You are not logged in.

#1 2022-06-17 23:05:58

afader
Member
Registered: 2013-09-12
Posts: 144

how do I find out what process is transitory in unhide procall?

How can I log or otherwise identify what this process is?

Found HIDDEN PID: 716687
	Cmdline: "<none>"
	Executable: "<no link>"
	"<none>  ... maybe a transitory process"

Found HIDDEN PID: 724877
	Cmdline: "<none>"
	Executable: "<no link>"
	"<none>  ... maybe a transitory process"

Offline

#2 2022-06-18 00:35:30

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 27,053
Website

Re: how do I find out what process is transitory in unhide procall?

What is that output from?

You could find it under /proc and see if it is a child of another process.  But why do you care?  What's the real goal here?


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#3 2022-06-18 01:09:54

afader
Member
Registered: 2013-09-12
Posts: 144

Re: how do I find out what process is transitory in unhide procall?

Occasionally I run a bunch of random security stuff to audit my system for malware and rootkits, and when I run unhide procall, occasionally I see that message. But by the time I look for the process, it's gone. Is there some way to catch it?

Offline

#4 2022-06-18 01:14:06

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 27,053
Website

Re: how do I find out what process is transitory in unhide procall?

Ah, you are running "unhide procoll" from [community]/unhide.

How long after your run that are you looking for the process?  If the process is gone, why then do you care?  It's gone.  Even if it's still there, again, why would you care?  This is not even remotely out of the ordinary.  This is certainly not an indicator of malware or a rootkit.

EDIT: perhaps I should step out of this thread.  I misunderstood the initial post as I didn't realize you were referring to a particular software tool "unhide".  Having checked out that tool, I've found the whole idea to be based on an absurd logical fallacy and I'd not trust it's output as far as I could throw it.  So I'd not bother interpreting any of it's output.  I might be able to give ideas on how to script a run of "unhide" and capture the pids and immediately gather more info about those PIDs, but 1) this would serve no purpose as - again - the whole this is based on bad thinking and 2) the original tool should be able to give this information itself.

Last edited by Trilby (2022-06-18 01:24:47)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#5 2022-07-15 23:32:44

afader
Member
Registered: 2013-09-12
Posts: 144

Re: how do I find out what process is transitory in unhide procall?

I'm open to learn more about this or to understand more why I should disregard this. result, which looks like the following, when I go to check for those processes they are gone.

> sudo unhide procall
Unhide 20210124
Copyright © 2010-2021 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info

NOTE : This version of unhide is for systems using Linux >= 2.6 

Used options: 
[*]Searching for Hidden processes through /proc stat scanning

[*]Searching for Hidden processes through /proc chdir scanning

[*]Searching for Hidden processes through /proc opendir scanning

[*]Searching for Hidden thread through /proc/pid/task readdir scanning

Found HIDDEN PID: 531959
	Cmdline: "<none>"
	Executable: "<no link>"
	"<none>  ... maybe a transitory process"

Found HIDDEN PID: 535576
	Cmdline: "<none>"
	Executable: "<no link>"
	"<none>  ... maybe a transitory process"

Found HIDDEN PID: 534670
	Cmdline: "<none>"
	Executable: "<no link>"
	"<none>  ... maybe a transitory process"

Is there a better tool to look for hidden processes or another suggestion on how to be vigilant for rootkits and malware? I'm using the hardened kernel, lkrg, lynis, tiger, clamav/clamscan/freshclam, opensnitchd, maldet, I've gone through the suggestions on the wiki for hardening tcp/ip and other various sysctl options, hardened tmp mount options, my regular user isn't in wheel and my root has no shell (although pkexec seems to be able to bypass this), apparmor, systemd service hardening for my servers, and firejail. I use the machine as a file server and bittorent client. I want to be pretty paranoid that's why I'm checking this stuff.

Last edited by afader (2022-07-15 23:34:58)

Offline

#6 2022-07-16 00:38:04

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 27,053
Website

Re: how do I find out what process is transitory in unhide procall?

I don't know of methods to look for malware - rather common sense prevention such as knowing / understanding the software you use and where it came from, not clicking fishy links, not responding to nigerian bankers (and not using an email client that automatically and fully renders HTML), etc.

As for looking for "hidden" processes, I actually don't have reason to doubt that the software you are using is not well suited to that task.  The problem is that task - of listing "hidden" processes - has absolutely no bearing on security ... at all.  That is not even remotely a meaningful way of looking for rootkits / malware / etc.  I believe you are barking up the wrong tree with even pursuing the goal of finding information about hidden processes - and that's why I figured I might be best leaving this discussion to others.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#7 2022-07-16 07:45:29

seth
Member
Registered: 2012-09-03
Posts: 30,882

Re: how do I find out what process is transitory in unhide procall?

Fyi, those are most likely kernel threads and there was suggestion to even prevent userspace processes to have an empty cmdline at all, https://lkml.org/lkml/2018/5/16/1084 (not idea whether that made it w/ the clean-ups)
A "rootkit" approach would seek to undermine the kernel, manipulate the procfs and *completely* hide the PID (at least)

Offline

#8 2022-07-16 15:32:34

afader
Member
Registered: 2013-09-12
Posts: 144

Re: how do I find out what process is transitory in unhide procall?

@Trilby thanks. I mean that's fair but there are other ways to get malware than fishy HTML emails, links and Nigerians bankers. For example there has been malware in the aur, https://www.bleepingcomputer.com/news/s … epository/ There are also exploits like hidden unicode inside of innocuous looking code etc. What I'm mostly worried about is if there might be some kind of undisclosed or 0day vulnerability e.g. for years various critical system software like openssl had undisclosed or unknown issues. As mentioned I run servers which connect to torrents etc and it seems entirely possible that there are unpatched issues in nginx or transmission that would allow people to attack my system.

@Seth thanks. I see lots of kworkers and other kernel stuff in ps and htop but then the PIDs don't match the ones that unhide shows.

Offline

#9 2022-07-16 15:36:22

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 27,053
Website

Re: how do I find out what process is transitory in unhide procall?

afader wrote:

@Trilby thanks. I mean that's fair but there are other ways to get malware than fishy HTML emails, links and Nigerians bankers.

Which is why those were just the last of several points I mentioned.

afader wrote:

For example there has been malware in the aur... There are also exploits like hidden unicode inside of innocuous looking code etc.

Yup, and these both fall in the the first point I mentioned - so they're not really exceptions.

afader wrote:

What I'm mostly worried about is if there might be some kind of undisclosed or 0day vulnerability e.g. for years various critical system software like openssl...

And none of your examples related in any way to processes in the proc tree with empty names / command lines (aka "hidden" processes).


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#10 2022-07-16 15:49:29

seth
Member
Registered: 2012-09-03
Posts: 30,882

Re: how do I find out what process is transitory in unhide procall?

h/top will poll the process tree and at what? 0.2/s? And unhide runs once?
Those kernel jobs can be very short lived.
Also top *will* interpret processes w/ empty cmdline as kthread, does unhide not list a single "hidden" PID that matches a kthread entry in top?
(Some jobs should run for a very long time)

Offline

#11 2022-07-16 19:35:49

afader
Member
Registered: 2013-09-12
Posts: 144

Re: how do I find out what process is transitory in unhide procall?

So I see

> ps aux | grep kthread
root           2  0.0  0.0      0     0 ?        S    Jul15   0:00 [kthreadd]
root          12  0.0  0.0      0     0 ?        I    Jul15   0:00 [rcu_tasks_kthread]
root          13  0.0  0.0      0     0 ?        I    Jul15   0:00 [rcu_tasks_rude_kthread]
root          14  0.0  0.0      0     0 ?        I    Jul15   0:00 [rcu_tasks_trace_kthread]
root         330  0.0  0.0      0     0 ?        S    Jul15   0:42 [nvidia-modeset/kthread_q]
root         331  0.0  0.0      0     0 ?        S    Jul15   0:00 [nvidia-modeset/deferred_close_kthread_q]

But when I do see the processes in unhide they have much bigger pids and they do not match

Offline

#12 2022-07-16 19:55:33

seth
Member
Registered: 2012-09-03
Posts: 30,882

Re: how do I find out what process is transitory in unhide procall?

If unhide lists lots and lots of PIDs, grep for the PIDs you know are there.
You already know that the PIDs unhide "finds" are then not listed by "ps aux" (I'd not be surprised if unhide triggers those threads itself…) so that direction won't yield any results.

Offline

#13 2022-07-16 20:04:00

afader
Member
Registered: 2013-09-12
Posts: 144

Re: how do I find out what process is transitory in unhide procall?

No unhide usually doesn't return anything. And there are several different ways that unhide can check for processes, but the only one that seems to return anything is "procall." Sometimes I do see 2-3 processes show up for that. they have PIDs. but then by the time I go to look for that PID in ps or (h)top or anything else, I don't see them

Here's one

> sudo unhide procall
Unhide 20210124
Copyright © 2010-2021 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info

NOTE : This version of unhide is for systems using Linux >= 2.6 

Used options: 
[*]Searching for Hidden processes through /proc stat scanning

[*]Searching for Hidden processes through /proc chdir scanning

[*]Searching for Hidden processes through /proc opendir scanning

[*]Searching for Hidden thread through /proc/pid/task readdir scanning

Found HIDDEN PID: 1106816
	Cmdline: "<none>"
	Executable: "<no link>"
	"<none>  ... maybe a transitory process"

Found HIDDEN PID: 1107308
	Cmdline: "<none>"
	Executable: "<no link>"
	"<none>  ... maybe a transitory process"

Found HIDDEN PID: 1107309
	Cmdline: "<none>"
	Executable: "<no link>"
	"<none>  ... maybe a transitory process"

Found HIDDEN PID: 1107401
	Cmdline: "<none>"
	Executable: "<no link>"
	"<none>  ... maybe a transitory process"

Found HIDDEN PID: 1107509
	Cmdline: "<none>"
	Executable: "<no link>"
	"<none>  ... maybe a transitory process"
❯ ps aux | grep kworker
root           7  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/0:0H-events_highpri]
root           9  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/0:1H-events_highpri]
root          27  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/1:0H-kblockd]
root          33  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/2:0H-events_highpri]
root          39  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/3:0H-events_highpri]
root          45  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/4:0H-events_highpri]
root          51  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/5:0H-events_highpri]
root          57  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/6:0H-events_highpri]
root          63  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/7:0H-events_highpri]
root          69  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/8:0H-events_highpri]
root          75  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/9:0H-events_highpri]
root          81  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/10:0H-events_highpri]
root          88  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/11:0H-events_highpri]
root          94  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/12:0H-kblockd]
root         100  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/13:0H-events_highpri]
root         106  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/14:0H-events_highpri]
root         112  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/15:0H-kblockd]
root         118  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/16:0H-events_highpri]
root         124  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/17:0H-events_highpri]
root         130  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/18:0H-events_highpri]
root         136  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/19:0H-events_highpri]
root         158  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/2:1H-events_highpri]
root         218  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/u41:0-hci0]
root         257  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/8:1H-events_highpri]
root         260  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/7:1H-kblockd]
root         261  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/15:1H-events_highpri]
root         262  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/1:1H-events_highpri]
root         281  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/16:1H-events_highpri]
root         296  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/5:1H-kblockd]
root         297  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/3:1H-events_highpri]
root         301  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/18:1H-events_highpri]
root         308  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/10:1H-events_highpri]
root         309  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/9:1H-events_highpri]
root         310  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/4:1H-events_highpri]
root         312  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/6:1H-events_highpri]
root         316  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/12:1H-events_highpri]
root         337  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/11:1H-kblockd]
root         339  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/19:1H-events_highpri]
root         348  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/14:1H-kblockd]
root         355  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/13:1H-events_highpri]
root         389  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/17:1H-events_highpri]
root        3596  0.0  0.0      0     0 ?        I<   Jul15   0:00 [kworker/u41:2-hci0]
root     1025320  0.0  0.0      0     0 ?        I    11:06   0:00 [kworker/16:1-rcu_par_gp]
root     1028630  0.0  0.0      0     0 ?        I    11:20   0:00 [kworker/0:0-events]
root     1032161  0.0  0.0      0     0 ?        I    11:25   0:00 [kworker/17:1-events]
root     1032162  0.0  0.0      0     0 ?        I    11:25   0:00 [kworker/11:2-events]
root     1035293  0.0  0.0      0     0 ?        I    11:27   0:00 [kworker/3:1-events]
root     1036801  0.0  0.0      0     0 ?        I    11:32   0:00 [kworker/1:1-rcu_par_gp]
root     1037173  0.0  0.0      0     0 ?        I    11:33   0:00 [kworker/4:2-events]
root     1037831  0.0  0.0      0     0 ?        I    11:33   0:00 [kworker/15:2-events]
root     1037832  0.0  0.0      0     0 ?        I    11:33   0:00 [kworker/12:1-events]
root     1039142  0.0  0.0      0     0 ?        I    11:34   0:00 [kworker/7:0-events]
root     1039797  0.0  0.0      0     0 ?        I    11:34   0:00 [kworker/13:0-cgroup_destroy]
root     1045111  0.0  0.0      0     0 ?        I    12:06   0:00 [kworker/3:0-rcu_par_gp]
root     1049011  0.0  0.0      0     0 ?        I    12:31   0:00 [kworker/15:1-events]
root     1064377  0.0  0.0      0     0 ?        I    14:07   0:00 [kworker/13:2-events]
root     1064380  0.0  0.0      0     0 ?        I    14:07   0:00 [kworker/0:1-events]
root     1073929  0.0  0.0      0     0 ?        I    15:08   0:00 [kworker/14:2-events]
root     1073933  0.0  0.0      0     0 ?        I    15:08   0:00 [kworker/9:1-events]
root     1073935  0.1  0.0      0     0 ?        I    15:08   0:05 [kworker/u40:4-events_unbound]
root     1076396  0.1  0.0      0     0 ?        I    15:24   0:02 [kworker/u40:1-flush-259:0]
root     1078991  0.0  0.0      0     0 ?        I    15:34   0:00 [kworker/18:2-events]
root     1078992  0.0  0.0      0     0 ?        I    15:34   0:00 [kworker/19:2-events]
root     1079617  0.0  0.0      0     0 ?        I    15:36   0:00 [kworker/16:2-rcu_par_gp]
root     1080794  0.0  0.0      0     0 ?        I    15:39   0:00 [kworker/5:1-rcu_par_gp]
root     1081304  0.0  0.0      0     0 ?        I    15:41   0:00 [kworker/6:2-rcu_par_gp]
root     1081609  0.0  0.0      0     0 ?        I    15:41   0:00 [kworker/7:1-rcu_par_gp]
root     1083045  0.0  0.0      0     0 ?        I    15:47   0:00 [kworker/8:1-rcu_par_gp]
root     1083046  0.0  0.0      0     0 ?        I    15:47   0:00 [kworker/14:0-events]
root     1083053  0.0  0.0      0     0 ?        I    15:47   0:00 [kworker/6:0-mm_percpu_wq]
root     1083054  0.0  0.0      0     0 ?        I    15:47   0:00 [kworker/1:0-events]
root     1083340  0.1  0.0      0     0 ?        I    15:48   0:01 [kworker/u40:3-events_power_efficient]
root     1083357  0.0  0.0      0     0 ?        I    15:48   0:00 [kworker/2:0-mm_percpu_wq]
root     1085194  0.0  0.0      0     0 ?        I    15:53   0:00 [kworker/19:0-mm_percpu_wq]
root     1085195  0.0  0.0      0     0 ?        I    15:53   0:00 [kworker/10:1-events]
root     1085459  0.0  0.0      0     0 ?        I    15:53   0:00 [kworker/4:1-events]
root     1085460  0.0  0.0      0     0 ?        I    15:53   0:00 [kworker/17:2-events]
root     1085461  0.0  0.0      0     0 ?        I    15:53   0:00 [kworker/9:0-rcu_par_gp]
root     1085874  0.0  0.0      0     0 ?        I    15:55   0:00 [kworker/12:0-rcu_par_gp]
root     1090980  0.0  0.0      0     0 ?        I    15:57   0:00 [kworker/u40:2-flush-259:0]
root     1091935  0.0  0.0      0     0 ?        I    15:58   0:00 [kworker/5:0-events]
root     1094247  0.0  0.0      0     0 ?        I    15:59   0:00 [kworker/8:0-rcu_gp]
root     1094248  0.0  0.0      0     0 ?        I    15:59   0:00 [kworker/18:1-mm_percpu_wq]
root     1094249  0.0  0.0      0     0 ?        I    15:59   0:00 [kworker/10:0-mm_percpu_wq]
root     1096145  0.0  0.0      0     0 ?        I    16:01   0:00 [kworker/2:2-events]
root     1096146  0.0  0.0      0     0 ?        I    16:01   0:00 [kworker/11:0-events]
root     1096533  0.0  0.0      0     0 ?        I    16:02   0:00 [kworker/9:2-events]
root     1096551  0.0  0.0      0     0 ?        I    16:02   0:00 [kworker/4:0-events]
root     1096552  0.0  0.0      0     0 ?        I    16:02   0:00 [kworker/3:2-mm_percpu_wq]
root     1096557  0.0  0.0      0     0 ?        I    16:02   0:00 [kworker/19:1]
root     1097901  0.0  0.0      0     0 ?        I    16:03   0:00 [kworker/u40:0-events_unbound]
root     1098793  0.0  0.0      0     0 ?        I    16:04   0:00 [kworker/13:1-events]
root     1100276  0.1  0.0      0     0 ?        I    16:04   0:00 [kworker/u40:5-events_unbound]
root     1100277  0.0  0.0      0     0 ?        I    16:04   0:00 [kworker/u40:6]
root     1100298  0.0  0.0      0     0 ?        I    16:04   0:00 [kworker/15:0-events]
root     1100299  0.0  0.0      0     0 ?        I    16:04   0:00 [kworker/1:2-events]
root     1100300  0.0  0.0      0     0 ?        I    16:04   0:00 [kworker/16:0-events]
root     1100809  0.0  0.0      0     0 ?        I    16:04   0:00 [kworker/10:2-rcu_par_gp]
root     1100811  0.0  0.0      0     0 ?        I    16:04   0:00 [kworker/7:2-events]
root     1103927  0.0  0.0      0     0 ?        I    16:05   0:00 [kworker/5:2-mm_percpu_wq]
root     1103928  0.0  0.0      0     0 ?        I    16:05   0:00 [kworker/12:2-mm_percpu_wq]
root     1103933  0.0  0.0      0     0 ?        I    16:05   0:00 [kworker/18:0]
root     1104097  0.0  0.0      0     0 ?        I    16:05   0:00 [kworker/14:1-events]
root     1107857  0.0  0.0      0     0 ?        I    16:07   0:00 [kworker/8:2-mm_percpu_wq]

Last edited by afader (2022-07-16 20:10:30)

Offline

#14 2022-07-16 21:09:40

seth
Member
Registered: 2012-09-03
Posts: 30,882

Re: how do I find out what process is transitory in unhide procall?

You'll have to ask upstream how they qualify this.
A really silly explanation would be that the tool scans /proc, then checks what ps can see and points out the differences.
This will predictably produce false positives for short lived kernel threads.

Offline

Board footer

Powered by FluxBB