About Unhide.rb

Julien Valroff julien at debian.org
Sun Oct 23 07:56:07 UTC 2011

Hi Yago,

On Saturday 22 Oct. 2011 at 18:53:35 (+0200 CEST), Yago Jesus wrote:
> Hi,
> I am writing to you because you are shown as maintainer of Unhide.rb in
> Debian.

That's right, but I maintain it within a packaging team called Debian
Forensics, and we also take care of Unhide.

> I'm the author of Unhide (the original project
> http://www.unhide-forensics.info) and I think the current description
> of Unhide.rb is wrong, makes false assumptions and gives users
> untruthful information.
> It is also false that Unhide.rb makes the same tests as Unhide sys /
> proc, and it is false that it makes better reports too.

Well, according to my experience, it is not always the case.

unhide output:
    HIDDEN Processes Found: 1       sysinfo.procs = 351   ps_count = 353

unhide.rb output:
    Scanning for hidden processes...
    ps and sysinfo() process count mismatch:
      ps: 353 processes
      sysinfo(): 352 processes
    Suspicious PID 17923:
      Not seen by ps
      Seen by /proc
      Seen by /proc tasks
      Seen by getsid()
      Seen by getpgid()
      Seen by getpriority()
      Seen by sched_getparam()
      Seen by sched_getaffinity()
      Seen by sched_getscheduler()
      Seen by sched_rr_get_interval()

In that particular case, unhide.rb output is more helpful but I agree that
might not always be the case.

> You can see a mail that I have sent to RKhunter's list where I give my
> explanations in depth about this
> https://sourceforge.net/mailarchive/forum.php?thread_name=CAMy7eXy8WFop-x4Ei7%2BtYjoy7_o5UDSfBSx59RB0Vj0tZ8Hp4Q%40mail.gmail.com&forum_name=rkhunter-users
> I think the real description should be: a lite reimplementation, less
> secure by design, less accurate version of Unhide.

While I do understand your point, I don't think this description would
add valuable information to the user.

The goal of the package descriptions is to be as objective as possible so
that sysadmins can make their own choice. 

I would propose to amend the unhide.rb package description as follows,
inspired by the description found on freshmeat [0]:
 Unhide.rb is a forensic tool to find processes hidden by rootkits.
 It looks for active processes in many different ways. Processes found by
 some means but not others are considered to be "hidden", and are reported
 to the user. 
 Unhide.rb is a tentative of rewrite in Ruby of the original Unhide, which
 is written in C. While being 10 times faster, it does not implement all the
 diagnostics implemented in the original version.
 This package can be used by rkhunter in its daily scans.

I have tried not to mention Unhide too much, and remain as objective as

What do you think of it?


[0] http://freshmeat.net/projects/unhiderb

  .''`.   Julien Valroff ~ <julien at kirya.net> ~ <julien at debian.org>    
 : :'  :  Debian Developer & Free software contributor
 `. `'`   http://www.kirya.net/
   `-     4096R/ E1D8 5796 8214 4687 E416  948C 859F EF67 258E 26B1
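
The cross-view comparison that the tool output quoted in this message reports (a PID seen by some enumeration methods but not by others), as an added Ruby example; it is not part of the original e-mail and is not code from unhide.rb or Unhide. The function names, the choice of four views, and the sample task IDs other than 17923 are assumptions made for illustration.

```ruby
require "set"

# A "view" is one way of asking the kernel which task IDs exist. IDs present
# in some views but absent from others are returned for follow-up.
def cross_view(views)
  all_ids = views.values.reduce(Set.new) { |acc, ids| acc | ids }
  all_ids.sort.each_with_object({}) do |id, report|
    missing = views.keys.reject { |name| views[name].include?(id) }
    next if missing.empty?
    report[id] = { seen_by: views.keys - missing, not_seen_by: missing }
  end
end

# Keep only IDs that disagree in two consecutive passes, so tasks that start
# or exit mid-scan (including the ps helper itself) are not reported.
def stable_findings(first, second)
  earlier = cross_view(first)
  cross_view(second).select { |id, _| earlier.key?(id) }
end

# Probe every possible ID with a syscall wrapper: ESRCH means "no such task",
# EPERM means the task exists but this user may not query it.
def probe(max_id)
  (1..max_id).select do |id|
    begin
      yield id
      true
    rescue Errno::EPERM
      true
    rescue Errno::ESRCH
      false
    end
  end.to_set
end

# Live views on Linux, all at thread granularity so they are comparable.
def live_views
  max_id = File.read("/proc/sys/kernel/pid_max").to_i
  tasks = Dir.glob("/proc/[0-9]*/task/[0-9]*").map { |p| File.basename(p).to_i }
  { "ps" => `ps -eL -o lwp=`.split.map(&:to_i).to_set,
    "/proc tasks" => tasks.to_set,
    "getsid()" => probe(max_id) { |id| Process.getsid(id) },
    "getpgid()" => probe(max_id) { |id| Process.getpgid(id) } }
end

# Constructed sample: 17923 (the PID in the quoted output) is missing from ps.
SAMPLE = { "ps" => Set[1, 412, 998] }
["/proc tasks", "getsid()", "getpgid()"].each { |v| SAMPLE[v] = Set[1, 412, 998, 17923] }
a, b = ARGV.include?("--live") ? [live_views, live_views] : [SAMPLE, SAMPLE]
stable_findings(a, b).each { |id, r| puts "Suspicious PID #{id}: not seen by #{r[:not_seen_by].join(', ')}" }
```

Without arguments the script runs on the constructed sample; with `--live` it scans the local Linux host, and a finding there still needs manual confirmation because PID reuse or a long-running race can survive two passes.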
