On 13/04/2008, Alex Samad <[EMAIL PROTECTED]> wrote:
>
> On Sun, Apr 13, 2008 at 05:31:53PM +0100, Robin wrote:
> > On 13/04/2008, NN_il_Confusionario <[EMAIL PROTECTED]> wrote:
> > >
> > > On Sun, Apr 13, 2008 at 02:41:55PM +0100, Robin wrote:
> > > > unhide proc :- Which gives intermittent hidden processes
> > > > unhide sys :- [*]Searching for Hidden processes through getsid() scanning
> > > > Found HIDDEN PID: 16356
> > > > [*]Searching for Hidden processes through sched_getscheduler() scanning
> > > > Found HIDDEN PID: 17408
> > > > unhide brute :- [*]Starting scanning using brute force against PIDS
> > > > Found HIDDEN PID: 2216
> > > > Found HIDDEN PID: 2503
> > >
> > > You could also try
> > > netstat -anp|less
> > > unhide-tcp
> > >
> > > If someone hacked the box, probably a net process was used to enter and
> > > new net processes are spawned.
> > >
> > > Moreover:
> > >
> > > apt-cache search forensic
> > >
> > > Linkname: Securing Debian Manual
> > > URL: http://www.debian.org/doc/user-manuals#securing
> > >
> > > might give further ideas
> >
> I downloaded this and installed it, just to try (unhide) and it found
> lots of hidden processes through unhide sys.
>
> Different pids each time. So I ran this
>
> >/tmp/thelist; for x in $(seq 1 2000); do echo 1 >/dev/null & echo $! >> /tmp/thelist ; done
>
> out of curiosity, it did not miss a pid, which makes me think unhide
> raises a lot of false positives ?
I'm coming to that conclusion. Netstat showed nothing suspicious.

Thanks to all
-- 
rob
http://www.worldcommunitygrid.org/team/viewTeamInfo.do?teamId=82BS4ZCMFR1
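An added example, not code from this thread or from the unhide project: it reproduces the timing race that Alex's seq loop exposes (a PID that lives and dies between two enumerations looks "hidden" to a one-shot comparison) and shows the re-check a defender wants before treating a PID as rootkit-hidden. It assumes a Linux /proc, uses kill -0 as a stand-in for the getsid()/sched_getscheduler() probes unhide sys makes, and the class names (visible, exited, new, hidden) are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Two independent process enumerations,
# a snapshot taken before the probe, and a re-check that turns the PID-churn
# false positives into "exited"/"new" instead of "hidden".

# Enumeration 1: what the kernel shows in /proc (what ps and unhide proc read).
list_proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && echo "${d#/proc/}"
    done
}

# Enumeration 2: probe one PID without listing anything. kill -0 sends no signal,
# it only asks whether the PID exists; EPERM on another user's process still
# means it exists, so fall back to the /proc directory in that case.
pid_exists() {
    kill -0 "$1" 2>/dev/null || [ -d "/proc/$1" ]
}

# Classify one PID against a /proc snapshot ($2, newline-separated) taken earlier:
#   visible - in the snapshot, nothing to explain
#   exited  - not in the snapshot and gone now: it lived and died between the two
#             enumerations (the false positives the thread is about)
#   new     - exists and shows up in /proc on re-check: created after the snapshot
#   hidden  - exists but is still absent from /proc after the re-check; only this
#             class is worth a rootkit investigation
classify_pid() {
    pid=$1; snapshot=$2
    printf '%s\n' "$snapshot" | grep -qx "$pid" && { echo visible; return; }
    pid_exists "$pid" || { echo exited; return; }
    sleep 1    # let the churn settle, then read /proc a second time
    if list_proc_pids | grep -qx "$pid"; then echo new; else echo hidden; fi
}

# Brute-force scan of a PID range that prints only PIDs surviving the re-check,
# rather than every PID that differs between the two enumerations.
scan_range() {
    lo=$1; hi=$2
    snapshot=$(list_proc_pids)
    pid=$lo
    while [ "$pid" -le "$hi" ]; do
        pid_exists "$pid" && [ "$(classify_pid "$pid" "$snapshot")" = hidden ] && echo "$pid"
        pid=$((pid + 1))
    done
    return 0
}
```

Run `scan_range 1 32768` while Alex's loop is spawning processes in another terminal: the one-shot differences collapse to "exited" and "new", and an empty result is the expected outcome on a clean box.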