About Unhide.rb

Yago Jesus yjesus at security-projects.com
Sun Oct 23 17:59:00 UTC 2011


Hi Julian (and all Debian Forensics team)

First, I want to thank you for your quick response.

I like the new description but, I have a doubt.

Why 10 times faster? Who made this test? Is it always 10x faster? Is it
in both 32- and 64-bit environments?

I agree Unhide.rb is faster (due to the less deep tests) but I don't
know exactly how much.

Moreover, if you want to highlight this feature, I think it is also fair
to highlight the question of static binaries vs. the non-static Ruby
binary.

From a security point of view, I think the fact that Unhide should be
compiled and shipped in static mode makes Unhide immune to the most
popular rootkits (based on LD_PRELOAD). On the other hand, Unhide.rb,
due to its Ruby dependency, could be compromised. So, yes, Unhide is
more secure than Unhide.rb.

I understand your perspective about reporting. Unhide.rb is more
compact, but I think what matters more is finding the exact hidden
command (and in some scenarios, the path where the rogue binary lives).
But it is subjective.

2011/10/23 Julien Valroff <julien at debian.org>:
> Hi Yago,
>
> On Saturday 22 Oct. 2011 at 18:53:35 (+0200 CEST), Yago Jesus wrote:
>> Hi,
>>
>> I am writing you because you are shown as maintainer of Unhide.rb in
>> Debian.
>
> That's right, but I maintain it within a packaging team called Debian
> Forensics, and we also take care of Unhide.
>
>> I'm the author of Unhide (the original project
>> http://www.unhide-forensics.info) and I think the current description
>> of Unhide.rb is wrong, makes false assumptions and gives users
>> untruthful information.
>>
>> It is also false that Unhide.rb makes the same tests as Unhide sys /
>> proc, and it is false that it makes better reports too.
>
> Well, according to my experience, it is not always the case.
>
> unhide output:
>    HIDDEN Processes Found: 1       sysinfo.procs = 351   ps_count = 353
>
> unhide.rb output:
>    Scanning for hidden processes...
>    ps and sysinfo() process count mismatch:
>      ps: 353 processes
>      sysinfo(): 352 processes
>    Suspicious PID 17923:
>      Not seen by ps
>      Seen by /proc
>      Seen by /proc tasks
>      Seen by getsid()
>      Seen by getpgid()
>      Seen by getpriority()
>      Seen by sched_getparam()
>      Seen by sched_getaffinity()
>      Seen by sched_getscheduler()
>      Seen by sched_rr_get_interval()
>
> In that particular case, unhide.rb output is more helpful but I agree that
> might not always be the case.
>
>> You can see a mail that I have sent to RKhunter's list where I give my
>> explanations in depth about this
>> https://sourceforge.net/mailarchive/forum.php?thread_name=CAMy7eXy8WFop-x4Ei7%2BtYjoy7_o5UDSfBSx59RB0Vj0tZ8Hp4Q%40mail.gmail.com&forum_name=rkhunter-users
>>
>> I think the real description should be: a lite reimplementation, less
>> secure by design, less accurate version of Unhide.
>
> While I do understand your point, I don't think this description would
> add valuable information to the user.
>
> The goal of the package descriptions is to be as objective as possible so
> that sysadmins can make their own choice.
>
> I would propose to amend the unhide.rb package description as follows,
> inspired by the description found on freshmeat [0]:
>  Unhide.rb is a forensic tool to find processes hidden by rootkits.
>  .
>  It looks for active processes in many different ways. Processes found by
>  some means but not others are considered to be "hidden", and are reported
>  to the user.
>  .
>  Unhide.rb is a tentative rewrite in Ruby of the original Unhide, which
>  is written in C. While being 10 times faster, it does not implement all the
>  diagnostics implemented in the original version.
>  .
>  This package can be used by rkhunter in its daily scans.
>
> I have tried not to mention Unhide too much, and remain as objective as
> possible.
>
> What do you think of it?
>
> Cheers,
> Julien
>
> [0] http://freshmeat.net/projects/unhiderb
>
> --
>  .''`.   Julien Valroff ~ <julien at kirya.net> ~ <julien at debian.org>
>  : :'  :  Debian Developer & Free software contributor
>  `. `'`   http://www.kirya.net/
>   `-     4096R/ E1D8 5796 8214 4687 E416  948C 859F EF67 258E 26B1
>

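As an added illustration of the technique both tools rely on (this is example code written for this page, not Unhide's or Unhide.rb's source): every PID in a range is probed with the syscalls named in the unhide.rb output quoted above (getsid(), getpgid(), getpriority(), sched_getscheduler()), and a PID that those syscalls accept but that readdir() on /proc does not list is reported as hidden. The scan bound MAX_PID_SCAN, the function names, and the re-check on a hit are this example's own choices and are not taken from either project.

```c
/* Added example, not Unhide's or Unhide.rb's own code: brute-force PID
 * probing of the kind the thread discusses. Each PID below MAX_PID_SCAN
 * is probed with syscalls that fail with ESRCH only when the process does
 * not exist; a PID they accept but /proc does not list is reported as
 * hidden. Linux only; assumes /proc is mounted and readable. */
#include <dirent.h>
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption for this example: only PIDs below this bound are scanned.
 * A real tool reads /proc/sys/kernel/pid_max, which may be far larger. */
#define MAX_PID_SCAN 65536

enum {
    SEEN_GETSID      = 1 << 0,
    SEEN_GETPGID     = 1 << 1,
    SEEN_GETPRIORITY = 1 << 2,
    SEEN_SCHED       = 1 << 3,
    SEEN_ALL         = 0xF
};

/* A probe counts as "seen" unless it fails with ESRCH: EPERM still proves
 * the PID exists. getpriority() may legitimately return -1, so errno is
 * reset before every call and is the only thing inspected. */
int probe_pid(pid_t pid)
{
    int seen = 0;
    errno = 0; getsid(pid);                    if (errno != ESRCH) seen |= SEEN_GETSID;
    errno = 0; getpgid(pid);                   if (errno != ESRCH) seen |= SEEN_GETPGID;
    errno = 0; getpriority(PRIO_PROCESS, pid); if (errno != ESRCH) seen |= SEEN_GETPRIORITY;
    errno = 0; sched_getscheduler(pid);        if (errno != ESRCH) seen |= SEEN_SCHED;
    return seen;
}

/* Mark every numeric directory entry of dirpath in the visible set. */
static void add_numeric_entries(const char *dirpath, unsigned char *visible)
{
    DIR *d = opendir(dirpath);
    struct dirent *e;
    if (!d) return;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long id = strtol(e->d_name, &end, 10);
        if (end == e->d_name || *end != '\0') continue;   /* ".", "self", ... */
        if (id > 0 && id < MAX_PID_SCAN) visible[id] = 1;
    }
    closedir(d);
}

/* Build the set of IDs /proc admits to: top-level PIDs plus the TIDs under
 * /proc/<pid>/task. Thread IDs answer to all four probes but are not listed
 * at the top level, so without this step every thread of every
 * multithreaded process would be reported as hidden. */
void collect_proc_visible(unsigned char *visible)
{
    memset(visible, 0, MAX_PID_SCAN);
    add_numeric_entries("/proc", visible);
    for (long pid = 1; pid < MAX_PID_SCAN; pid++) {
        char path[64];
        if (!visible[pid]) continue;
        snprintf(path, sizeof path, "/proc/%ld/task", pid);
        add_numeric_entries(path, visible);
    }
}

/* Verdict for one PID against a visible set: the probe bits when some
 * syscall sees the PID but /proc does not list it, else 0. */
int hidden_flags(const unsigned char *visible, pid_t pid)
{
    if (pid <= 0 || pid >= MAX_PID_SCAN || visible[pid]) return 0;
    return probe_pid(pid);
}

/* Convenience check: does the current /proc listing contain this ID? */
int proc_lists_id(pid_t id)
{
    static unsigned char visible[MAX_PID_SCAN];
    collect_proc_visible(visible);
    return id > 0 && id < MAX_PID_SCAN && visible[id];
}

/* Scan the whole range. A process created between the listing and the
 * probe would look hidden, so a hit is confirmed against a fresh listing
 * before it is counted. Returns the number of hidden PIDs. */
int find_hidden(void (*report)(pid_t, int))
{
    static unsigned char visible[MAX_PID_SCAN];
    int count = 0;
    collect_proc_visible(visible);
    for (pid_t pid = 1; pid < MAX_PID_SCAN; pid++) {
        int flags = hidden_flags(visible, pid);
        if (!flags) continue;
        collect_proc_visible(visible);
        if (visible[pid]) continue;            /* race: new process, not hidden */
        count++;
        if (report) report(pid, flags);
    }
    return count;
}

static void print_hit(pid_t pid, int flags)
{
    printf("Hidden PID %d: not listed in /proc, seen by%s%s%s%s\n", (int)pid,
           flags & SEEN_GETSID      ? " getsid()" : "",
           flags & SEEN_GETPGID     ? " getpgid()" : "",
           flags & SEEN_GETPRIORITY ? " getpriority()" : "",
           flags & SEEN_SCHED       ? " sched_getscheduler()" : "");
}

int main(void)
{
    int n = find_hidden(print_hit);
    printf("HIDDEN processes found: %d\n", n);
    return n ? 1 : 0;
}
```

Build with `gcc -Wall -o pidscan pidscan.c`. For the static-linking point raised in the message above, `gcc -static` produces a binary the dynamic loader never touches, so an LD_PRELOAD library cannot interpose readdir() or the libc wrappers of the four probes; a scanner that runs under an interpreter has no such option. Two caveats the code handles: thread IDs answer to all four probes but appear only under /proc/<pid>/task, so they must be collected too (the "Seen by /proc tasks" line in the quoted unhide.rb output is the same check), and a process that appears between the /proc listing and the probe is new rather than hidden, which is what the second listing on a hit filters out.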

