Author Topic: [solved]  Assessment of unhide result  (Read 551 times)


[solved] Assessment of unhide result
« on: 10.10.2020, 14:17:47 »
Good day

I ran sudo unhide brute -d several times on my PC. It would be nice if someone could please give me an assessment of the results. The results of the runs differ: sometimes it finds HIDDEN PIDs, then again nothing at all. What should/can I make of this, please?
(I could also supply a run of chkrootkit)

First, my PC:
System:    Kernel: 5.4.0-48-generic x86_64 bits: 64 compiler: gcc v: 9.3.0 Desktop: MATE 1.24.0
           wm: marco dm: LightDM Distro: Linux Mint 20 Ulyana base: Ubuntu 20.04 focal
Machine:   Type: Desktop Mobo: MSI model: A78M-E35 (MS-7721) v: 6.0 serial: <filter>
           BIOS: American Megatrends v: 30.3 date: 03/14/2014
CPU:       Topology: Dual Core model: AMD A4-5300 APU with Radeon HD Graphics bits: 64 type: MCP
           arch: Piledriver rev: 1 L2 cache: 1024 KiB
           flags: avx lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm bogomips: 13575
           Speed: 3593 MHz min/max: 1400/3400 MHz Core speeds (MHz): 1: 3580 2: 2987
Graphics:  Device-1: NVIDIA GK208B [GeForce GT 710] vendor: Gigabyte driver: nouveau v: kernel
           bus ID: 01:00.0 chip ID: 10de:128b
           Display: x11 server: X.Org 1.20.8 driver: modesetting unloaded: fbdev,vesa
           compositor: marco resolution: 1920x1080~60Hz
           OpenGL: renderer: NV106 v: 4.3 Mesa 20.0.8 direct render: Yes
Audio:     Device-1: AMD FCH Azalia vendor: Micro-Star MSI driver: snd_hda_intel v: kernel
           bus ID: 00:14.2 chip ID: 1022:780d
           Device-2: NVIDIA GK208 HDMI/DP Audio vendor: Gigabyte driver: snd_hda_intel v: kernel
           bus ID: 01:00.1 chip ID: 10de:0e0f
           Sound Server: ALSA v: k5.4.0-48-generic
Network:   Device-1: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet vendor: Micro-Star MSI
           driver: r8169 v: kernel port: d000 bus ID: 02:00.0 chip ID: 10ec:8168
           IF: enp2s0 state: up speed: 1000 Mbps duplex: full mac: <filter>
Drives:    Local Storage: total: 1.13 TiB used: 13.01 GiB (1.1%)
           ID-1: /dev/sda vendor: Crucial model: CT240BX500SSD1 size: 223.57 GiB speed: 6.0 Gb/s
           serial: <filter>
           ID-2: /dev/sdb vendor: Seagate model: ST1000DM003-1CH162 size: 931.51 GiB
           speed: 6.0 Gb/s serial: <filter>
Partition: ID-1: / size: 45.58 GiB used: 10.98 GiB (24.1%) fs: ext4 dev: /dev/sda6
           ID-2: /boot size: 4.63 GiB used: 220.7 MiB (4.6%) fs: ext4 dev: /dev/sda1
           ID-3: /home size: 45.58 GiB used: 1.81 GiB (4.0%) fs: ext4 dev: /dev/sda7
           ID-4: swap-1 size: 4.77 GiB used: 7.2 MiB (0.1%) fs: swap dev: /dev/sda5
USB:       Hub: 1-0:1 info: Full speed (or root) Hub ports: 5 rev: 2.0 chip ID: 1d6b:0002
           Hub: 2-0:1 info: Full speed (or root) Hub ports: 5 rev: 2.0 chip ID: 1d6b:0002
           Hub: 3-0:1 info: Full speed (or root) Hub ports: 5 rev: 1.1 chip ID: 1d6b:0001
           Hub: 4-0:1 info: Full speed (or root) Hub ports: 5 rev: 1.1 chip ID: 1d6b:0001
           Device-1: 4-1:2 info: Logitech M105 Optical Mouse type: Mouse
           driver: hid-generic,usbhid rev: 2.0 chip ID: 046d:c077
           Hub: 5-0:1 info: Full speed (or root) Hub ports: 2 rev: 1.1 chip ID: 1d6b:0001
           Hub: 6-0:1 info: Full speed (or root) Hub ports: 2 rev: 2.0 chip ID: 1d6b:0002
           Hub: 7-0:1 info: Full speed (or root) Hub ports: 2 rev: 3.0 chip ID: 1d6b:0003
           Hub: 8-0:1 info: Full speed (or root) Hub ports: 2 rev: 2.0 chip ID: 1d6b:0002
           Hub: 9-0:1 info: Full speed (or root) Hub ports: 2 rev: 3.0 chip ID: 1d6b:0003
Sensors:   System Temperatures: cpu: 25.2 C mobo: N/A gpu: nouveau temp: 40 C
           Fan Speeds (RPM): N/A gpu: nouveau fan: 2460
Repos:     No active apt repos in: /etc/apt/sources.list
           Active apt repos in: /etc/apt/sources.list.d/official-package-repositories.list
           1: deb http: //ftp-stud.hs-esslingen.de/pub/Mirrors/packages.linuxmint.com ulyana main upstream import backport
           2: deb http: //ftp-stud.hs-esslingen.de/ubuntu focal main restricted universe multiverse
           3: deb http: //ftp-stud.hs-esslingen.de/ubuntu focal-updates main restricted universe multiverse
           4: deb http: //ftp-stud.hs-esslingen.de/ubuntu focal-backports main restricted universe multiverse
           5: deb http: //security.ubuntu.com/ubuntu/ focal-security main restricted universe multiverse
           6: deb http: //archive.canonical.com/ubuntu/ focal partner
Info:      Processes: 184 Uptime: 4h 30m Memory: 3.85 GiB used: 1.42 GiB (36.9%) Init: systemd
           v: 245 runlevel: 5 Compilers: gcc: 9.3.0 alt: 9 Client: Unknown python3.8 client
           inxi: 3.0.38


The unhide runs:
xxxx@xxxx-xx-xxxx:~$ sudo unhide brute -d
[sudo] password for xxxx:
Unhide 20130526
Copyright © 2013 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info

NOTE : This version of unhide is for systems using Linux >= 2.6

Used options: brutesimplecheck
Starting scanning using brute force against PIDS with fork()

Found HIDDEN PID: 2220593
   Cmdline: "<none>"
   Executable: "<no link>"
   "<none>  ... maybe a transitory process"

Starting scanning using brute force against PIDS with pthread functions



xxxx@xxxx-xx-xxxx:~$ sudo unhide brute -d
Unhide 20130526
Copyright © 2013 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info

NOTE : This version of unhide is for systems using Linux >= 2.6

Used options: brutesimplecheck
Starting scanning using brute force against PIDS with fork()

Found HIDDEN PID: 241785
   Cmdline: "<none>"
   Executable: "<no link>"
   "<none>  ... maybe a transitory process"

Found HIDDEN PID: 241936
   Cmdline: "<none>"
   Executable: "<no link>"
   "<none>  ... maybe a transitory process"

Found HIDDEN PID: 1397743
   Cmdline: "<none>"
   Executable: "<no link>"
   "<none>  ... maybe a transitory process"

Starting scanning using brute force against PIDS with pthread functions

Found HIDDEN PID: 199484
   Cmdline: "<none>"
   Executable: "<no link>"
   "<none>  ... maybe a transitory process"

xxxx@xxxx-xx-xxxx:~$


xxxx@xxxx-xx-xxxx:~$ sudo unhide -d
[sudo] password for xxxx:
Unhide 20130526
Copyright © 2013 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info

NOTE : This version of unhide is for systems using Linux >= 2.6

Used options: brutesimplecheck
xxxx@xxxx-xx-xxxx:~$ sudo unhide brute -d
Unhide 20130526
Copyright © 2013 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info

NOTE : This version of unhide is for systems using Linux >= 2.6

Used options: brutesimplecheck
Starting scanning using brute force against PIDS with fork()

Starting scanning using brute force against PIDS with pthread functions

xxxx@xxxx-xx-xxxx:~$
Many thanks
allerich



[MOD: Code blocks added. Please do not format in bold but as a code block (#).]
« Last edit: 04.12.2020, 18:23:12 by allerich »

thebookkeeper

  • aka AnanasDampf
Re: Assessment of unhide result
« Reply #1 on: 03.12.2020, 01:26:33 »
Better use the standard command; then you won't get false positives:
thebookkeeper@Dell-DV051:~$ sudo unhide sys proc
Unhide 20130526
Copyright © 2013 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info

NOTE : This version of unhide is for systems using Linux >= 2.6

Used options:
[*]Searching for Hidden processes through /proc stat scanning

[*]Searching for Hidden processes through getpriority() scanning

[*]Searching for Hidden processes through getpgid() scanning

[*]Searching for Hidden processes through getsid() scanning

[*]Searching for Hidden processes through sched_getaffinity() scanning

[*]Searching for Hidden processes through sched_getparam() scanning

[*]Searching for Hidden processes through sched_getscheduler() scanning

[*]Searching for Hidden processes through sched_rr_get_interval() scanning

[*]Searching for Hidden processes through kill(..,0) scanning

[*]Searching for Hidden processes through  comparison of results of system calls

thebookkeeper@Dell-DV051:~$
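
The following script is an added example written for this thread; it is not code from the original posts and not part of the unhide project. It implements the comparison that reply #1's `unhide sys proc` output lists (PIDs seen by listing /proc versus PIDs that answer kill(..,0) and getpgid()), and it re-checks every candidate so that the two usual false positives of the original poster's `unhide brute -d` runs are filtered out: threads, which answer syscalls but are never listed in /proc, and processes that exited between the listing and the probe ("maybe a transitory process"). All function names, the re-check delay and the `selfcheck()` cases are this example's own choices.

```python
"""Hidden-process check along the lines of `unhide sys` / `unhide proc`.

Added example, not code from the forum thread or from the unhide project.
PIDs that a listing of /proc shows (what ps and top see) are compared with
the PIDs the kernel admits to when asked directly via kill(pid, 0) and
getpgid().  Every candidate is then re-checked so that the two usual false
positives of a brute-force scan are filtered out: threads (they answer
syscalls but are never listed in /proc) and processes that exited between
the listing and the probe ("transitory").  Run it as root, as unhide is:
with /proc mounted hidepid=2 an unprivileged user would see other users'
processes as "hidden".
"""
import os
import threading
import time

PROC = "/proc"


def listed_pids():
    """PIDs a readdir of /proc returns, i.e. what ps and top would show."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}


def answers_syscalls(pid):
    """True if the kernel knows this PID.  kill(pid, 0) delivers no signal,
    it only checks existence; EPERM means "exists, not ours" and counts.
    getpgid() is a second, independent oracle of the same kind."""
    for probe in (lambda p: os.kill(p, 0), os.getpgid):
        try:
            probe(pid)
            return True
        except PermissionError:
            return True
        except ProcessLookupError:
            continue
    return False


def thread_group_of(pid):
    """Tgid from /proc/<pid>/status, or None if unreadable.  /proc/<tid> is
    not listed by readdir but is reachable by path, which is how a thread
    is told apart from a process hidden by a rootkit."""
    try:
        with open(f"{PROC}/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None


def classify(pid, visible=None, recheck_delay=0.2):
    """One of: visible, dead, thread, transitory, hidden."""
    visible = listed_pids() if visible is None else visible
    if pid in visible:
        return "visible"
    if not answers_syscalls(pid):
        return "dead"
    tgid = thread_group_of(pid)
    if tgid is not None and tgid != pid:
        return "thread"
    # Candidate: answers syscalls but is not listed.  Look again after a
    # pause so a process that merely exited, or was spawned, between the
    # listing and the probe is not reported as hidden.
    time.sleep(recheck_delay)
    if not answers_syscalls(pid):
        return "transitory"
    if pid in listed_pids():
        return "visible"
    return "hidden"


def scan(max_pid=None, recheck_delay=0.2):
    """Probe every PID up to pid_max and return the ones classified hidden."""
    if max_pid is None:
        with open(f"{PROC}/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    visible = listed_pids()
    return [pid for pid in range(1, max_pid + 1)
            if pid not in visible and answers_syscalls(pid)
            and classify(pid, visible, recheck_delay) == "hidden"]


def selfcheck():
    """Classifier on three known cases: own PID, a reaped child, a thread."""
    child = os.fork()
    if child == 0:
        os._exit(0)
    os.waitpid(child, 0)                    # reaped: the kernel forgot it
    parked = threading.Event()
    worker = threading.Thread(target=parked.wait)
    worker.start()
    verdicts = {"self": classify(os.getpid()),
                "reaped_child": classify(child),
                "thread": classify(worker.native_id)}
    parked.set()
    worker.join()
    return verdicts


if __name__ == "__main__":
    for pid in scan():
        print(f"Found HIDDEN PID: {pid}  (tgid: {thread_group_of(pid)})")
```

Run it with sudo, as unhide is run. The "thread" verdict in `selfcheck()` is exactly the case a plain brute-force probe reports as a hidden PID: the thread ID answers kill(..,0) but never appears in a listing of /proc, and only reading /proc/<tid>/status by path reveals its Tgid. A genuinely hidden process is one that still answers syscalls on the second look, is still absent from the listing, and is not a thread of a listed process; the kernel's pid_max (4194304 on this kind of system, which is why the PIDs in the brute runs above are so large) sets the scan range.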

Re: Assessment of unhide result
« Reply #2 on: 04.12.2020, 18:18:16 »
Hello
Thanks for the hint; it prompted me to read up on unhide more carefully again. Until now I thought the parameter brute -d was the 'best' search parameter here. Thanks for the correction!!!
Regards allerich
 

Re: [solved] Assessment of unhide result
« Reply #3 on: 04.12.2020, 18:21:25 »
Regards allerich