rkhunter debian

Report on hidden processes

If the processes are truly hidden, then yes it's probably something you should worry about. But it's possible that you've got a false positive situation.

When rkhunter tells you that there are hidden processes, try to cd to the /proc/<pid> directory for the process (where <pid> is one of the process ID numbers output by rkhunter). If you can't cd into the directory, then the process isn't really hidden, it was just in the middle of exiting when the rkhunter check ran and rkhunter was confused and you probably have nothing to worry about.

If you do manage to cd into the /proc/<pid> directory, then it's likely you have a problem. Interesting things to do once you're in the /proc/<pid> directory include:

  1. “cat cmdline” should give you the name the process is running under
  2. “sudo cat environ | perl -pe 's/\000/\n/g'” gets you the environment variable settings for the process
  3. “sudo ls -l fd” shows you what files the process currently has open
  4. “sudo ls -l cwd” shows you the current working directory of the process (which could be interesting if the process was started by the attacker from their rootkit installation directory)

There's plenty of other cool stuff you can do with the various bits of information under /proc, but the above should be enough to help you figure out what the process(es) are doing and how much trouble you're in.


  • blog/rkhunter_debian.txt
  • Last modified: 2011/11/10 08:09
  • by brb