------------------------------------------

-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566
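
One way to look for the processes chkrootkit reports, as an added example that is not part of the original thread and not chkrootkit's own code: compare what ps prints with which PIDs resolve under /proc. The function names, `PROC_ROOT`, `PID_MAX` and the `--scan` switch are assumptions of this example, and a rootkit that also hides its entries from /proc lookups will not show up here.

```shell
#!/bin/sh
# Cross-view check: PIDs that resolve under /proc but that ps does not report.
# PROC_ROOT and PID_MAX are overridable (assumption of this example) so the
# logic can be exercised on a constructed directory tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# PIDs as reported by ps, one per line.
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# Probe every candidate PID by name instead of listing the directory, so an
# entry filtered out of the directory listing is still found.
probe_pids() {
    max="${PID_MAX:-$(cat "$PROC_ROOT/sys/kernel/pid_max" 2>/dev/null || echo 32768)}"
    pid=1
    while [ "$pid" -le "$max" ]; do
        [ -d "$PROC_ROOT/$pid" ] && echo "$pid"
        pid=$((pid + 1))
    done
}

# True when /proc/PID is a thread of another process: Linux resolves thread
# IDs under /proc without listing them, which is not a sign of hiding.
is_thread() {
    tgid=$(awk '/^Tgid:/ {print $2}' "$PROC_ROOT/$1/status" 2>/dev/null)
    [ -n "$tgid" ] && [ "$tgid" != "$1" ]
}

# Print PIDs seen by the probe but absent from ps. ps is sampled before and
# after the probe, and each candidate is rechecked, so processes that merely
# started or exited during the scan are not reported.
scan_hidden() {
    tmp=$(mktemp -d) || return 1
    ps_pids > "$tmp/ps"
    probe_pids > "$tmp/probe"
    ps_pids >> "$tmp/ps"
    grep -vxFf "$tmp/ps" "$tmp/probe" | while read -r pid; do
        [ -d "$PROC_ROOT/$pid" ] || continue
        is_thread "$pid" && continue
        echo "$pid"
    done
    rm -rf "$tmp"
}

# Run the scan only when asked to, e.g.: sh hidden.sh --scan
if [ "${1:-}" = "--scan" ]; then scan_hidden; fi
```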