#18 Please use unhide.rb rather than unhide

Milestone: main
Status: closed-fixed
Owner: unSpawn
Labels: Rkhunter (37)
Priority: 5
Updated: 2010-10-12
Created: 2009-04-13
Private: No

Hi!

You're calling unhide from rkhunter. Running unhide takes about 70s on my system.

I've made a Ruby port of unhide. It runs in about 7s on my system. So in one tenth of the time it performs the same checks as "unhide-linux26 proc" and "unhide-linux26 sys".

Would you be interested in calling unhide.rb rather than unhide from rkhunter?

Currently unhide.rb exits with code 2 if it finds something, and all output is printed to stdout, so it should be easy to interact with.

Code is here (one file only):
http://bazaar.launchpad.net/~walles/unhide.rb/trunk/annotate/head%3A/unhide.rb

Bugs etc can be reported here:
https://launchpad.net/unhide.rb

Discussion

  • unSpawn

    unSpawn - 2009-04-17
    • milestone: --> main
    • assigned_to: nobody --> unspawn
     
  • unSpawn

    unSpawn - 2009-04-17

    RKH uses 'unhide' kind of "plugin" like. So there's always room for improvement or diversity. If you would be able to attach actual test results of running unhide and unhide.rb against loaded LKMs I would appreciate it.

    regards, unSpawn

     
  • Johan Walles

    Johan Walles - 2009-04-22

    I made my own "rootkit"; a shell ps that hides the last process (see below).

    Then I downloaded the latest unhide, unpacked it and built it:
    http://www.security-projects.com/?Unhide:Download
    http://www.security-projects.com/unhide20080519.tgz

    Then I put my ps implementation in . and added it to $PATH before running unhide proc, unhide sys and unhide.rb.

    unhide didn't find anything and crashed halfway through its sys scan. unhide.rb detected both the call to the real ps from my shell script, and the "head" process.

    Finally I just put "false" in the shell script to verify that it really got called from unhide, and unhide started outputting a ton of found hidden processes (not included below though).

    Here's the full output of my tests:
    johan@foo:/tmp/hej/unhide-20080519$ cat ps
    #! /bin/bash

    # Call ps, but hide the last line of output
    /bin/ps "$@" | head -n-1
    johan@foo:/tmp/hej/unhide-20080519$ ls -l ps
    -rwxr-xr-x 1 johan johan 83 22 apr 21.25 ps
    johan@foo:/tmp/hej/unhide-20080519$ PATH=.:$PATH ./unhide-linux26 proc
    Unhide 20080519
    yjesus@security-projects.com

    [*]Searching for Hidden processes through /proc scanning

    johan@foo:/tmp/hej/unhide-20080519$ PATH=.:$PATH ./unhide-linux26 sys
    Unhide 20080519
    yjesus@security-projects.com

    [*]Searching for Hidden processes through getpriority() scanning

    [*]Searching for Hidden processes through getpgid() scanning

    [*]Searching for Hidden processes through getsid() scanning

    [*]Searching for Hidden processes through sched_getaffinity() scanning

    [*]Searching for Hidden processes through sched_getparam() scanning

    [*]Searching for Hidden processes through sched_getscheduler() scanning

    Segmenteringsfel
    johan@foo:/tmp/hej/unhide-20080519$ PATH=.:$PATH /home/johan/src/unhide.rb/unhide.rb
    Scanning for hidden processes...
    Suspicious PID 21336:
    Seen by ps
    Not seen by /proc
    Not seen by /proc tasks
    Not seen by getsid()
    Not seen by getpgid()
    Not seen by getpriority()
    Not seen by sched_getparam()
    Not seen by sched_getaffinity()
    Not seen by sched_getscheduler()
    Not seen by sched_rr_get_interval()
    Suspicious PID 30460:
    Not seen by ps
    Seen by /proc
    Seen by /proc tasks
    Seen by getsid()
    Seen by getpgid()
    Seen by getpriority()
    Seen by sched_getparam()
    Seen by sched_getaffinity()
    Seen by sched_getscheduler()
    Seen by sched_rr_get_interval()

     
  • Johan Walles

    Johan Walles - 2009-08-11

    I've updated unhide.rb to show the names of the found processes if possible. Here's a demo using the same "ps" script as before, where you can see that "/bin/ps" and "head" are involved, as well as the full path to the hidden process:
    johansdator:/tmp/apa# PATH=.:$PATH /home/johan/src/unhide.rb/unhide.rb
    ps and sysinfo() process count mismatch:
    ps: 303 processes
    sysinfo(): 302 processes
    Scanning for hidden processes...
    Suspicious PID 2264:
    Seen by ps ("/bin/ps")
    Not seen by getsid()
    Not seen by getpgid()
    Not seen by getpriority()
    Not seen by sched_getparam()
    Not seen by sched_getaffinity()
    Not seen by sched_getscheduler()
    Not seen by sched_rr_get_interval()
    Suspicious PID 2265:
    Seen by ps ("head")
    Not seen by getsid()
    Not seen by getpgid()
    Not seen by getpriority()
    Not seen by sched_getparam()
    Not seen by sched_getaffinity()
    Not seen by sched_getscheduler()
    Not seen by sched_rr_get_interval()
    Suspicious PID 31961:
    Not seen by ps
    Seen by /proc ("/usr/lib/postfix/pickup")
    Seen by /proc tasks ("/usr/lib/postfix/pickup")
    Seen by getsid()
    Seen by getpgid()
    Seen by getpriority()
    Seen by sched_getparam()
    Seen by sched_getaffinity()
    Seen by sched_getscheduler()
    Seen by sched_rr_get_interval()
    johansdator:/tmp/apa#

    Running as root to be able to follow /proc/1234/exe symlinks for arbitrary processes.
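The two runs above show the shape of the check: every source that can enumerate PIDs (ps, the /proc listing, the /proc/*/task listing, and brute-forcing the PID range with pid-taking syscalls) is one "view", and a PID that some views see and others do not is reported. The following Ruby is an added example in that shape; it is not unhide.rb's code and not Johan's. The view names are taken from the output above; the `ps -eo pid=,comm=` command line, the three stdlib probes (Ruby's Process module has no sched_* calls, so those are left out), the function names, the re-check rule for the race conditions, and the SAMPLE_VIEWS data are my own assumptions. The sample data is constructed from the 2009-08-11 output.

```ruby
#!/usr/bin/env ruby
# Cross-view hidden-process check (added example, not unhide.rb itself).
# A "view" is a Hash { pid => name_or_nil } of every PID one source can see;
# a PID some views see and others do not is reported in the "Seen by /
# Not seen by" form of the unhide.rb output earlier in this thread.

# View "ps": what ps(1) prints. A trojaned ps, like the wrapper script above,
# drops lines here, so this is the view a rootkit is expected to lie in.
def pids_from_ps
  `ps -eo pid=,comm=`.each_line.with_object({}) do |line, h|
    pid, name = line.strip.split(/\s+/, 2)
    h[pid.to_i] = name unless pid.nil?
  end
end

# View "/proc": numeric entries under /proc, named from their exe symlink
# (readable for other users' processes only as root; nil otherwise).
def pids_from_proc
  Dir.children('/proc').grep(/\A\d+\z/).each_with_object({}) do |d, h|
    h[d.to_i] = (File.readlink("/proc/#{d}/exe") rescue nil)
  end
end

# View "/proc tasks": every thread id under /proc/*/task/*. Non-leader
# threads answer the pid-taking syscalls below but are not processes.
def tids_from_proc
  Dir.glob('/proc/[0-9]*/task/[0-9]*').each_with_object({}) do |path, h|
    h[File.basename(path).to_i] = (File.readlink("#{path}/exe") rescue nil)
  end
end

# Syscall views: brute-force the PID space. ESRCH means "no such process";
# any other failure (e.g. EPERM) still proves the pid exists.
PROBES = {
  'getsid()'      => ->(pid) { Process.getsid(pid) },
  'getpgid()'     => ->(pid) { Process.getpgid(pid) },
  'getpriority()' => ->(pid) { Process.getpriority(Process::PRIO_PROCESS, pid) }
}.freeze

def pids_from_probe(probe, max_pid)
  (1..max_pid).each_with_object({}) do |pid, seen|
    begin
      probe.call(pid)
      seen[pid] = nil
    rescue Errno::ESRCH
      nil                       # no process with this pid
    rescue SystemCallError
      seen[pid] = nil           # exists, but e.g. EPERM
    end
  end
end

# Pure comparison step. `recheck` answers "does a fresh ps see this pid now?"
# and discards two races that are not hiding: ps's own short-lived children
# (the /bin/ps and head processes in the output above) that exited before the
# probes ran, and processes started after the ps snapshot. Default: no fresh
# look, so every disagreement is kept.
def find_suspicious(views, recheck: nil)
  recheck ||= ->(pid) { views.fetch('ps', {}).key?(pid) }
  threads = views.fetch('/proc tasks', {}).keys - views.fetch('/proc', {}).keys
  views.values.flat_map(&:keys).uniq.sort.each_with_object({}) do |pid, report|
    next if threads.include?(pid)                    # an ordinary thread
    status = views.transform_values { |v| v.key?(pid) }
    next if status.values.uniq.size == 1             # all views agree
    ps_now = recheck.call(pid)
    next if status.select { |_, s| s }.keys == ['ps'] && !ps_now
    next if !status['ps'] && ps_now
    report[pid] = status
  end
end

def format_report(report, views)
  lines = []
  report.each do |pid, status|
    lines << "Suspicious PID #{pid}:"
    status.each do |view, seen|
      name = views[view][pid]
      lines << "#{seen ? 'Seen' : 'Not seen'} by #{view}#{name ? " (\"#{name}\")" : ''}"
    end
  end
  lines.join("\n")
end

# Constructed sample mirroring the 2009-08-11 output above: ps saw its own
# transient children 2264/2265 but not 31961; 31962 is a thread of 31961.
SAMPLE_VIEWS = {
  'ps'          => { 1 => 'init', 2264 => '/bin/ps', 2265 => 'head' },
  '/proc'       => { 1 => '/sbin/init', 31961 => '/usr/lib/postfix/pickup' },
  '/proc tasks' => { 1 => '/sbin/init', 31961 => '/usr/lib/postfix/pickup',
                     31962 => '/usr/lib/postfix/pickup' },
  'getsid()'    => { 1 => nil, 31961 => nil, 31962 => nil },
  'getpgid()'   => { 1 => nil, 31961 => nil, 31962 => nil }
}.freeze

# Live scan of the whole PID range; returns 2 when something was found, like unhide.rb.
def run_scan(max_pid = File.read('/proc/sys/kernel/pid_max').to_i)
  puts 'Scanning for hidden processes...'
  views = { 'ps' => pids_from_ps, '/proc' => pids_from_proc, '/proc tasks' => tids_from_proc }
  PROBES.each { |name, probe| views[name] = pids_from_probe(probe, max_pid) }
  fresh = nil
  report = find_suspicious(views, recheck: ->(pid) { (fresh ||= pids_from_ps).key?(pid) })
  if report.empty?
    puts 'No hidden processes found!'
    return 0
  end
  puts format_report(report, views)
  2
end

exit run_scan if __FILE__ == $0 && ARGV[0] == 'scan'
```

Run it as root (`ruby crossview.rb scan`) so that /proc/PID/exe can be read for every process. On the sample data the re-check is what separates noise from signal: 2264 and 2265 are only reported when no fresh look is taken, while 31961 (the line the wrapper's `head -n-1` swallowed) stays suspicious whatever the re-check says, because a ps that hides it once will hide it again.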

     
  • John Horne

    John Horne - 2010-09-14

    On my Fedora 13 system all the PIDs are reported as suspicious. It seems the sched_getaffinity call is failing completely.

     
  • Johan Walles

    Johan Walles - 2010-09-15

    Hi John!

    Can you try changing this line...
    scratch = "\0" * 500
    ... into...
    scratch = "\0" * 65536
    ... and see if that helps?

    I haven't been able to repro on either Ubuntu 10.04 or Oracle Enterprise Linux 5.4 (very similar to RHEL5.4), and I don't have access to an FC13 system, so I'll need some help to track your problem down.

    Regards /J
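The symptom above (every PID suspicious) is what a sched_getaffinity probe produces when the call fails for a reason other than ESRCH: the kernel returns EINVAL when the cpu_set_t buffer is smaller than its compiled-in cpumask (a kernel built with CONFIG_NR_CPUS=4096 needs 512 bytes, so 500 is already too short), and current kernels also require the length to be a multiple of sizeof(long), which 500 is not. A probe that counts any failure as "not seen" then reports everything as hidden. The following Ruby is an added example, not unhide.rb's code, showing the probe with errno inspected and a self-check before scanning; it assumes Linux and Ruby's Fiddle, and the function names and the 65536-byte size (taken from the suggestion above) are my own choices.

```ruby
#!/usr/bin/env ruby
# sched_getaffinity(2) as a PID probe, with the buffer-size failure mode from
# this thread handled (added example, not unhide.rb's own code).
require 'fiddle'

# Resolve the libc symbol from the symbols already mapped into this process.
SCHED_GETAFFINITY = Fiddle::Function.new(
  Fiddle::Handle::DEFAULT['sched_getaffinity'],
  [Fiddle::TYPE_INT, Fiddle::TYPE_SIZE_T, Fiddle::TYPE_VOIDP],
  Fiddle::TYPE_INT
)
# Big enough for any CONFIG_NR_CPUS a distribution ships, and a multiple of
# sizeof(long); the size Johan proposed above.
CPUSET_BYTES = 65536

# Probe one pid. Returns :seen, :not_seen (ESRCH), or [:probe_error, errno]
# for any other failure, which says nothing about the pid and must never be
# counted as "hidden".
def affinity_probe(pid, cpuset_bytes = CPUSET_BYTES)
  buf = "\0" * cpuset_bytes                         # the cpu_set_t output buffer
  return :seen if SCHED_GETAFFINITY.call(pid, cpuset_bytes, buf).zero?
  err = Fiddle.last_error                           # errno of that call
  err == Errno::ESRCH::Errno ? :not_seen : [:probe_error, err]
end

# Self-check before a scan: our own pid must be :seen. If it is not, the probe
# is broken (buffer too small, seccomp, ...) and every pid would look hidden,
# which is exactly the Fedora 13 symptom reported above.
def probe_usable?(cpuset_bytes = CPUSET_BYTES)
  affinity_probe(Process.pid, cpuset_bytes) == :seen
end

# Scan 1..max_pid, refusing to produce a report when the probe is unusable.
def pids_seen_by_affinity(max_pid, cpuset_bytes = CPUSET_BYTES)
  unless probe_usable?(cpuset_bytes)
    raise "sched_getaffinity probe unusable: #{affinity_probe(Process.pid, cpuset_bytes).inspect}"
  end
  (1..max_pid).select { |pid| affinity_probe(pid, cpuset_bytes) == :seen }
end

if __FILE__ == $0
  [500, CPUSET_BYTES].each do |size|
    puts "buffer #{size} bytes: self -> #{affinity_probe(Process.pid, size).inspect}"
  end
end
```

On a kernel that rejects the 500-byte buffer the stand-alone run prints `[:probe_error, 22]` (EINVAL) for the first line and `:seen` for the second; a scan that started from the first result would have flagged every PID.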

     
  • John Horne

    John Horne - 2010-09-16

    Having made the change the program now seems to work. When I run it I get:

    # unhide.rb
    Scanning for hidden processes...
    No hidden processes found!

    Admittedly I haven't tested it by deliberately hiding a process yet.

     
  • John Horne

    John Horne - 2010-10-08

    Apologies for the delay - I am still not getting notified by SF when a change is made to the tracker!

    I have tested the new version of unhide.rb and it works fine on Fedora 13.

     
  • John Horne

    John Horne - 2010-10-08

    Support for unhide.rb is now in the CVS version of rkhunter.

    The 'hidden_procs' test will run the 'unhide' command if it finds it (the same as before). It will then run the 'unhide.rb' command if it finds it. The user can disable running either command by using the DISABLE_UNHIDE configuration command. This is in case either command gives too many FPs for the user, or simply because they want to run one version and not the other. Details are in the config file.

    I have also included a reference to the unhide.rb web site in the README file.

     
  • John Horne

    John Horne - 2010-10-12
    • status: open --> closed-fixed
     
