Security :: Checking What Processes Are Hidden?

Jan 13, 2010

I post this to have a memo about how I looked into this problem. You can use this command to check what is hidden.

Code:
/usr/lib/chkrootkit/chkproc -v -p 3 | grep /proc/ | sed 's/.*\(\/proc\/[0-9]*\).*/\1/' | xargs -n1 -I %%% cat %%%/cmdline

If it doesn't output anything, then nothing is hidden currently. This usually means that a process was started between the ps command and the /proc check of chkrootkit. You can check what those command(s) are by running the above in a loop, with high priority.

[Code]...

Does anyone know how to get rid of these false positives while retaining other functionality of chkrootkit?


Debian :: Hidden Processes On Squeeze X86?

Jul 18, 2011

This morning I ran unhide on my Squeeze x86 netbook. The brute force process detection came up with a hidden process. Repeated runs of unhide with the system in various states continued to show the process, but with a different PID each time. (Or maybe it was spawning new processes and killing itself every second or so. A newer version of unhide, which I compile from source, did describe the process as "maybe transient" or somesuch. Anyway, I've run unhide on Squeeze before, and I know that detection of any hidden process is absolutely not normal.) Also, rkhunter found some hidden directories. Of particular note, I think, is /etc/.java, which contains even more hidden stuff. It *might* be system-wide preferences for the JVM, but somehow I doubt it.

So, I have two questions...
1. Do I really have a rootkit or trojan infection? It looks like it, but I want confirmation that I'm not chasing phantoms. (Or that I am, whichever.)
2. If so, how can I prevent a recurrence? FWIW I was running without iptables or any other firewall, but I made sure all my ports were closed; and I did most of my browsing through Chromium, which should have pretty


Ubuntu :: Processes Still There But Windows Hidden?

May 10, 2010

I did some unfortunate dragging, I think, and now most of my windows which were open before are not there anymore. When I go to processes, I can see that they are still there. E.g. I had a terminal window open and now the window is gone, but I can still see a bash process in the list.


Server :: Checking Processes Running In The Background And Showing Them?

Sep 10, 2010

While executing df command on an AIX Console, by mistake I ended the line with an ampersand:

[Code]...


Ubuntu Security :: TrueCrypt - Hidden Volume Protection ?

Jan 22, 2010

I installed TrueCrypt 6.3a on my 8.1 Ubuntu. Everything went fine until I got to the part where I need to protect my hidden volume from damage caused by writing to the outer volume (these instructions: [url] ). I can't find the checkbox to "Protect hidden volume from damage caused by writing to outer volume". The closest thing I can find is an option to "Protect hidden volume when mounting outer volume". Intuitively these don't sound the same to me. There are 2 differences between my setup and the instructions: 1) the instructions appear to be written for Windows and not Linux; 2) I am using a file volume and not a partition volume.

Does anyone know where the option is to protect the hidden volume when writing to the outer volume?


Ubuntu Security :: Hidden Folders In Root Directory?

Jan 27, 2010

What, if any, significance is there to the following message shown in the rkhunter.log?

Code:

[21:11:58] Checking for hidden files and directories [ Warning ]
[21:11:58] Warning: Hidden directory found: /etc/.java
[21:11:58] Warning: Hidden directory found: /dev/.udev
[21:11:58] Warning: Hidden directory found: /dev/.initramfs

What need would there be for hidden directories to exist in /?


Security :: How Plausibly Deniable Are TrueCrypt Hidden Volumes

Nov 21, 2010

TrueCrypt hidden volume plausible deniability is documented at [URL], but how plausible is it? There is no sign of the hidden volume's existence within the outer volume even if the user is forced to disclose the outer volume password. For this to be plausible the outer volume must be used, or the user has no plausible reason for having it.

Quote:

If you mount a TrueCrypt volume within which there is a hidden volume, you may read data stored on the (outer) volume without any risk. However, if you (or the operating system) need to save data to the outer volume, there is a risk that the hidden volume will get damaged (overwritten). To prevent this, you should protect the hidden volume in a way described in this section.

The way described results in the outer volume properties including 'Hidden volume protected: Yes', which discloses the hidden volume's existence. The next section in the documentation has a diagram showing how the hidden volume is created at the top end of the outer volume space. Use of the outer volume must not write in the hidden volume space or the hidden volume will be corrupted. That limits the choice of outer volume file system to one of the FAT series, because more sophisticated file systems do write in places across their whole space. How plausible is the choice of a FAT file system on Linux? Even on a dual boot system with the usual Windows versions, NTFS is a better choice.


Fedora Security :: Disable Strict Password Checking?

Jul 12, 2009

I'm not necessarily gonna do this, but I have to know. Is there a way to make the system not complain about every single freaking password you try to use? Make it so that any regular user could make "hello" their password without complaint? Like I said, I won't necessarily do it, but I have to know if it can be done. I did some searching and found the su -c "passwd username" trick, which is working for right now (I have root access but a user account I made for a friend doesn't)... it's just irritating when it won't even let him use something like "snuh123" because it seems to think it's based on a (reversed) dictionary word. Any use of a dictionary word, even with other chars, fails.


Fedora Security :: Easy Integrity File Checking ?

Feb 9, 2010

How do I do easy file integrity checking on Fedora 11? Just to make sure that the necessary core OS files are not corrupted, using rpm and yum.


Fedora :: Yum Dependency Checking Broken By Security Update?

Jun 22, 2011

The problem is that yum is refusing to install gcc on a new SL6 install. As far as I can make out, a security update that I applied prior to my attempt to install gcc has caused problems. I did a new SL6 install (x86_64) a couple of weeks ago. This was a minimal installation, and I didn't install any dev tools, as I intended to install them later from yum. Since then, I've done very little; I installed a few packages (samba, xemacs, etc.), and I let the system update itself. The update installed 'kernel', and updated 'kernel-firmware' [URL]. I now need to install the dev tools (g++, and so on), but I can't. I've tried this from gpk-application, and directly from yum. The complete yum output is below, but the basic error is:

> Error: Package: glibc-2.12-1.7.el6.i686 (sl)
> Requires: glibc-common = 2.12-1.7.el6
> Installed: glibc-common-2.12-1.7.el6_0.5.x86_64 (@sl-security)

[code]....


Ubuntu Security :: Checking The Signature For A Package *before* Install It?

Jul 21, 2011

I'm interested in GNU/Tiger as recommended by a security guru I know. I did apt-cache search and located the package tiger:

Code:
tiger - Report system security vulnerabilities

I also checked the Ubuntu web-based package search and found tiger there too, along with things like this signed message. Using apt-cache policy, I see this package is in universe. I'd like to check the signature/cert/keys of this file before running apt-get install on it, to see if it is acceptable given my current apt keys. Can someone explain how to do this?

Also, what happens when I try to install a package using "apt-get install" and that package or one of its dependencies is:
* unsigned
* signed, but not by anyone whose key resides in my apt keyring?


Security :: Handle Checking For A Similar Previous Password?

Oct 9, 2010

What's the best way to handle checking for a similar password?

I.e. what would a possible algorithm be to generate the error "this password is too similar to one of your previous passwords"?

I thought about adding the ascii value of each letter and then adding them and looking for at least a difference of X.

What methods have yall seen used for this?


Ubuntu Security :: Restrict A User From Seeing Hidden Files And Folders?

May 23, 2010

How do I restrict a user from seeing hidden files and folders?


Ubuntu Security :: Is There Way To Make Cross-platform Hidden Files?

Oct 24, 2010

I'm sure most of you know that making a file or folder hidden is simple in the Linux world: Add a period (.) before the name. However, if you were to save such a file or directory to a flash drive, it would only be hidden on Linux systems. If you plug the flash drive into a Windows machine, Windows will happily show the file. Is there a way to make cross-platform hidden files?


Ubuntu Security :: Hidden Backdoor In AT&T 2Wire Modem/Router?

Aug 11, 2011

My 2Wire router/modem I got from AT&T for my DSL has port 3479 TCP open and I can't figure out how to close it. It's open to the entire internet. From a quick google search it's some port AT&T can use to update the modem's firmware or something. Considering how in bed AT&T is with government agencies, it seems like an easy way for the government to get into my home network just by using what seems to me a backdoor put there by AT&T. Any way to close this or secure it? Right now I'm using the hardware as my main router for my home network. I have a Linksys I modded with DD-WRT. I'm thinking of re-configuring my network to use the DD-WRT router as the main router and the 2Wire just as a modem. The 2Wire is a hybrid modem/router and I'm kind of lazy and don't feel like re-configuring my entire network if I can just close the port.


Ubuntu Security :: Do Not Know If There Are Scripts Running On The Processes Or Not?

May 7, 2011

To: The Cog >>>

The Cog, here's the results for ps -ef | grep tty:

Code:
yo mama@blah:~$ ps -ef | grep tty

[code]....


Security :: Log The Names Of The Actual Processes That Initiate?

Jun 22, 2009

Is there an easy way to log the names of the actual processes that initiate, let's say, outbound connections from the Linux machine? For instance, tracking what process initiates an outbound connection to the MySQL port on a remote machine, and stuff like that?


Ubuntu Security :: Checking If Anyone Is Viewing Passwords Stored In FireFox?

Jun 16, 2010

As I am a paranoid bastard, I made a bash screencap script for my Ubuntu computer, so I can check if anyone uses my computer for things I don't want them to do (e.g. checking if anyone is viewing passwords stored in Firefox, looking at private files, or other things I find disturbing). There might be other people than me who are paranoid and want to monitor what's going on on their computers while they are away or letting someone else use their computer when going to the bathroom.

This is a small script. I'd like to hear if there are any improvements that can be done, so I can learn more and become better at such scripting.

The script requires ImageMagick (sudo apt-get install imagemagick) and a folder in the ~ directory (/home/username) called ".screen" (hidden, as this makes it more difficult for "intruders" to find it, and it looks more like a system folder than a monitoring folder).

The script:

Code:
#!/bin/bash
i=1;
j=`date`;
user=`whoami`;

[Code]....

Add this script to /usr/local/bin and then go to keyboard shortcuts in GNOME and add a shortcut key combination of your own choice for the script. Call it whatever you'd like; the command you want to run is simply "screen". To add a shortcut for stopping the script, you add another shortcut key combination for the command "killall screen".

This enables you to monitor activity on your computer while you're away, saving PNG screenshots of your desktop every three seconds in the folder /home/username/.screen/date.

NOTE: I'm not taking any responsibility for what you do with this script. Remember that monitoring someone's activities is never the right way to handle anything. Also, it's illegal many places. Take care and use it only for educational and testing purposes.


Ubuntu Security :: Deny Hosts Removing An Ip And Checking Tcpwrappers?

Oct 21, 2010

I could not find the documentation anywhere; the best I got was [URL]

My question is the following: the blog says that to remove an IP from /etc/hosts.deny which denyhosts has blocked

[URL] you need to have a directory /usr/share/denyhosts/data. I do not find any such directory.

Also, when I tried to check the tcp wrapper configuration as given here

[URL]

Code:
tcpdchk -v
Cannot find your inetd.conf or tlid.conf file. Please specify its location.

What does the above output mean? How do I make sure denyhosts is doing its job?


Networking :: Network Security - How To Identify Programs And Processes

Sep 2, 2010

I was wondering if anyone might know of good reference material, books, websites etc., that discuss network security issues in layman's terms. I would like to set up a dedicated Linux box as a firewall and would like to have a deeper understanding of the different types of configurations that are possible. I run a dual boot system and most of the firewalls I have used on the Windows side are very confusing to me. A lot of the time they give you a pop-up that informs you that some cryptically named program is trying to access the network or the internet and wants to know if I want it to or not; 99% of the time I have no idea if it is a legitimate program or not. I realize that this is probably a separate issue (knowing how to identify programs and processes that should have access from those that should not) from setting up a firewall and basic network security, but I know that they are related.


Security :: Controlling External Network Access Per Processes?

Aug 13, 2010

That would seem like an elementary feature: to be able to allow only a few system applications access to the Internet. That would prevent trojans from downloading your HD, for example. I looked around and played with iptables but I couldn't find anything that does the job. I loaded the xt_owner kernel module for iptables but the --cmd-owner option is lacking. That was my holy grail but I could not get --cmd-owner to work.

Code:
iptables -I OUTPUT -m owner --cmd-owner "firefox" -j LOG --log-prefix "Testing "

How can I protect my machine against the enemy within?

OpenSuse 11.2
Kernel: 2.6.31.12-0.2-desktop


Security :: Prevent Normal Users See All The Processes Running On The Box?

Dec 30, 2010

I've a Linux box with a few users (with shell). I would like to prevent normal users from seeing all the processes running on the box. How can I implement this?


Ubuntu Security :: Restore The Original Image File That Have Hidden Data In With Steghide

Jan 27, 2011

I'm wondering if it's possible to restore the original image file that you have hidden data in with steghide. The basic idea is you have a photo, sign it using gpg and then embed the signature, then remove the signature at a later time and check it against the signature. I hope another "inverse" algorithm doesn't need to be written to undo the first (if an "inverse" algorithm is possible). This assumes you already have the pass phrase or that there is no pass phrase. I already know how to retrieve the original file; I just want to remove the hidden data from the image and restore its attributes.


Ubuntu Security :: Bunch Of Vmware-user-wra Processes Stall Cpu 100%

Mar 24, 2010

This is scary, a bunch of vmware-user-wra processes stall the CPU at 100%!! What's going on? The server has just been restarted! Before I restarted, root started all these vmware-user-wra!! I was configuring vncserver! After restart, it's started by user roo300, which I have used to login via SecureShell!

Code:

top - 20:20:29 up 4 min, 85 users, load average: 76.57, 35.14, 13.60
Tasks: 629 total, 90 running, 539 sleeping, 0 stopped, 0 zombie
Cpu(s): 1.5%us, 98.5%sy, 0.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 3873304k total, 369500k used, 3503804k free, 50492k buffers

[code]....


Ubuntu Security :: Multiple Unwanted Apache2 Processes Running?

Mar 3, 2011

My computer is often very slow, to the point of stalling. I tty'd in and when I ran ps -ef I noticed about 10 /usr/sbin/apache2 -k start. I don't even want 1 apache running. Any suggestions why these are running, or how to stop it? Well, I can stop it with a sudo killall, but how can I make sure it doesn't happen again?


Fedora Security :: Badware File Were Hidden / Couldn't Be Observed In Folders / Removeable Devices?

Feb 16, 2010

Is it possible some badware file were hidden and couldn't be observed in folders or removable devices? And how could we hide a file (like on Windows)?


Ubuntu Security :: Black Hats - 105GB FAT16 Hidden Partition On Hard Drive

Mar 31, 2010

Since August of 2009 I have been under attack by corporate Black Hats. I found a 105GB FAT16 Hidden partition on my hard drive. Seventy four percent full (78GB). What led me to this was the fact that I couldn't help but notice that my Internet connection was a revolving door that never stopped spinning. So I went looking for why.

I removed the hidden flag, and patched the partition, but couldn't open that thing no matter what I did. I tried for a month. The attacks started as soon as I stopped these guys from accessing that data. At this point we are 9 months into 24/7 attacks. I have interviewed with the FBI, and local law enforcement, but they are intent on making me out to be a conspiracy nut. I am not at all. All they wanted to do is quiz me on my computer skills. If I managed to draw the attention of a corporate security group, they killed it.

I am a US Navy trained Electronics Technician. 58 years old with ECM experience. I have been doing both bench, and field service on all manner of electronics for 40 years. My last job was supporting field engineers, and technicians for Samsung Electronics of America. The attacks have spread to my mother, and best friend. My phones are bugged internally at the phone company, and my modem has had its firmware altered to call them. They run around inside my ISP like they own the place.

[Code]....


Ubuntu :: Hidden Folders In The Home Folder That Aren't Hidden?

May 6, 2010

Just a general weirdness, but some folders that are in my /home folder don't show up. If I check "show hidden folders", they still don't show up. For all intents and purposes, they are simply not there. However, if I search for them through the search tool, or Beagle, they show up as being in my /home folder. So, anyone have any idea how this happened, or how I can remedy this?


OpenSUSE Install :: Hidden .directories Now Really Hidden (or Deleted)?

Feb 26, 2011

Last time, I changed the icon for the ding dictionary; it used the gear-wheel symbol before. Then I saw that the hidden directories also used the new icon, and now they are all gone. I did install the old 256.53 NVIDIA driver last night, but that should not be the reason?


Ubuntu :: Checking Disk Mean Checking All Partitions On Hd?

May 10, 2010

Sometimes at startup I get this message: "Checking disk 1 of 1". Does that mean it's checking all partitions on the HD? After a bad shutdown there is no prompt for fsck to run and the system just boots up. In fstab I have both options set to "1" for the partition Ubuntu is on, all others set to "0". Any ideas on both?

Copyrights 2005-15 www.BigResource.com, All rights reserved