coder
Oct 8 2003, 10:18 PM
hey hexyboy,
-> I believe that your lil' trick is nifty, although "ps -elf" will still display that process (just tested it myself).
Is it possible to hide processes in a Unix shell?
Dillinja
Oct 7 2003, 04:13 PM
You could use replacement system programs to hide processes. For instance, replacing ps with a modified binary would allow you to run your processes without them showing up in the output.
It's usually found together with other modified files in a rootkit, including a modified ls, so not only will the average unsuspecting sysadmin not see the process you are running, the file itself will be hidden from view.
Beware though: if your process is very resource hungry, a smart admin won't be long in realising something is amiss.
Thanks for your reply...
but I don't have root to do that.
Hexboy
Oct 8 2003, 05:52 AM
Well, another simple way you could do it is to put your commands in a text file, like
hex@silver:~$ echo "nmap somehost && rm -rf test/" >> foo.txt
Then you could cat the text file and pipe it to bash.
hex@silver:~$ cat foo.txt | bash
and it should 'hide' it, showing just 'bash' in the process list.
Although, now that I think about it, it would probably still show up. It's what I call the
'wrapping idea'.
soulrider
Oct 8 2003, 12:30 PM
You can also change the argv[0] string to change the program name.
"bash" could be OK, I think.
strcpy(argv[0], "bash");
But how do I do that if I don't have the source.... I only have the proggy compiled...
Dillinja
Oct 8 2003, 09:08 PM
Absolutely no offence intended, and I don't mean to sound like a smart ass, but I think maybe you should pick up a copy of "Linux for Dummies" or some sort of *nix book for beginners. (Is there a Unix for Beginners?)
I've got "...Dummies" myself and it is a good book for starting out.
coder
Oct 9 2003, 12:57 PM
Hey, check out knark or phide, depending on which kernel (2.0, 2.2, 2.4?). There are a few LKM-based tools that would allow you to hide proc(s)...
http://www2.packetstormsecurity.org/cgi-bi...5Bsearch%5D.y=0 (btw, it also includes a kernel module to protect Linux 2.x from knark.)
-------------------------------------------------
Oh, you said Unix... what distribution are you talking about?
boshcash
Oct 28 2003, 10:04 AM
There is a program that allows you to run a process's PID on the PID of another program that's already running. I think it was at the xfocus.net site; try searching packetstormsecurity too.
tvm
Oct 28 2003, 04:43 PM
| QUOTE |
Linux process hiding: hiding from logs (although I see few legal situations where you would need to hide a process you ran). You can change the name of a process so it looks like another process, e.g. (from Phrack):
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char *p;
    size_t len = strlen(argv[0]);          /* space available in argv[0] */
    (void) argc;
    for (p = argv[0]; *p; p++) *p = 0;     /* blank the original name */
    if (len >= 2) strcpy(argv[0], "rn");   /* fits only if the old name was at least 2 chars */
    (void) getchar();                      /* pause so you can see that ps reports "rn" */
    return 0;
}
|
I compile this code without any problems...
but I don't know how to use it.
Please post some examples of using the proggy with... wget "ftp:\\blablabla.com\" or pico... ls... only to give me an idea.
Mental note: learn English!
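The argv[0] trick quoted above only rewrites memory the process itself owns; the kernel keeps two other views of the same process that it cannot touch the same way. As an added example (not from the thread or from Phrack), this Python script compares /proc/<pid>/cmdline with /proc/<pid>/comm and /proc/<pid>/exe and flags processes whose argv[0] matches neither. The finding codes and the 15-byte comm limit (TASK_COMM_LEN - 1 on Linux) are assumptions of this script; daemons that legitimately rewrite their title (setproctitle-style workers) will also be reported and need to be allow-listed.

```python
import os

# Linux truncates /proc/<pid>/comm to 15 bytes, so names are compared on that prefix
COMM_LEN = 15


def classify(cmdline, comm, exe):
    """Compare the three kernel views of one process and return a finding code.

    cmdline -- raw bytes of /proc/<pid>/cmdline (argv joined by NUL); this memory
               belongs to the process, which is what strcpy(argv[0], "rn") overwrites
    comm    -- text of /proc/<pid>/comm, set by the kernel at exec from the file name
    exe     -- os.readlink("/proc/<pid>/exe"), maintained by the kernel, not the process
    Returns None when the views agree, otherwise a short (assumed) finding code.
    """
    argv0 = cmdline.split(b"\0", 1)[0].decode("utf-8", "replace")
    if not argv0:
        return None                      # kernel thread or zombie: no argv to check
    comm = comm.strip()
    argv0_base = os.path.basename(argv0)[:COMM_LEN]
    exe_base = os.path.basename(exe.replace(" (deleted)", ""))[:COMM_LEN]
    if argv0_base == comm:
        return None                      # normal, or a multi-call symlink such as busybox
    if argv0_base == exe_base:
        return "comm-renamed"            # argv[0] still names the binary; comm changed (prctl)
    return "argv0-rewritten"             # argv[0] names neither: the "rn" trick above


def scan_proc(proc="/proc"):
    """Walk /proc and yield (pid, code, argv0, comm, exe) for each flagged process."""
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        base = os.path.join(proc, name)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read()
            with open(os.path.join(base, "comm")) as f:
                comm = f.read()
            exe = os.readlink(os.path.join(base, "exe"))
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue                     # process exited, or belongs to another user and we lack root
        code = classify(cmdline, comm, exe)
        if code:
            argv0 = cmdline.split(b"\0", 1)[0].decode("utf-8", "replace")
            yield int(name), code, argv0, comm.strip(), exe


if __name__ == "__main__":
    for pid, code, argv0, comm, exe in scan_proc():
        print(f"{pid:>7} {code:16} argv0={argv0!r} comm={comm!r} exe={exe}")
```

Run as root to see every process; unprivileged, only your own processes expose /proc/<pid>/exe.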