As an alternative solution, unhide (the hidden-processes-scanner) could be replaced with rkhunter.rb:
http://bazaar.launchpad.net/~walles/unhide.rb/trunk/view/head:/unhide.rb
https://launchpad.net/unhide.rb

unhide.rb provides much better diagnostics than the original unhide and is also about 10x faster than the C original.

Regards //Johan

2011/3/11 George Zarkadas <georgios.zarka...@gmail.com>:
> Package: rkhunter
> Version: 1.3.6-4
> Severity: wishlist
> Tags: patch
>
> If the option to check hidden processes is enabled, rkhunter will output
> 'Found HIDDEN PID ...' messages in its report. However, no other info is
> provided, and the report itself may be read quite a while after the time
> the processes were checked. Since many of these messages result from false
> positives, the report usually is over-alerting and also not of much
> help; all pids must be manually checked, and since this is done quite some
> time after the incident, one can never be sure.
>
> The proposed patch inspects processes found immediately after and, if the
> /proc/pid directory exists (in the other case, as the rkhunter documentation
> states, it is probably a process caught while shutting down), prints a
> report about it in the job's message; else it reports the pid as probably
> safe.
>
> regards
> George Zarkadas
>
> ===============================PATCH-STARTS==============
> --- debian/cron.daily > +++ debian/cron.daily.new
> @@ -11,11 +11,59 @@ > NICE=0 > fi > > +# Pretty-print a header ($1) and a command output ($2). > +# Add a final newline if $3 is supplied and not an empty string > +# > +print_pid_item () > +{ > + printf "## %s :\n%s\n" "${1}" '##############' > + eval "${2}" > + if [ "X${3}" != "X" ]; then > + printf "\n" > + fi > +} > + > +# We have pid as $1 and we are in /proc/$1 (cd'ed by caller) > +# > +fullreport_hidden_pid () > +{ > + echo '################################################################' > + print_pid_item '/proc/PID' 'pwd' > + print_pid_item 'cmdline ' 'cat cmdline' 1 > + print_pid_item 'exe ' 'ls -lA exe' > + print_pid_item 'cwd ' 'ls -lA cwd' > + print_pid_item 'loginuid ' 'cat loginuid' 1 > + print_pid_item 'attr ' 'ls attr' > + print_pid_item 'fd ' 'ls -lA fd' > + print_pid_item 'environ ' 'cat environ | tr "\0" "\n"' > + print_pid_item 'status ' 'cat status' > + print_pid_item 'maps ' 'cat maps' > + print_pid_item 'ps io ' 'cat io' > + echo '################################################################' > + echo > +} > + > case "$CRON_DAILY_RUN" in > [Yy]*) > OUTFILE=`mktemp` || exit 1 > /usr/bin/nice -n $NICE $RKHUNTER --cronjob --report-warnings-only > --appendlog > $OUTFILE > if [ -s "$OUTFILE" ]; then > + > + # Seek more info for hidden pids now; later it may > + # be impossible to do so. 
> + > + for pid in `<$OUTFILE awk '/Found HIDDEN PID:/ {print $NF}'` > + do > + echo " Quering Hidden Pid Status, PID: ${pid}" >> $OUTFILE > + cd /proc/${pid} > + if [ "`pwd`" = "/proc/${pid}" ] > + then > + echo " HIDDEN PROCESS IS RUNNING (SECURITY ALERT):" >> > $OUTFILE > + fullreport_hidden_pid ${pid} >> $OUTFILE > + else > + echo " Appears to be a transient process (probably > should be ignored)" >> $OUTFILE > + fi > + done > ( > echo "Subject: [rkhunter] $(hostname -f) - Daily report" > echo "To: $REPORT_EMAIL" > ===============================PATCH-ENDS================
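Review bot: the `cd /proc/${pid}` in the for loop is never undone and its failure is not checked, so once one PID resolves, every later iteration and the mail-building subshell that follows run from inside /proc/<pid>; test with `[ -d "/proc/${pid}" ]` and run the inspection in a subshell, e.g. `( cd "/proc/${pid}" && fullreport_hidden_pid )`, instead of comparing `pwd` against the expected path. Two further points in this hunk: the else branch files a PID whose /proc directory cannot be entered under "probably should be ignored", but a rootkit that hides the whole /proc/<pid> entry from lookup produces exactly that outcome, so a failed lookup should stay in the report as unresolved rather than be waved through; and `cat environ` in `fullreport_hidden_pid` copies the process environment, which routinely carries credentials and tokens, into a report that is then sent by plain e-mail, so drop it from the mailed text or keep it only in the local log. Minor: `fullreport_hidden_pid ${pid}` passes the PID but the function never uses `$1`, `cat cmdline` prints NUL-separated arguments run together (the `tr "\0" "\n"` used for environ is needed here too), and the message string reads "Quering" rather than "Querying".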
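The re-check described in the bug report, as an added example written for this page and not George's patch or rkhunter's own code: it keeps the idea of inspecting each reported PID right after the scan, but runs the inspection in a subshell so the cron job's working directory is untouched, treats a PID whose /proc entry cannot be found as unresolved rather than safe, adds a kill(2) probe that does not depend on /proc, and leaves environ out of anything that will be mailed. The 'Found HIDDEN PID:' wording is taken from the quoted report; the optional root-directory argument (so a test can point at a constructed tree instead of the real /proc) and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or from rkhunter: triage the
# "Found HIDDEN PID: <n>" lines of an rkhunter report right after the scan.
# Assumptions: the message wording is as quoted in the report above, and the
# second argument (defaulting to /proc) lets a test point at a constructed
# tree instead of the real /proc.

# PIDs named by rkhunter, one per line.
hidden_pids_from_report() {
    awk '/Found HIDDEN PID:/ { print $NF }' "$1"
}

# Verdict for one PID: running | hidden | unresolvable | invalid.
# A missing /proc/<pid> is not assumed benign: a rootkit that hides the whole
# directory looks the same as a process that has exited.  Against the real
# /proc, kill -0 is used as a second probe that does not go through /proc.
classify_pid() {
    root=${2:-/proc}
    case $1 in ''|*[!0-9]*) echo invalid; return 0 ;; esac
    if [ -d "$root/$1" ]; then
        echo running
    elif [ "$root" = /proc ] && kill -0 "$1" 2>/dev/null; then
        echo hidden          # answers kill(2) but has no visible /proc entry
    else
        echo unresolvable    # exited, or hidden from path lookup as well
    fi
}

# Details an analyst wants for a live PID.  Runs in a subshell so the
# caller's working directory is untouched.  environ is left out on purpose:
# it commonly carries credentials and this text ends up in an e-mail.
describe_pid() (
    d="${2:-/proc}/$1"
    printf '## pid %s\n' "$1"
    printf 'cmdline : '; tr '\0' ' ' < "$d/cmdline" 2>/dev/null || :; printf '\n'
    printf 'exe     : %s\n' "$(readlink "$d/exe" 2>/dev/null || echo '?')"
    printf 'cwd     : %s\n' "$(readlink "$d/cwd" 2>/dev/null || echo '?')"
    grep -E '^(Name|State|PPid|Uid|Gid):' "$d/status" 2>/dev/null || :
)

# Walk the report; exit status 1 when a reported PID is still alive.
triage_report() {
    report=$1; root=${2:-/proc}; alert=0
    for pid in $(hidden_pids_from_report "$report"); do
        verdict=$(classify_pid "$pid" "$root")
        echo "PID $pid: $verdict"
        case $verdict in
            running|hidden) describe_pid "$pid" "$root"; alert=1 ;;
            unresolvable)   echo "  no /proc entry now: likely exited between scan and check, but not proven" ;;
        esac
    done
    return $alert
}
```

In a cron job this would be called as `triage_report "$OUTFILE" >> "$OUTFILE"` immediately after the rkhunter run, with the exit status deciding whether the subject line carries an alert; the `hidden` verdict only appears when run against the real /proc, since the kill(2) probe is meaningless on a constructed tree.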