Friday, January 28, 2011

How to view linux hidden process and remove rootkit

I have just installed OSSEC and it is telling me this:

Process '2517' hidden from /proc. Possible kernel level rootkit.
Excessive number of hidden processes. It maybe a false-positive or something really bad is going on.

It's my live server and I host around 20 sites on it.

How can I remove that, and what maximum damage can it do?

  • It might be that OSSEC is using the unhide utility to check for hidden processes. This tool sometimes raises false-positives.

    You can check yourself by running unhide proc or unhide-linux26 proc for a 64bit system.

    From weeheavy
  • It would probably be a good thing to install and run rkhunter. If this confirms that you have been compromised then your only realistic action is to make a copy of the compromised server to analyse later then reinstall from scratch and recover using known good backups.

    From Iain
  • Do you see that hidden process every time you run OSSEC? If you see it only once, it could be that there was a delay between when OSSEC got the info from ps (say) and then it checked it against /proc. In the meantime the process may have terminated, raising the alert you just saw.
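The cross-check the first answer describes (what unhide does when it compares /proc with ps, plus probing PIDs directly) and the race the last answer points out can both be seen in a small script. The following is an added example written for this page; it is not code from the original question, from OSSEC, or from unhide. It assumes a Linux host with /proc mounted, a procps-style ps that accepts `ps -e -L -o lwp=`, and root privileges for a complete view (as an unprivileged user, kill(pid, 0) on someone else's process fails with EPERM, which the script still counts as "alive"). Thread IDs are treated as visible, because kill(tid, 0) succeeds for a thread that has no top-level /proc entry, and a candidate is only reported when it survives a second, delayed scan, which filters out processes that simply exited between the two listings.

```python
"""Cross-check running PIDs against /proc and ps to find hidden-process candidates.

A PID that answers kill(pid, 0) but is missing from /proc or from ps is what
rootkit checkers such as unhide and OSSEC's rootcheck report. Two scans with a
delay in between discard PIDs that were merely short-lived (the race that
produces one-off alerts). Added example, not the tools' own code.
"""
import os
import subprocess
import time


def pids_from_proc(proc_root="/proc"):
    """PIDs visible under /proc, plus thread IDs under /proc/<pid>/task.

    Thread IDs are included because kill(tid, 0) succeeds for a non-leader
    thread that has no top-level /proc directory of its own.
    """
    visible = set()
    try:
        names = os.listdir(proc_root)
    except OSError:
        return visible  # no /proc here (e.g. not Linux): empty view
    for name in names:
        if not name.isdigit():
            continue
        visible.add(int(name))
        try:
            tasks = os.listdir(os.path.join(proc_root, name, "task"))
            visible.update(int(t) for t in tasks if t.isdigit())
        except OSError:
            pass  # process exited between the two listdir calls
    return visible


def pids_from_ps():
    """Thread-level IDs reported by ps, or None if ps is unavailable or lacks -L."""
    try:
        out = subprocess.run(["ps", "-e", "-L", "-o", "lwp="],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return {int(tok) for tok in out.split() if tok.isdigit()}


def read_pid_max(path="/proc/sys/kernel/pid_max", default=32768):
    """Upper bound for the probe loop; falls back to the classic default."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def pids_alive_by_probe(max_pid):
    """PIDs that exist according to kill(pid, 0).

    EPERM means the process exists but belongs to another user, so it counts as
    alive; ESRCH means no such process.
    """
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:
            alive.add(pid)
        except ProcessLookupError:
            pass
    return alive


def hidden_candidates(alive_pids, views):
    """Map each alive PID that some view does not show to the names of those views.

    views: {"proc": set_or_None, "ps": set_or_None}; a None view is skipped.
    Pure function so it can be exercised on constructed sets.
    """
    result = {}
    for pid in sorted(alive_pids):
        missing = [name for name, seen in views.items()
                   if seen is not None and pid not in seen]
        if missing:
            result[pid] = missing
    return result


def confirmed_hidden(scan, delay=1.0, passes=2):
    """Run scan() repeatedly and keep only PIDs flagged in every pass.

    This is the defence against the race in the last answer: a process that
    exited between the ps and /proc snapshots will not be flagged twice.
    """
    survivors = None
    for i in range(passes):
        if i:
            time.sleep(delay)
        flagged = set(scan())
        survivors = flagged if survivors is None else survivors & flagged
    return survivors


def live_scan():
    """One pass over the real system: returns {pid: [views that miss it]}."""
    views = {"proc": pids_from_proc(), "ps": pids_from_ps()}
    return hidden_candidates(pids_alive_by_probe(read_pid_max()), views)


if __name__ == "__main__":
    hidden = confirmed_hidden(live_scan)
    print("confirmed hidden-process candidates:", sorted(hidden) or "none")
```

Run it as root so the probe sees every PID. An empty result does not prove the host is clean (a rootkit that hooks kill() as well as /proc would pass this check), and a non-empty one is a candidate list to investigate alongside rkhunter, not a verdict; if it keeps reappearing across scans, the second answer's advice about imaging the machine before rebuilding applies.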
