Bug#579598: unhide: '/bin/sh -> dash' may cause false alarm.

Shan-Bin Chen dreamerwolf.tw at gmail.com
Wed Apr 28 21:38:53 UTC 2010


Package: unhide
Version: 20100201-1
Severity: normal

I tested with both bash and dash as /bin/sh; with dash, an extra process is created. In the trace below, dash forks a separate child (pid 10182) to run `ps -eL o lwp` instead of exec'ing it directly, so one more process exists during the check than when bash is /bin/sh, which is what triggers the false "HIDDEN Processes Found" report.

$ ls /bin/sh -al
lrwxrwxrwx 1 root root 4 2009-09-28 08:02 /bin/sh -> dash

$strace -vv unhide sys
...
4548  write(1, "[*]Searching for Hidden processes through sysinfo()
scanning\n", 61) = 61
4548  write(1, "\n", 1)                 = 1
4548  sysinfo({uptime=64661, loads=[54816, 23904, 15008]
totalram=2110566400, freeram=19849216, sharedram=0, bufferram=135933952}
totalswap=2154979328, freeswap=2145746944, procs=256}) = 0
4548  pipe2([3, 4], O_CLOEXEC)          = 0
4548  clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|
CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xbef930) = 10181
4548  close(4)                          = 0
4548  fcntl(3, F_SETFD, 0 <unfinished ...>
10181 close(3 <unfinished ...>
4548  <... fcntl resumed> )             = 0
4548  fstat(3,  <unfinished ...>
10181 <... close resumed> )             = 0
4548  <... fstat resumed> {st_dev=makedev(0, 8), st_ino=1960525,
st_mode=S_IFIFO|0600, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096,
st_blocks=0, st_size=0, st_atime=2010/04/27-00:04:20,
st_mtime=2010/04/27-
00:04:20, st_ctime=2010/04/27-00:04:20}) = 0
10181 dup2(4, 1 <unfinished ...>
4548  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0 <unfinished ...>
10181 <... dup2 resumed> )              = 1
4548  <... mmap resumed> )              = 0x7f54b7618000
4548  read(3,  <unfinished ...>
10181 close(4)                          = 0
10181 execve("/bin/sh", ["sh", "-c", "ps -eL o lwp"], ["TERM=xterm",
"LS_COLORS=rs=0:di=01;34:ln=01;36:hl=44;37:pi=40;33:so=01;35:do=01;35:bd=40;33;01"..., "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bi
n:/sbin:/bin:/usr/X11R6/bin", "LANG=zh_TW.UTF-8",
"HOME=/home/<mask_info>", "DISPLAY=:0.0",
"XAUTHORITY=/home/<mask_info>/.Xauthority", "COLORTERM=gnome-terminal",
"SHELL=/bin/bash", "LOGNAME=root", "USER=root"
, "USERNAME=root", "SUDO_COMMAND=/usr/bin/strace -v -f -s 80 -o
debug.log unhide sys", "SUDO_USER=<mask_info>", "SUDO_UID=<mask_info>",
"SUDO_GID=<mask_info>"]) = 0
10181 brk(0)                            = 0x81b000
10181 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x7f1ea5a0e000
10181 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
10181 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x7f1ea5a0c000
10181 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
directory)
10181 open("/etc/ld.so.cache", O_RDONLY) = 3
10181 fstat(3, {st_dev=makedev(8, 6), st_ino=2049336, st_mode=S_IFREG|
0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=392,
st_size=196274, st_atime=2010/04/26-22:51:02, st_mtime=2010/04/26-22:5
1:01, st_ctime=2010/04/26-22:51:01}) = 0
10181 mmap(NULL, 196274, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f1ea59dc000
10181 close(3)                          = 0
10181 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
10181 open("/lib/libc.so.6", O_RDONLY)  = 3
10181 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\353\1
\0\0\0\0\0@\0\0\0\0\0\0\0\350\373\24\0\0\0\0\0\0\0\0\0@\0008\0\n\0@\0G
\0F\0\6\0\0\0\5\0\0\0@\0\0\0\0\0\0\0"..., 832) = 832
10181 fstat(3, {st_dev=makedev(8, 6), st_ino=17481941, st_mode=S_IFREG|
0755, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=2704,
st_size=1379752, st_atime=2010/04/26-22:37:10,
st_mtime=2010/02/08-01:31:38, st_ctime=2010/02/28-13:16:21}) = 0
10181 mmap(NULL, 3487784, PROT_READ|PROT_EXEC, MAP_PRIVATE|
MAP_DENYWRITE, 3, 0) = 0x7f1ea549f000
10181 mprotect(0x7f1ea55e9000, 2097152, PROT_NONE) = 0
10181 mmap(0x7f1ea57e9000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|
MAP_FIXED|MAP_DENYWRITE, 3, 0x14a000) = 0x7f1ea57e9000
10181 mmap(0x7f1ea57ee000, 18472, PROT_READ|PROT_WRITE, MAP_PRIVATE|
MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f1ea57ee000
10181 close(3)                          = 0
10181 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x7f1ea59db000
10181 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x7f1ea59da000
10181 arch_prctl(ARCH_SET_FS, 0x7f1ea59da6f0) = 0
10181 mprotect(0x7f1ea57e9000, 16384, PROT_READ) = 0
10181 mprotect(0x7f1ea5a0f000, 4096, PROT_READ) = 0
10181 munmap(0x7f1ea59dc000, 196274)    = 0
10181 getpid()                          = 10181
10181 rt_sigaction(SIGCHLD, {SIG_DFL, [CHLD], SA_RESTORER|SA_RESTART,
0x7f1ea54d0fc0}, {SIG_DFL, [], 0}, 8) = 0
10181 geteuid()                         = 0
10181 brk(0)                            = 0x81b000
10181 brk(0x83c000)                     = 0x83c000
10181 getppid()                         = 4548
10181 getcwd("/home/<mask_info>/package/gitroot/unhide/logs", 4096) = 46
10181 rt_sigaction(SIGINT, NULL, {SIG_DFL, [], 0}, 8) = 0
10181 rt_sigaction(SIGINT, {0x40f250, ~[RTMIN RT_1], SA_RESTORER,
0x7f1ea54d0fc0}, NULL, 8) = 0
10181 rt_sigaction(SIGQUIT, NULL, {SIG_DFL, [], 0}, 8) = 0
10181 rt_sigaction(SIGQUIT, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER,
0x7f1ea54d0fc0}, NULL, 8) = 0
10181 rt_sigaction(SIGTERM, NULL, {SIG_DFL, [], 0}, 8) = 0
10181 rt_sigaction(SIGTERM, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER,
0x7f1ea54d0fc0}, NULL, 8) = 0
10181 stat("/usr/local/sbin/ps", 0x7fffa0099970) = -1 ENOENT (No such
file or directory)
10181 stat("/usr/local/bin/ps", 0x7fffa0099970) = -1 ENOENT (No such
file or directory)
10181 stat("/usr/sbin/ps", 0x7fffa0099970) = -1 ENOENT (No such file or
directory)
10181 stat("/usr/bin/ps", 0x7fffa0099970) = -1 ENOENT (No such file or
directory)
10181 stat("/sbin/ps", 0x7fffa0099970)  = -1 ENOENT (No such file or
directory)
10181 stat("/bin/ps", {st_dev=makedev(8, 6), st_ino=19683058,
st_mode=S_IFREG|0755, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096,
st_blocks=208, st_size=99072, st_atime=2010/04/26-23:07:12,
st_mtime=2010/03/01-12:44:48, st_ctime=2010/04/25-23:06:40}) = 0
10181 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|
CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f1ea59da7c0) = 10182
10181 wait4(-1,  <unfinished ...>
10182 execve("/bin/ps", ["ps", "-eL", "o", "lwp"],
["SUDO_GID=<mask_info>", "USER=root", "HOME=/home/<mask_info>",
"COLORTERM=gnome-terminal", "SUDO_UID=<mask_info>", "LOGNAME=root",
"USERNAME=root", "TERM=xterm",
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin", "DISPLAY=:0.0", "LANG=zh_TW.UTF-8", "XAUTHORITY=/home/<mask_info>/.Xauthority", "LS_COLORS=rs=0:di=01;34:ln=01;36:hl=44;37:pi=40;33:so=01;35:do=01;35:bd=40;33;01"..., "SUDO_COMMAND=/usr/bin/strace -v -f -s 80 -o debug.log unhide sys", "SHELL=/bin/bash", "SUDO_USER=<mask_info>", "PWD=/home/<mask_info>/package/gitroot/unhide/logs"]) = 0
...
10182 write(1, "  LWP\n    1\n    2\n    3\n    4\n    5\n    6\n    7\n
8\n    9\n   10\n   11\n   12\n  "..., 1554) = 1554
10182 exit_group(0)                     = ?
10181 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0,
NULL) = 10182
10181 --- SIGCHLD (Child exited) @ 0 (0) ---
10181 exit_group(0)                     = ?
4548  <... read resumed> "  LWP\n    1\n    2\n    3\n    4\n    5\n
6\n    7\n    8\n    9\n   10\n   11\n   12\n  "..., 4096) = 1554
4548  --- SIGCHLD (Child exited) @ 0 (0) ---
4548  read(3, "", 4096)                 = 0
4548  close(3)                          = 0
4548  wait4(10181, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) =
10181
4548  munmap(0x7f54b7618000, 4096)      = 0
4548  sysinfo({uptime=64661, loads=[54816, 23904, 15008]
totalram=2110566400, freeram=21614592, sharedram=0, bufferram=135913472}
totalswap=2154979328, freeswap=2145746944, procs=256}) = 0
4548  write(1, "HIDDEN Processes Found: 1\n", 26) = 26
4548  exit_group(0)                     = ?

$ ls /bin/sh -al
lrwxrwxrwx 1 root root 4 2010-04-29 05:19 /bin/sh -> bash

$ sudo unhide sys
Unhide 20100201
http://www.security-projects.com/?Unhide


[*]Searching for Hidden processes through kill(..,0) scanning

[*]Searching for Hidden processes through  comparison of results of
system calls

[*]Searching for Hidden processes through getpriority() scanning

[*]Searching for Hidden processes through getpgid() scanning

[*]Searching for Hidden processes through getsid() scanning

[*]Searching for Hidden processes through sched_getaffinity() scanning

[*]Searching for Hidden processes through sched_getparam() scanning

[*]Searching for Hidden processes through sched_getscheduler() scanning

[*]Searching for Hidden processes through sched_rr_get_interval()
scanning

[*]Searching for Hidden processes through sysinfo() scanning


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=zh_TW.UTF-8, LC_CTYPE=zh_TW.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

unhide depends on no packages.

unhide recommends no packages.

Versions of packages unhide suggests:
ii  rkhunter                      1.3.6-4    rootkit, backdoor, sniffer
and exp

-- no debconf information





