Process hidden from /proc - how likely a false positive?


ck...@libero.it

Jun 4, 2009, 9:55:22 AM
to ossec-list
Hi,

I have recently received the alert "Process 'XXXXX' hidden from /proc.
Possible kernel level rootkit."
I have run rootkitcheck again, rootkit hunter and chkrootkit and I
didn't get any evidence of hidden processes. We are performing a
security analysis of that box now but I am under the impression that
it was a false positive.

I thought it could have been caused by a process that exits when the
routines are doing the checking but looking at the source the code
should check this case (there is a two seconds pause, then the tests
are repeated).

The box is not running any virtualization software or anything else in
the kernel that may cause a non standard way of using processes.

What is your experience with false positives with this check? Can you
think of any way that check can report a false positive?

Thanks,

--Marco

Martin West

Jun 15, 2009, 1:49:38 PM
to ossec...@googlegroups.com
I had one of these today ...

Received From: lenovo2->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event
(rootcheck)."
Portion of the log(s):

Process '9196' hidden from /proc. Possible kernel level rootkit.

appears to be an anomaly.

Would it be possible to include the results of ps -flp on the process
to see what was running.

Thanks

Martin West
skype:amartinwest
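Added example (not rootcheck's own code) illustrating both posts: a small Python version of the check Marco describes, comparing PIDs the kernel admits against the entries a /proc listing shows, with the pause-and-repeat that drops a process which merely exited mid-scan, plus a best-effort name lookup for the detail Martin asks ps -flp for. Assumptions: Linux procfs paths, a 32768 default PID range, and that kill(pid, 0)/getsid/getpgid are the existence probes (the thread does not name which syscalls rootcheck uses).

```python
import os
import time

def listed_pids():
    """PIDs that appear as numeric entries in a /proc directory listing."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def kernel_knows(pid):
    """True when kill(pid, 0), getsid or getpgid show the kernel admits the PID.
    EPERM counts as alive: the process exists but belongs to another user."""
    for probe in (lambda p: os.kill(p, 0), os.getsid, os.getpgid):
        try:
            probe(pid)
            return True
        except ProcessLookupError:
            continue        # ESRCH from this probe; try the next one
        except PermissionError:
            return True
    return False

def hidden_candidates(kernel_pids, listed):
    """Pure comparison step: PIDs the kernel admits but the listing lacks."""
    return set(kernel_pids) - set(listed)

def confirm_hidden(candidates, still_known, relist, delay=2.0):
    """Second pass after a pause, as the first post describes rootcheck doing:
    a PID that merely exited mid-scan is gone now and is dropped; one the
    kernel still admits yet /proc still does not list is reported."""
    if not candidates:
        return set()
    time.sleep(delay)
    listed = relist()
    return {p for p in candidates if still_known(p) and p not in listed}

def describe(pid):
    """Best-effort process name. Assumption: an entry filtered out of the
    directory listing may still be reachable by its direct /proc path."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return "<unreadable>"

def scan(pid_max=32768, delay=2.0):
    """Scan the local host; returns {pid: name} for confirmed hidden PIDs."""
    listed = listed_pids()
    known = {p for p in range(1, pid_max) if kernel_knows(p)}
    found = confirm_hidden(hidden_candidates(known, listed), kernel_knows, listed_pids, delay)
    return {p: describe(p) for p in sorted(found)}
```

Pass a larger pid_max to scan() if /proc/sys/kernel/pid_max on the host is higher than the default; a scan on a clean host should return an empty dict.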
