How can I log or otherwise identify what this process is?
Found HIDDEN PID: 716687
Cmdline: "<none>"
Executable: "<no link>"
"<none> ... maybe a transitory process"
Found HIDDEN PID: 724877
Cmdline: "<none>"
Executable: "<no link>"
"<none> ... maybe a transitory process"
What is that output from?
You could find it under /proc and see if it is a child of another process. But why do you care? What's the real goal here?
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Occasionally I run a bunch of random security stuff to audit my system for malware and rootkits, and when I run unhide procall, occasionally I see that message. But by the time I look for the process, it's gone. Is there some way to catch it?
Ah, you are running "unhide procall" from [community]/unhide.
How long after your run that are you looking for the process? If the process is gone, why then do you care? It's gone. Even if it's still there, again, why would you care? This is not even remotely out of the ordinary. This is certainly not an indicator of malware or a rootkit.
EDIT: perhaps I should step out of this thread. I misunderstood the initial post as I didn't realize you were referring to a particular software tool "unhide". Having checked out that tool, I've found the whole idea to be based on an absurd logical fallacy and I'd not trust its output as far as I could throw it. So I'd not bother interpreting any of its output. I might be able to give ideas on how to script a run of "unhide" and capture the PIDs and immediately gather more info about those PIDs, but 1) this would serve no purpose as - again - the whole thing is based on bad thinking and 2) the original tool should be able to give this information itself.
Last edited by Trilby (2022-06-18 01:24:47)
I'm open to learning more about this or to understanding why I should disregard this result, which looks like the following; when I go to check for those processes they are gone.
> sudo unhide procall
Unhide 20210124
Copyright © 2010-2021 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info
NOTE : This version of unhide is for systems using Linux >= 2.6
Used options:
[*]Searching for Hidden processes through /proc stat scanning
[*]Searching for Hidden processes through /proc chdir scanning
[*]Searching for Hidden processes through /proc opendir scanning
[*]Searching for Hidden thread through /proc/pid/task readdir scanning
Found HIDDEN PID: 531959
Cmdline: "<none>"
Executable: "<no link>"
"<none> ... maybe a transitory process"
Found HIDDEN PID: 535576
Cmdline: "<none>"
Executable: "<no link>"
"<none> ... maybe a transitory process"
Found HIDDEN PID: 534670
Cmdline: "<none>"
Executable: "<no link>"
"<none> ... maybe a transitory process"
Is there a better tool to look for hidden processes or another suggestion on how to be vigilant for rootkits and malware? I'm using the hardened kernel, lkrg, lynis, tiger, clamav/clamscan/freshclam, opensnitchd, maldet, I've gone through the suggestions on the wiki for hardening tcp/ip and other various sysctl options, hardened tmp mount options, my regular user isn't in wheel and my root has no shell (although pkexec seems to be able to bypass this), apparmor, systemd service hardening for my servers, and firejail. I use the machine as a file server and BitTorrent client. I want to be pretty paranoid, which is why I'm checking this stuff.
Last edited by afader (2022-07-15 23:34:58)
I don't know of methods to look for malware - rather common sense prevention such as knowing / understanding the software you use and where it came from, not clicking fishy links, not responding to Nigerian bankers (and not using an email client that automatically and fully renders HTML), etc.
As for looking for "hidden" processes, I actually don't have reason to doubt that the software you are using is not well suited to that task. The problem is that task - of listing "hidden" processes - has absolutely no bearing on security ... at all. That is not even remotely a meaningful way of looking for rootkits / malware / etc. I believe you are barking up the wrong tree with even pursuing the goal of finding information about hidden processes - and that's why I figured I might be best leaving this discussion to others.
Fyi, those are most likely kernel threads and there was a suggestion to even prevent userspace processes from having an empty cmdline at all, https://lkml.org/lkml/2018/5/16/1084 (no idea whether that made it w/ the clean-ups)
A "rootkit" approach would seek to undermine the kernel, manipulate the procfs and *completely* hide the PID (at least)
@Trilby thanks. I mean that's fair but there are other ways to get malware than fishy HTML emails, links and Nigerian bankers. For example there has been malware in the AUR, https://www.bleepingcomputer.com/news/s … epository/ There are also exploits like hidden unicode inside of innocuous looking code etc. What I'm mostly worried about is if there might be some kind of undisclosed or 0day vulnerability e.g. for years various critical system software like openssl had undisclosed or unknown issues. As mentioned I run servers which connect to torrents etc and it seems entirely possible that there are unpatched issues in nginx or transmission that would allow people to attack my system.
@Seth thanks. I see lots of kworkers and other kernel stuff in ps and htop but then the PIDs don't match the ones that unhide shows.
@Trilby thanks. I mean that's fair but there are other ways to get malware than fishy HTML emails, links and Nigerian bankers.
Which is why those were just the last of several points I mentioned.
For example there has been malware in the AUR... There are also exploits like hidden unicode inside of innocuous looking code etc.
Yup, and these both fall in the first point I mentioned - so they're not really exceptions.
What I'm mostly worried about is if there might be some kind of undisclosed or 0day vulnerability e.g. for years various critical system software like openssl...
And none of your examples related in any way to processes in the proc tree with empty names / command lines (aka "hidden" processes).
h/top will poll the process tree and at what? 0.2/s? And unhide runs once?
Those kernel jobs can be very short lived.
Also top *will* interpret processes w/ empty cmdline as kthread, does unhide not list a single "hidden" PID that matches a kthread entry in top?
(Some jobs should run for a very long time)
So I see
> ps aux | grep kthread
root 2 0.0 0.0 0 0 ? S Jul15 0:00 [kthreadd]
root 12 0.0 0.0 0 0 ? I Jul15 0:00 [rcu_tasks_kthread]
root 13 0.0 0.0 0 0 ? I Jul15 0:00 [rcu_tasks_rude_kthread]
root 14 0.0 0.0 0 0 ? I Jul15 0:00 [rcu_tasks_trace_kthread]
root 330 0.0 0.0 0 0 ? S Jul15 0:42 [nvidia-modeset/kthread_q]
root 331 0.0 0.0 0 0 ? S Jul15 0:00 [nvidia-modeset/deferred_close_kthread_q]
But when I do see the processes in unhide they have much bigger PIDs and they do not match.
If unhide lists lots and lots of PIDs, grep for the PIDs you know are there.
You already know that the PIDs unhide "finds" are then not listed by "ps aux" (I'd not be surprised if unhide triggers those threads itself…) so that direction won't yield any results.
No, unhide usually doesn't return anything. And there are several different ways that unhide can check for processes, but the only one that seems to return anything is "procall." Sometimes I do see 2-3 processes show up for that. They have PIDs, but then by the time I go to look for that PID in ps or (h)top or anything else, I don't see them.
Here's one
> sudo unhide procall
Unhide 20210124
Copyright © 2010-2021 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info
NOTE : This version of unhide is for systems using Linux >= 2.6
Used options:
[*]Searching for Hidden processes through /proc stat scanning
[*]Searching for Hidden processes through /proc chdir scanning
[*]Searching for Hidden processes through /proc opendir scanning
[*]Searching for Hidden thread through /proc/pid/task readdir scanning
Found HIDDEN PID: 1106816
Cmdline: "<none>"
Executable: "<no link>"
"<none> ... maybe a transitory process"
Found HIDDEN PID: 1107308
Cmdline: "<none>"
Executable: "<no link>"
"<none> ... maybe a transitory process"
Found HIDDEN PID: 1107309
Cmdline: "<none>"
Executable: "<no link>"
"<none> ... maybe a transitory process"
Found HIDDEN PID: 1107401
Cmdline: "<none>"
Executable: "<no link>"
"<none> ... maybe a transitory process"
Found HIDDEN PID: 1107509
Cmdline: "<none>"
Executable: "<no link>"
"<none> ... maybe a transitory process"
❯ ps aux | grep kworker
root 7 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/0:0H-events_highpri]
root 9 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/0:1H-events_highpri]
root 27 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/1:0H-kblockd]
root 33 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/2:0H-events_highpri]
root 39 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/3:0H-events_highpri]
root 45 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/4:0H-events_highpri]
root 51 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/5:0H-events_highpri]
root 57 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/6:0H-events_highpri]
root 63 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/7:0H-events_highpri]
root 69 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/8:0H-events_highpri]
root 75 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/9:0H-events_highpri]
root 81 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/10:0H-events_highpri]
root 88 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/11:0H-events_highpri]
root 94 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/12:0H-kblockd]
root 100 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/13:0H-events_highpri]
root 106 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/14:0H-events_highpri]
root 112 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/15:0H-kblockd]
root 118 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/16:0H-events_highpri]
root 124 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/17:0H-events_highpri]
root 130 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/18:0H-events_highpri]
root 136 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/19:0H-events_highpri]
root 158 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/2:1H-events_highpri]
root 218 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/u41:0-hci0]
root 257 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/8:1H-events_highpri]
root 260 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/7:1H-kblockd]
root 261 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/15:1H-events_highpri]
root 262 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/1:1H-events_highpri]
root 281 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/16:1H-events_highpri]
root 296 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/5:1H-kblockd]
root 297 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/3:1H-events_highpri]
root 301 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/18:1H-events_highpri]
root 308 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/10:1H-events_highpri]
root 309 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/9:1H-events_highpri]
root 310 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/4:1H-events_highpri]
root 312 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/6:1H-events_highpri]
root 316 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/12:1H-events_highpri]
root 337 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/11:1H-kblockd]
root 339 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/19:1H-events_highpri]
root 348 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/14:1H-kblockd]
root 355 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/13:1H-events_highpri]
root 389 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/17:1H-events_highpri]
root 3596 0.0 0.0 0 0 ? I< Jul15 0:00 [kworker/u41:2-hci0]
root 1025320 0.0 0.0 0 0 ? I 11:06 0:00 [kworker/16:1-rcu_par_gp]
root 1028630 0.0 0.0 0 0 ? I 11:20 0:00 [kworker/0:0-events]
root 1032161 0.0 0.0 0 0 ? I 11:25 0:00 [kworker/17:1-events]
root 1032162 0.0 0.0 0 0 ? I 11:25 0:00 [kworker/11:2-events]
root 1035293 0.0 0.0 0 0 ? I 11:27 0:00 [kworker/3:1-events]
root 1036801 0.0 0.0 0 0 ? I 11:32 0:00 [kworker/1:1-rcu_par_gp]
root 1037173 0.0 0.0 0 0 ? I 11:33 0:00 [kworker/4:2-events]
root 1037831 0.0 0.0 0 0 ? I 11:33 0:00 [kworker/15:2-events]
root 1037832 0.0 0.0 0 0 ? I 11:33 0:00 [kworker/12:1-events]
root 1039142 0.0 0.0 0 0 ? I 11:34 0:00 [kworker/7:0-events]
root 1039797 0.0 0.0 0 0 ? I 11:34 0:00 [kworker/13:0-cgroup_destroy]
root 1045111 0.0 0.0 0 0 ? I 12:06 0:00 [kworker/3:0-rcu_par_gp]
root 1049011 0.0 0.0 0 0 ? I 12:31 0:00 [kworker/15:1-events]
root 1064377 0.0 0.0 0 0 ? I 14:07 0:00 [kworker/13:2-events]
root 1064380 0.0 0.0 0 0 ? I 14:07 0:00 [kworker/0:1-events]
root 1073929 0.0 0.0 0 0 ? I 15:08 0:00 [kworker/14:2-events]
root 1073933 0.0 0.0 0 0 ? I 15:08 0:00 [kworker/9:1-events]
root 1073935 0.1 0.0 0 0 ? I 15:08 0:05 [kworker/u40:4-events_unbound]
root 1076396 0.1 0.0 0 0 ? I 15:24 0:02 [kworker/u40:1-flush-259:0]
root 1078991 0.0 0.0 0 0 ? I 15:34 0:00 [kworker/18:2-events]
root 1078992 0.0 0.0 0 0 ? I 15:34 0:00 [kworker/19:2-events]
root 1079617 0.0 0.0 0 0 ? I 15:36 0:00 [kworker/16:2-rcu_par_gp]
root 1080794 0.0 0.0 0 0 ? I 15:39 0:00 [kworker/5:1-rcu_par_gp]
root 1081304 0.0 0.0 0 0 ? I 15:41 0:00 [kworker/6:2-rcu_par_gp]
root 1081609 0.0 0.0 0 0 ? I 15:41 0:00 [kworker/7:1-rcu_par_gp]
root 1083045 0.0 0.0 0 0 ? I 15:47 0:00 [kworker/8:1-rcu_par_gp]
root 1083046 0.0 0.0 0 0 ? I 15:47 0:00 [kworker/14:0-events]
root 1083053 0.0 0.0 0 0 ? I 15:47 0:00 [kworker/6:0-mm_percpu_wq]
root 1083054 0.0 0.0 0 0 ? I 15:47 0:00 [kworker/1:0-events]
root 1083340 0.1 0.0 0 0 ? I 15:48 0:01 [kworker/u40:3-events_power_efficient]
root 1083357 0.0 0.0 0 0 ? I 15:48 0:00 [kworker/2:0-mm_percpu_wq]
root 1085194 0.0 0.0 0 0 ? I 15:53 0:00 [kworker/19:0-mm_percpu_wq]
root 1085195 0.0 0.0 0 0 ? I 15:53 0:00 [kworker/10:1-events]
root 1085459 0.0 0.0 0 0 ? I 15:53 0:00 [kworker/4:1-events]
root 1085460 0.0 0.0 0 0 ? I 15:53 0:00 [kworker/17:2-events]
root 1085461 0.0 0.0 0 0 ? I 15:53 0:00 [kworker/9:0-rcu_par_gp]
root 1085874 0.0 0.0 0 0 ? I 15:55 0:00 [kworker/12:0-rcu_par_gp]
root 1090980 0.0 0.0 0 0 ? I 15:57 0:00 [kworker/u40:2-flush-259:0]
root 1091935 0.0 0.0 0 0 ? I 15:58 0:00 [kworker/5:0-events]
root 1094247 0.0 0.0 0 0 ? I 15:59 0:00 [kworker/8:0-rcu_gp]
root 1094248 0.0 0.0 0 0 ? I 15:59 0:00 [kworker/18:1-mm_percpu_wq]
root 1094249 0.0 0.0 0 0 ? I 15:59 0:00 [kworker/10:0-mm_percpu_wq]
root 1096145 0.0 0.0 0 0 ? I 16:01 0:00 [kworker/2:2-events]
root 1096146 0.0 0.0 0 0 ? I 16:01 0:00 [kworker/11:0-events]
root 1096533 0.0 0.0 0 0 ? I 16:02 0:00 [kworker/9:2-events]
root 1096551 0.0 0.0 0 0 ? I 16:02 0:00 [kworker/4:0-events]
root 1096552 0.0 0.0 0 0 ? I 16:02 0:00 [kworker/3:2-mm_percpu_wq]
root 1096557 0.0 0.0 0 0 ? I 16:02 0:00 [kworker/19:1]
root 1097901 0.0 0.0 0 0 ? I 16:03 0:00 [kworker/u40:0-events_unbound]
root 1098793 0.0 0.0 0 0 ? I 16:04 0:00 [kworker/13:1-events]
root 1100276 0.1 0.0 0 0 ? I 16:04 0:00 [kworker/u40:5-events_unbound]
root 1100277 0.0 0.0 0 0 ? I 16:04 0:00 [kworker/u40:6]
root 1100298 0.0 0.0 0 0 ? I 16:04 0:00 [kworker/15:0-events]
root 1100299 0.0 0.0 0 0 ? I 16:04 0:00 [kworker/1:2-events]
root 1100300 0.0 0.0 0 0 ? I 16:04 0:00 [kworker/16:0-events]
root 1100809 0.0 0.0 0 0 ? I 16:04 0:00 [kworker/10:2-rcu_par_gp]
root 1100811 0.0 0.0 0 0 ? I 16:04 0:00 [kworker/7:2-events]
root 1103927 0.0 0.0 0 0 ? I 16:05 0:00 [kworker/5:2-mm_percpu_wq]
root 1103928 0.0 0.0 0 0 ? I 16:05 0:00 [kworker/12:2-mm_percpu_wq]
root 1103933 0.0 0.0 0 0 ? I 16:05 0:00 [kworker/18:0]
root 1104097 0.0 0.0 0 0 ? I 16:05 0:00 [kworker/14:1-events]
root 1107857 0.0 0.0 0 0 ? I 16:07 0:00 [kworker/8:2-mm_percpu_wq]
Last edited by afader (2022-07-16 20:10:30)
You'll have to ask upstream how they qualify this.
A really silly explanation would be that the tool scans /proc, then checks what ps can see and points out the differences.
This will predictably produce false positives for short lived kernel threads.
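Trilby's idea of scripting a run of unhide and gathering info on each PID before it vanishes, combined with the "is it a child of kthreadd / does it have an empty cmdline" checks above, looks roughly like this. This is an added example, not code from the thread or from the unhide project; it assumes the Linux procfs layout (PPid in /proc/<pid>/status, the flags field of /proc/<pid>/stat) and uses a constructed sample of unhide's output in the format shown in the thread.

```python
"""Script a run of unhide, capture the PIDs it reports and classify each one
immediately from /proc before it disappears (assumption: Linux procfs layout)."""
import os
import re
import subprocess

PF_KTHREAD = 0x00200000   # task flag set on kernel threads (include/linux/sched.h)
KTHREADD_PID = 2          # every kernel thread is a child of kthreadd
HIDDEN_RE = re.compile(r"^Found HIDDEN PID:\s*(\d+)", re.M)

# Constructed sample in the format shown in the thread, not a real capture.
SAMPLE_UNHIDE = """Found HIDDEN PID: 1106816
Cmdline: "<none>"
Executable: "<no link>"
"<none> ... maybe a transitory process"
Found HIDDEN PID: 1107308
Cmdline: "<none>"
"""

def parse_unhide_output(text):
    """PIDs from unhide's 'Found HIDDEN PID:' lines, in order."""
    return [int(p) for p in HIDDEN_RE.findall(text)]

def classify_text(pid, status_text, stat_text):
    """Decide from /proc/<pid>/status and /proc/<pid>/stat what the task is."""
    status = dict(line.split(":", 1) for line in status_text.splitlines() if ":" in line)
    name = status.get("Name", "").strip()
    ppid = int(status.get("PPid", "0"))
    # /proc/<pid>/stat: after the ')' closing comm come state, ppid, pgrp,
    # session, tty_nr, tpgid, flags, ...  so flags is field index 6.
    fields = stat_text[stat_text.rindex(")") + 1:].split()
    flags = int(fields[6])
    return {"pid": pid, "state": "present", "name": name, "ppid": ppid,
            "kthread": bool(flags & PF_KTHREAD) or ppid == KTHREADD_PID}

def classify(pid, proc="/proc"):
    """Read the PID's files right away; a PID that is already gone was transient."""
    base = os.path.join(proc, str(pid))
    try:
        with open(os.path.join(base, "status")) as f_status, \
             open(os.path.join(base, "stat")) as f_stat:
            return classify_text(pid, f_status.read(), f_stat.read())
    except OSError:
        return {"pid": pid, "state": "gone"}

if __name__ == "__main__":
    # Runs the same command the thread uses; needs root for unhide's /proc scans.
    out = subprocess.run(["sudo", "unhide", "procall"], capture_output=True, text=True).stdout
    for pid in parse_unhide_output(out):
        print(classify(pid))
```

A PID that comes back as "gone" or as a kthreadd child with a kworker name is the short-lived kernel thread false positive Seth describes; anything present, not a kernel thread and still with an empty cmdline is what would actually deserve a closer look.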