Re: Hidden Processes

From: Alex Banks (alex@alexbanks.com)
Date: 04/08/03 

From: "Alex Banks" <alex@alexbanks.com>
Date: Tue, 8 Apr 2003 10:06:57 +0100

"Kasper Dupont" <kasperd@daimi.au.dk> wrote in message
news:3E91E099.78DC3DC4@daimi.au.dk...
> Alex Banks wrote:
> It depends on how they have hidden the processes. If they have only
modified
> userspace utilities, you can just install the original version in your own
> home directory. If they have modified the kernel, it might be very
difficult.

A friend of mine pointed out that ps is not setuid (ie r-s-r-xr-x root)
which means it will only have my privileges - those files in /proc.

> Since you can still see your own processes, I believe /proc must still be
> mounted. I don't know if they modified it to hide some of the process
> subdirectories, or if they modified it to disallow access to the contents
of
> the process subdirectories. If they are hidden, you might still be able to
> access the contents if you know (or can guess) the pid.
>
> A few lines from "ls -l /proc" might reveal what has been done.

To be honest, I've given up now. As another mate pointed out, while it may
be possible to override the security, the hosting company would probably
boot me off the box for doing so. vmstat gives me some basic information for
CPU idle time, so I'll use that.

Thanks to everyone for their help.

Alex
---------------------------
http://www.alexite.com

Quantcast