
#1 2022-06-17 23:05:58

afader
Member
Registered: 2013-09-12
Posts: 138

how do I find out what process is transitory in unhide procall?

How can I log or otherwise identify what this process is?

Found HIDDEN PID: 716687
	Cmdline: "<none>"
	Executable: "<no link>"
	"<none>  ... maybe a transitory process"

Found HIDDEN PID: 724877
	Cmdline: "<none>"
	Executable: "<no link>"
	"<none>  ... maybe a transitory process"


#2 2022-06-18 00:35:30

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 26,877

Re: how do I find out what process is transitory in unhide procall?

What is that output from?

You could find it under /proc and see if it is a child of another process.  But why do you care?  What's the real goal here?


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#3 2022-06-18 01:09:54

afader
Member
Registered: 2013-09-12
Posts: 138

Re: how do I find out what process is transitory in unhide procall?

Occasionally I run a bunch of random security stuff to audit my system for malware and rootkits, and when I run unhide procall, occasionally I see that message. But by the time I look for the process, it's gone. Is there some way to catch it?


#4 2022-06-18 01:14:06

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 26,877

Re: how do I find out what process is transitory in unhide procall?

Ah, you are running "unhide procall" from [community]/unhide.

How long after you run that are you looking for the process?  If the process is gone, why then do you care?  It's gone.  Even if it's still there, again, why would you care?  This is not even remotely out of the ordinary.  This is certainly not an indicator of malware or a rootkit.

EDIT: perhaps I should step out of this thread.  I misunderstood the initial post as I didn't realize you were referring to a particular software tool "unhide".  Having checked out that tool, I've found the whole idea to be based on an absurd logical fallacy and I'd not trust its output as far as I could throw it.  So I'd not bother interpreting any of its output.  I might be able to give ideas on how to script a run of "unhide" and capture the pids and immediately gather more info about those PIDs, but 1) this would serve no purpose as - again - the whole thing is based on bad thinking and 2) the original tool should be able to give this information itself.

Last edited by Trilby (2022-06-18 01:24:47)


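The "script a run of unhide and immediately gather more info about those PIDs" idea from the post above, as an added example that is not part of the thread or of the unhide project: it parses the `Found HIDDEN PID: N` lines shown in the first post, reads /proc for each PID right away, and records the PID as gone if it exited in between (the transitory case). It assumes `unhide procall` is on PATH and is run as root; SAMPLE_OUTPUT is constructed in the shape of the output quoted above.

```python
"""Wrap `unhide procall`, then read /proc for each reported PID before it vanishes."""
import os
import re
import subprocess

HIDDEN_PID_RE = re.compile(r"^Found HIDDEN PID:\s*(\d+)", re.MULTILINE)

# Constructed sample, same shape as the output quoted in the first post.
SAMPLE_OUTPUT = (
    'Found HIDDEN PID: 716687\n\tCmdline: "<none>"\n\tExecutable: "<no link>"\n'
    '\t"<none>  ... maybe a transitory process"\n\n'
    'Found HIDDEN PID: 724877\n\tCmdline: "<none>"\n\tExecutable: "<no link>"\n'
)


def parse_hidden_pids(output: str) -> list[int]:
    """PIDs from every 'Found HIDDEN PID: N' line, in the order unhide printed them."""
    return [int(m.group(1)) for m in HIDDEN_PID_RE.finditer(output)]


def snapshot_proc(pid: int, proc_root: str = "/proc") -> dict:
    """Read what /proc still holds for pid; 'gone' is True if it already exited."""
    base = os.path.join(proc_root, str(pid))
    info = {"pid": pid, "gone": False}
    try:
        with open(os.path.join(base, "status"), encoding="utf-8", errors="replace") as f:
            for line in f:
                key, _, val = line.partition(":")
                if key in ("Name", "State", "PPid", "Uid"):
                    info[key.lower()] = val.strip()
        with open(os.path.join(base, "cmdline"), "rb") as f:
            info["cmdline"] = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except (FileNotFoundError, ProcessLookupError):
        info["gone"] = True  # exited between unhide's scan and our read
        return info
    try:
        info["exe"] = os.readlink(os.path.join(base, "exe"))
    except OSError:  # kernel thread, or we lack permission to follow the link
        info["exe"] = None
    ppid = info.get("ppid")
    if ppid and ppid != "0":  # name the parent, which is what makes a short-lived child explainable
        try:
            with open(os.path.join(proc_root, ppid, "comm"), encoding="utf-8") as f:
                info["parent"] = f.read().strip()
        except OSError:
            info["parent"] = None
    return info


if __name__ == "__main__":
    # Any delay between the scan and the lookup lets a short-lived process exit, so look up at once.
    result = subprocess.run(["unhide", "procall"], capture_output=True, text=True)
    for hidden_pid in parse_hidden_pids(result.stdout):
        print(snapshot_proc(hidden_pid))
```

Even with the immediate lookup, a process that lived only for the duration of unhide's own scan will still be reported as gone, which is the case the thread is about.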
