
Re: [cobalt-security] PS and /proc



Hi Fragga,

> Just a quick question: if someone were to trojan ps to not show their
> processes (ignoring detection by chkrootkit for the minute, as this is just
> a matter of principle), then would it still show in /proc, or is it possible to
> create hidden processes which will not show in there as well?

Rootkits which modify the kernel (through LKMs or other methods) can even hide 
files and folders. On Linux anything is either a file or a folder somewhere 
on the disk, including /proc and anything within.

So yes, rootkits like SuckIT-1.3a (which I just happened to run into on a 
RaQ4) can be so sneaky that they are next to impossible to detect once they 
are installed, as they might also hide the processes in /proc. It depends on 
how sophisticated these rootkits are. 

See http://la-samhna.de/library/lkm.html for more information.

-- 

With best regards,

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
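The three-way comparison behind the question and the reply (what `ps` shows, what a directory listing of /proc shows, and what probing /proc/<pid> directly shows), written out as an added example that is not from this thread or from any of the tools mentioned in it. It assumes a Linux host with a procps-style `ps` that accepts `-e -o pid=`, and that `/proc/sys/kernel/pid_max` is readable; the script name `ps_proc_check.py` and all function names are this example's own. A trojaned userland `ps` drops PIDs from the first view only; an LKM rootkit that filters readdir() on /proc also empties the second, but sometimes leaves the third intact because it never hooked the directory lookup path. A rootkit of the kind the reply describes, which hides on every path, defeats all three, and at that point only an external view (a clean boot, a network-side listing) is left.

```python
"""ps_proc_check.py: look for processes hidden from ps or from /proc listings.

Three views of the process table, from least to most trustworthy:
  1. what `ps` reports           (userland binary; trivially trojaned)
  2. a readdir() of /proc         (hidden by kernel rootkits that filter getdents)
  3. stat() of /proc/<pid> for every possible pid (lookup path; sometimes unhooked)
A PID present in a lower-numbered view but missing from a higher one is hidden.
Illustrative example; not part of any published tool.
"""
import os
import subprocess


def parse_ps_pids(ps_output):
    """Extract PIDs from `ps -e -o pid=` output (one PID per line, header tolerated)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def collect_ps():
    """View 1: whatever the installed ps binary admits to."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps_pids(out)


def parse_proc_listing(entries):
    """Keep only the numeric entries (process directories) of a /proc listing."""
    return {int(e) for e in entries if e.isdigit()}


def collect_proc_listing():
    """View 2: readdir() of /proc, the path a getdents-filtering rootkit hooks."""
    return parse_proc_listing(os.listdir("/proc"))


def read_pid_max():
    """Upper bound for the brute-force probe; 32768 is the classic default (assumed fallback)."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return 32768


def probe_proc(max_pid, isdir=os.path.isdir):
    """View 3: stat() every /proc/<pid> instead of trusting readdir().

    `isdir` is injectable so the logic can be exercised with constructed data.
    """
    return {pid for pid in range(1, max_pid + 1) if isdir("/proc/%d" % pid)}


def find_hidden(ps_pids, listed_pids, probed_pids):
    """Report what each view hides relative to the more trustworthy view beneath it."""
    return {
        "hidden_from_ps": sorted(listed_pids - ps_pids),
        "hidden_from_proc_listing": sorted(probed_pids - listed_pids),
    }


def stable_hidden(snapshots):
    """Intersect several find_hidden() results so short-lived PIDs (which appear in one
    view and exit before the next is taken) drop out; a real hidden process persists."""
    keys = ("hidden_from_ps", "hidden_from_proc_listing")
    return {k: sorted(set.intersection(*[set(s[k]) for s in snapshots])) for k in keys}


def snapshot():
    """One pass over all three views; probe first so ps's own short-lived PID is ignored."""
    pid_max = read_pid_max()
    probed = probe_proc(pid_max)
    listed = collect_proc_listing()
    seen_by_ps = collect_ps() | {os.getpid()}
    return find_hidden(seen_by_ps, listed, probed)


if __name__ == "__main__":
    # Two passes: anything reported in both is worth a closer look at /proc/<pid>/status.
    result = stable_hidden([snapshot(), snapshot()])
    for key, pids in result.items():
        print("%-26s %s" % (key + ":", pids or "none"))
```

Run it as root so every /proc/<pid> is stat-able; on kernels with a large pid_max (4194304 on many current distributions) the probe loop takes a few seconds. Anything it reports should be confirmed by reading `/proc/<pid>/status` and `/proc/<pid>/exe` by hand before concluding the host is compromised, since a process that only lives for the instant between two views will show up in a single snapshot and vanish from the intersection.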