Is this happening on every scan? Is it possible that it is a process that either starts or ends during the scan, so that ps sees it but by the time the /proc check occurs, it is gone, or vice versa? I had not heard of unhide until this thread, but OSSEC has a similar feature, and I have seen this on my mailserver. The conclusion I came to is that a routine (but short) process (such as postfix attempting to deliver mail) was firing and/or ending during the scan, causing the false positive?
I'll take a look at unhide.

--b

On Fri, Apr 8, 2011 at 10:15 AM, green <greenfreedo...@gmail.com> wrote:
> James Brown wrote at 2011-04-07 23:43 -0500:
> > On 08.04.2011 03:20, green wrote:
> > > James Brown wrote at 2011-04-07 21:50 -0500:
> > >> `unhide` determines that there is a hidden process in my system, but doesn't
> > >> indicate it concretely:
> > >
> > >> HIDDEN Processes Found: 1
> > >
> > > Hmm, interesting. Same result here with sys method, but nothing is detected
> > > using the proc and brute methods.
> >
> > Yes, only with sys method. Your system is 'squeeze' too? (I had no such
> > result under lenny).
>
> Yes, Debian squeeze x64.
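The race the first message describes (a short-lived process visible to one enumeration but gone by the time the other runs) is easy to reproduce with a naive /proc-versus-ps comparison; the following is an added example, not code from unhide or from anyone in this thread, showing the single-pass check beside a re-sampling variant that only reports PIDs stable across every sample. It assumes a Linux /proc and a ps that accepts `ps -eo pid=`; the PID sets in the test are constructed.

```python
"""Added example: /proc vs ps hidden-process check with re-sampling
to suppress the transient-process false positive discussed above."""
import os
import subprocess
import time


def snapshot_proc():
    """PIDs visible as numeric directories under /proc (Linux only)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def snapshot_ps():
    """PIDs as reported by ps(1); `-eo pid=` prints bare PIDs, no header."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_single_pass(proc_pids, ps_pids):
    """Naive check: anything in /proc but missing from ps is flagged.
    A process that exits between the two samples (e.g. an MTA delivery
    child) lands here as a false positive."""
    return proc_pids - ps_pids


def hidden_multi_pass(proc_samples, ps_samples):
    """Flag only PIDs present in *every* /proc sample and absent from
    *every* ps sample. A short-lived process shows up in only some
    samples and is dropped; a PID that truly never reaches ps across
    all rounds remains worth a manual look."""
    stable = set.intersection(*proc_samples)
    seen_by_ps = set.union(*ps_samples)
    return stable - seen_by_ps


def scan(rounds=3, delay=0.2):
    """Collect interleaved /proc and ps samples and apply the stable check."""
    proc_samples, ps_samples = [], []
    for _ in range(rounds):
        proc_samples.append(snapshot_proc())
        ps_samples.append(snapshot_ps())
        time.sleep(delay)
    return hidden_multi_pass(proc_samples, ps_samples)


if __name__ == "__main__":
    print("stable hidden PIDs:", sorted(scan()) or "none")
```

A PID reported by the multi-pass check still merits confirmation against /proc/<pid>/status, since PID reuse across rounds can in principle keep a number "stable" while the process behind it changed.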