Re: [cobalt-security] PS and /proc
- Subject: Re: [cobalt-security] PS and /proc
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Wed, 2 Oct 2002 18:16:15 +0200
- Organization: SOLARSPEED.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Fragga,
> just a quick question.. if someone were to trojan ps to not show their
> processes ( ignoring detection by ChkRootkit for the minute as this is just
> a principle matter) then would it still show in /proc or is it possible to
> create hidden processes which will not show in there as well ?
Rootkits which modify the kernel (through LKMs or other methods) can even hide
files and folders. On Linux anything is either a file or a folder somewhere
on the disk, including /proc and anything within.
So yes, rootkits like SuckIT-1.3a (which I just happened to run into on a
RaQ4) can be so sneaky that they are next to impossible to detect once they
are installed, as they might also hide the processes in /proc. It depends on
how sophisticated these rootkits are.
See http://la-samhna.de/library/lkm.html for more information.
--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
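
Added example, not part of the original post: a cross-view check for the two cases discussed in this thread, comparing what `ps` reports, what `/proc` lists, and which IDs the kernel acknowledges through `kill(id, 0)`. A process in `/proc` but missing from `ps` points at a trojaned `ps`; an ID that answers `kill` but is absent from `/proc` points at filtering of `/proc` itself. It assumes Linux with a procps-style `ps`; the function names are chosen here for illustration.

```python
import os
import subprocess

def ps_view():
    # PIDs according to the ps on PATH (procps assumed; may be the trojaned one).
    out = subprocess.check_output(["ps", "-e", "-o", "pid="], text=True)
    return {int(tok) for tok in out.split()}

def proc_view(root="/proc"):
    # (process IDs, process + thread IDs) as listed under /proc. Thread IDs
    # are included because kill() answers for them as well.
    pids = {int(n) for n in os.listdir(root) if n.isdigit()}
    all_ids = set(pids)
    for pid in pids:
        try:
            all_ids.update(int(t) for t in os.listdir(f"{root}/{pid}/task"))
        except OSError:
            pass  # process exited while being read
    return pids, all_ids

def probe_view(candidates):
    # IDs the kernel acknowledges via kill(id, 0); signal 0 delivers nothing.
    alive = set()
    for pid in candidates:
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, owned by another user
        alive.add(pid)
    return alive

def compare(ps_ids, proc_pids, proc_all, probed):
    return {"hidden_from_ps": proc_pids - ps_ids,    # ps lies, /proc does not
            "hidden_from_proc": probed - proc_all}   # /proc itself is filtered

def scan(max_pid, rounds=3):
    # Keep only findings seen in every round, so processes that start or
    # exit between the three snapshots are not reported.
    result = None
    for _ in range(rounds):
        probed = probe_view(range(1, max_pid + 1))
        found = compare(ps_view(), *proc_view(), probed)
        result = found if result is None else {k: result[k] & found[k] for k in found}
    return result

if __name__ == "__main__":
    limit = int(open("/proc/sys/kernel/pid_max").read())
    print(scan(limit))
```

An empty result does not clear the host: a kernel-level rootkit of the kind described above can intercept `kill()` just as it filters `/proc`, so this check only catches the less thorough cases.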