What is - 33 process hidden for ps command

Discussion in 'General Discussion' started by xphost, Sep 16, 2004.

  1. xphost

    xphost Well-Known Member

    Joined:
    Nov 12, 2003
    Messages:
    76
    Likes Received:
    0
    Trophy Points:
    6
    Why so many hidden processes?

    system RH9.0 + WHM last current

    root@serv1 [/chkrootkit-0.44]# ./chkrootkit -x lkm
    ROOTDIR is `/'
    ###
    ### Output of: ./chkproc -v -v -p 1
    ###
    PID 6593: not in ps output
    CWD 6593: /usr/local/cpanel/var/run/stunnel
    EXE 6593: /usr/bin/stunnel-4.04local
    PID 15794: not in ps output
    CWD 15794: /var/named
    EXE 15794: /usr/sbin/named
    PID 15797: not in ps output
    CWD 15797: /var/named
    EXE 15797: /usr/sbin/named
    PID 15798: not in ps output
    CWD 15798: /var/named
    EXE 15798: /usr/sbin/named
    PID 15799: not in ps output
    CWD 15799: /var/named
    EXE 15799: /usr/sbin/named
    PID 15910: not in ps output
    CWD 15910: /var/lib/mysql
    EXE 15910: /usr/sbin/mysqld
    PID 15911: not in ps output
    CWD 15911: /var/lib/mysql
    EXE 15911: /usr/sbin/mysqld
    PID 15912: not in ps output
    CWD 15912: /var/lib/mysql
    EXE 15912: /usr/sbin/mysqld
    PID 15913: not in ps output
    CWD 15913: /var/lib/mysql
    EXE 15913: /usr/sbin/mysqld
    PID 15914: not in ps output
    CWD 15914: /var/lib/mysql
    EXE 15914: /usr/sbin/mysqld
    PID 15923: not in ps output
    CWD 15923: /var/lib/mysql
    EXE 15923: /usr/sbin/mysqld
    PID 15924: not in ps output
    CWD 15924: /var/lib/mysql
    EXE 15924: /usr/sbin/mysqld
    PID 15925: not in ps output
    CWD 15925: /var/lib/mysql
    EXE 15925: /usr/sbin/mysqld
    PID 15926: not in ps output
    CWD 15926: /var/lib/mysql
    EXE 15926: /usr/sbin/mysqld
    PID 15927: not in ps output
    CWD 15927: /var/lib/mysql
    EXE 15927: /usr/sbin/mysqld
    PID 15928: not in ps output
    CWD 15928: /var/lib/mysql
    EXE 15928: /usr/sbin/mysqld
    PID 15929: not in ps output
    CWD 15929: /var/lib/mysql
    EXE 15929: /usr/sbin/mysqld
    PID 15930: not in ps output
    CWD 15930: /var/lib/mysql
    EXE 15930: /usr/sbin/mysqld
    PID 15931: not in ps output
    CWD 15931: /var/lib/mysql
    EXE 15931: /usr/sbin/mysqld
    PID 15936: not in ps output
    CWD 15936: /var/lib/mysql
    EXE 15936: /usr/sbin/mysqld
    PID 15937: not in ps output
    CWD 15937: /var/lib/mysql
    EXE 15937: /usr/sbin/mysqld
    PID 16145: not in ps output
    CWD 16145: /var/lib/mysql
    EXE 16145: /usr/sbin/mysqld
    PID 16399: not in ps output
    CWD 16399: /var/lib/mysql
    EXE 16399: /usr/sbin/mysqld
    PID 16620: not in ps output
    CWD 16620: /var/lib/mysql
    EXE 16620: /usr/sbin/mysqld
    PID 16648: not in ps output
    CWD 16648: /var/lib/mysql
    EXE 16648: /usr/sbin/mysqld
    PID 16884: not in ps output
    CWD 16884: /var/lib/mysql
    EXE 16884: /usr/sbin/mysqld
    PID 16946: not in ps output
    CWD 16946: /var/lib/mysql
    EXE 16946: /usr/sbin/mysqld
    PID 16964: not in ps output
    CWD 16964: /var/lib/mysql
    EXE 16964: /usr/sbin/mysqld
    PID 16965: not in ps output
    CWD 16965: /var/lib/mysql
    EXE 16965: /usr/sbin/mysqld
    PID 17922: not in ps output
    CWD 17922: /var/lib/mysql
    EXE 17922: /usr/sbin/mysqld
    PID 18015: not in ps output
    CWD 18015: /var/lib/mysql
    EXE 18015: /usr/sbin/mysqld
    PID 18118: not in ps output
    CWD 18118: /var/lib/mysql
    EXE 18118: /usr/sbin/mysqld
    PID 18193: not in ps output
    CWD 18193: /var/lib/mysql
    EXE 18193: /usr/sbin/mysqld
    You have 33 process hidden for ps command
     
    #1 xphost, Sep 16, 2004
    Last edited: Sep 16, 2004
  2. xphost

    On my other RH9 server, chkrootkit-0.44 found 52 hidden processes:

    Checking `lkm'... You have 52 process hidden for ps command
    Warning: Possible LKM Trojan installed

    root@serv3 [/chkrootkit-0.44]# ./chkrootkit -x lkm
    ROOTDIR is `/'
    ###
    ### Output of: ./chkproc -v -v -p 1
    ###
    726 is a Linux Thread, marking as such...
    727 is a Linux Thread, marking as such...
    728 is a Linux Thread, marking as such...
    PID 17957: not in ps output
    CWD 17957: /var/lib/mysql
    EXE 17957: /usr/sbin/mysqld
    PID 17958: not in ps output
    CWD 17958: /var/lib/mysql
    EXE 17958: /usr/sbin/mysqld
    PID 17960: not in ps output
    CWD 17960: /var/lib/mysql
    EXE 17960: /usr/sbin/mysqld
    PID 17961: not in ps output
    CWD 17961: /var/lib/mysql
    EXE 17961: /usr/sbin/mysqld
    PID 17963: not in ps output
    CWD 17963: /var/lib/mysql
    EXE 17963: /usr/sbin/mysqld
    PID 17964: not in ps output
    CWD 17964: /var/lib/mysql
    EXE 17964: /usr/sbin/mysqld
    PID 17967: not in ps output
    CWD 17967: /var/lib/mysql
    EXE 17967: /usr/sbin/mysqld
    PID 18012: not in ps output
    CWD 18012: /var/lib/mysql
    EXE 18012: /usr/sbin/mysqld
    PID 18051: not in ps output
    CWD 18051: /var/lib/mysql
    EXE 18051: /usr/sbin/mysqld
    PID 18054: not in ps output
    CWD 18054: /var/lib/mysql
    EXE 18054: /usr/sbin/mysqld
    PID 18120: not in ps output
    CWD 18120: /var/lib/mysql
    EXE 18120: /usr/sbin/mysqld
    PID 18280: not in ps output
    CWD 18280: /var/lib/mysql
    EXE 18280: /usr/sbin/mysqld
    PID 18300: not in ps output
    CWD 18300: /var/lib/mysql
    EXE 18300: /usr/sbin/mysqld
    PID 18392: not in ps output
    CWD 18392: /var/lib/mysql
    EXE 18392: /usr/sbin/mysqld
    PID 18404: not in ps output
    CWD 18404: /var/lib/mysql
    EXE 18404: /usr/sbin/mysqld
    PID 18405: not in ps output
    CWD 18405: /var/lib/mysql
    EXE 18405: /usr/sbin/mysqld
    PID 18442: not in ps output
    CWD 18442: /var/lib/mysql
    EXE 18442: /usr/sbin/mysqld
    PID 18587: not in ps output
    CWD 18587: /var/lib/mysql
    EXE 18587: /usr/sbin/mysqld
    PID 18588: not in ps output
    CWD 18588: /var/lib/mysql
    EXE 18588: /usr/sbin/mysqld
    PID 18589: not in ps output
    CWD 18589: /var/lib/mysql
    EXE 18589: /usr/sbin/mysqld
    PID 18590: not in ps output
    CWD 18590: /var/lib/mysql
    EXE 18590: /usr/sbin/mysqld
    PID 18591: not in ps output
    CWD 18591: /var/lib/mysql
    EXE 18591: /usr/sbin/mysqld
    PID 18785: not in ps output
    CWD 18785: /var/lib/mysql
    EXE 18785: /usr/sbin/mysqld
    PID 19170: not in ps output
    CWD 19170: /var/lib/mysql
    EXE 19170: /usr/sbin/mysqld
    PID 19171: not in ps output
    CWD 19171: /var/lib/mysql
    EXE 19171: /usr/sbin/mysqld
    PID 19172: not in ps output
    CWD 19172: /var/lib/mysql
    EXE 19172: /usr/sbin/mysqld
    PID 19972: not in ps output
    CWD 19972: /var/lib/mysql
    EXE 19972: /usr/sbin/mysqld
    PID 20323: not in ps output
    CWD 20323: /var/lib/mysql
    EXE 20323: /usr/sbin/mysqld
    PID 20359: not in ps output
    CWD 20359: /var/lib/mysql
    EXE 20359: /usr/sbin/mysqld
    PID 20361: not in ps output
    CWD 20361: /var/lib/mysql
    EXE 20361: /usr/sbin/mysqld
    PID 20387: not in ps output
    CWD 20387: /var/lib/mysql
    EXE 20387: /usr/sbin/mysqld
    PID 20416: not in ps output
    CWD 20416: /var/lib/mysql
    EXE 20416: /usr/sbin/mysqld
    PID 20417: not in ps output
    CWD 20417: /var/lib/mysql
    EXE 20417: /usr/sbin/mysqld
    PID 20581: not in ps output
    CWD 20581: /var/lib/mysql
    EXE 20581: /usr/sbin/mysqld
    PID 20613: not in ps output
    CWD 20613: /var/lib/mysql
    EXE 20613: /usr/sbin/mysqld
    PID 20632: not in ps output
    CWD 20632: /var/lib/mysql
    EXE 20632: /usr/sbin/mysqld
    PID 20633: not in ps output
    CWD 20633: /var/lib/mysql
    EXE 20633: /usr/sbin/mysqld
    PID 20654: not in ps output
    CWD 20654: /var/lib/mysql
    EXE 20654: /usr/sbin/mysqld
    PID 20655: not in ps output
    CWD 20655: /var/lib/mysql
    EXE 20655: /usr/sbin/mysqld
    PID 20656: not in ps output
    CWD 20656: /var/lib/mysql
    EXE 20656: /usr/sbin/mysqld
    PID 20670: not in ps output
    CWD 20670: /var/lib/mysql
    EXE 20670: /usr/sbin/mysqld
    PID 20673: not in ps output
    CWD 20673: /var/lib/mysql
    EXE 20673: /usr/sbin/mysqld
    PID 20737: not in ps output
    CWD 20737: /var/lib/mysql
    EXE 20737: /usr/sbin/mysqld
    PID 20738: not in ps output
    CWD 20738: /var/lib/mysql
    EXE 20738: /usr/sbin/mysqld
    PID 20770: not in ps output
    CWD 20770: /var/lib/mysql
    EXE 20770: /usr/sbin/mysqld
    PID 20861: not in ps output
    CWD 20861: /var/lib/mysql
    EXE 20861: /usr/sbin/mysqld
    PID 20862: not in ps output
    CWD 20862: /var/lib/mysql
    EXE 20862: /usr/sbin/mysqld
    PID 20863: not in ps output
    CWD 20863: /var/lib/mysql
    EXE 20863: /usr/sbin/mysqld
    PID 21506: not in ps output
    CWD 21506: /var/lib/mysql
    EXE 21506: /usr/sbin/mysqld
    PID 21507: not in ps output
    CWD 21507: /var/lib/mysql
    EXE 21507: /usr/sbin/mysqld
    PID 21508: not in ps output
    CWD 21508: /var/lib/mysql
    EXE 21508: /usr/sbin/mysqld
    PID 21509: not in ps output
    CWD 21509: /var/lib/mysql
    EXE 21509: /usr/sbin/mysqld
    You have 52 process hidden for ps command
     
  3. xphost

    I found this on

    http://www.wiggy.net/debian/developer-securing/

    The lkm check is known to produce false positives for NPTL kernels (2.6 kernels or 2.4 with NPTL patches). Common multithreaded programs which will show this behaviour are slapd, mozilla and apache2 if you use one of its threading MPMs.
    The lkm check is known to fail on really slow machines. As processes start up and exit, it thinks they are hidden.
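
A triage sketch for the two false-positive causes quoted above (threads, and processes that exit mid-scan), added here as an example; it is not part of the thread or of chkrootkit. It assumes a Linux `/proc` whose `status` file carries a `Tgid` field, and the function names and sample data are constructed for illustration.

```python
import re
from collections import Counter
# Constructed sample in the `chkproc -v -v` format quoted in the thread.
SAMPLE = """\
PID 15910: not in ps output
CWD 15910: /var/lib/mysql
EXE 15910: /usr/sbin/mysqld
PID 15911: not in ps output
CWD 15911: /var/lib/mysql
EXE 15911: /usr/sbin/mysqld
PID 40001: not in ps output
"""
LINE = re.compile(r"^\s*(PID|CWD|EXE)\s+(\d+):\s*(.*)$")

def parse_chkproc(text):
    """Return {pid: {"cwd": ..., "exe": ...}} for each PID chkproc reported."""
    procs = {}
    for m in filter(None, map(LINE.match, text.splitlines())):
        entry = procs.setdefault(int(m.group(2)), {"cwd": None, "exe": None})
        if m.group(1) != "PID":
            entry[m.group(1).lower()] = m.group(3).strip()
    return procs

def proc_status(pid):
    """Default reader (assumes a Linux /proc with a Tgid field in status)."""
    with open(f"/proc/{pid}/status") as fh:
        return fh.read()

def thread_group(pid, read_status=proc_status):
    """Tgid of pid, or None when the entry is gone or unreadable."""
    try:
        status = read_status(pid)
    except (OSError, KeyError):
        return None
    m = re.search(r"^Tgid:\s*(\d+)", status, re.M)
    return int(m.group(1)) if m else None

def triage(text, read_status=proc_status):
    """Sort reported PIDs into threads, exited processes and real leaders."""
    threads, gone, leaders = Counter(), [], []
    for pid, info in sorted(parse_chkproc(text).items()):
        tgid = thread_group(pid, read_status)
        if tgid is None:
            gone.append(pid)             # exited between checks (slow machine)
        elif tgid != pid:
            threads[(info["exe"], tgid)] += 1   # thread of a visible process
        else:
            leaders.append((pid, info["exe"]))  # own process, needs a look
    return threads, gone, leaders
```

The `status` file is served by the same kernel the lkm check is testing, so this only explains thread and timing false positives; entries that land in `leaders` still need independent verification.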
     