-
I've updated unhide.rb to show the names of the found processes if possible. Here's a demo using the same "ps" script as before, where you can see that "/bin/ps" and "head" are involved, as well as the full path to the hidden process:
johansdator:/tmp/apa# PATH=.:$PATH /home/johan/src/unhide.rb/unhide.rb
ps and sysinfo() process count mismatch:
ps: 303 processes
sysinfo(): 302...
2009-08-11 05:21:53 UTC in Rootkit Hunter
-
johanwalles changed the public information on the ExpectJ project.
2009-06-13 06:54:09 UTC in ExpectJ
-
johanwalles committed revision 63 of branch trunk to the ExpectJ Bazaar repository, changing 1 file.
2009-05-10 08:19:02 UTC in ExpectJ
-
johanwalles committed revision 63 to the ExpectJ SVN repository, changing 1 file.
2009-05-10 08:19:02 UTC in ExpectJ
-
johanwalles committed revision 799 to the Fair DJ SVN repository, changing 1 file.
2009-05-10 08:17:57 UTC in Fair DJ
-
johanwalles committed revision 798 to the Fair DJ SVN repository, changing 17 files.
2009-05-10 08:16:36 UTC in Fair DJ
-
johanwalles added the expectj-2.0-r59.jar file.
2009-05-10 07:40:28 UTC in ExpectJ
-
johanwalles created the 2.0 file release.
2009-05-10 07:28:45 UTC in ExpectJ
-
I made my own "rootkit"; a shell ps that hides the last process (see below).
Then I downloaded the latest unhide, unpacked it and built it:
http://www.security-projects.com/?Unhide:Download
http://www.security-projects.com/unhide20080519.tgz
Then I put my ps implementation in . and added it to $PATH before running unhide proc, unhide sys and unhide.rb.
unhide didn't find anything and...
2009-04-22 19:34:04 UTC in Rootkit Hunter
-
johanwalles committed revision 62 of branch trunk to the ExpectJ Bazaar repository, changing 1 file.
2009-04-15 18:10:56 UTC in ExpectJ