[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[cobalt-security] PS and /proc
- Subject: [cobalt-security] PS and /proc
- From: "Fragga" <fragga@xxxxxxxxxxxx>
- Date: Wed, 2 Oct 2002 08:57:14 -0500
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
hello,
just a quick question.. if someone were to trojan ps to not show their
processes ( ignoring detection by ChkRootkit for the minute as this is just
a principle matter) then would it still show in /proc or is it possible to
create hidden processes which will not show in there aswell ?
i.e if i hacked together a very dirty perl script like this which went
through proc and read each cmdline then would that be a TRUE reading of the
current processes ?
perl -e 'opendir(DIR1, "/proc"); while($file = readdir(DIR1)) { open(SOURCE,
"/proc/$file/cmdline"); while (<SOURCE>) { print $_ . "\n"; }}
closedir(DIR1);'
thanks in advance,
fragga