Unhide finds hidden processes [solved]



Postby slingshot on Sun Dec 16, 2012 5:58 pm

Hi,

Finally I managed to set up my computer the way I want it but:

unhide sys finds hidden processes


unhide sys
Unhide 20110113
http://www.unhide-forensics.info
[*]Searching for Hidden processes through getpriority() scanning
[*]Searching for Hidden processes through getpgid() scanning
[*]Searching for Hidden processes through getsid() scanning
[*]Searching for Hidden processes through sched_getaffinity() scanning
[*]Searching for Hidden processes through sched_getparam() scanning
[*]Searching for Hidden processes through sched_getscheduler() scanning
[*]Searching for Hidden processes through sched_rr_get_interval() scanning
[*]Searching for Hidden processes through kill(..,0) scanning
[*]Searching for Hidden processes through comparison of results of system calls

Found HIDDEN PID: 1 Command: "/sbin/init"
Found HIDDEN PID: 2 Wchan: "[kthreadd]"
Found HIDDEN PID: 3 Wchan: "[run_ksoftirqd]"
Found HIDDEN PID: 4 Wchan: "[worker_thread]"
Found HIDDEN PID: 5 Wchan: "[worker_thread]"
Found HIDDEN PID: 6 Wchan: "[cpu_stopper_thread]"
Found HIDDEN PID: 7 Wchan: "[watchdog]"
Found HIDDEN PID: 8 Wchan: "[cpu_stopper_thread]"
Found HIDDEN PID: 9 Wchan: "[worker_thread]"
Found HIDDEN PID: 10 Wchan: "[run_ksoftirqd]"
Found HIDDEN PID: 11 Wchan: "[watchdog]"
Found HIDDEN PID: 12 Wchan: "[cpu_stopper_thread]"
Found HIDDEN PID: 13 Wchan: "[worker_thread]"
Found HIDDEN PID: 14 Wchan: "[run_ksoftirqd]"
Found HIDDEN PID: 15 Wchan: "[watchdog]"
Found HIDDEN PID: 16 Wchan: "[cpu_stopper_thread]"
Found HIDDEN PID: 17 Wchan: "[worker_thread]"
Found HIDDEN PID: 18 Wchan: "[run_ksoftirqd]"
Found HIDDEN PID: 19 Wchan: "[watchdog]"
Found HIDDEN PID: 20 Wchan: "[rescuer_thread]"
Found HIDDEN PID: 21 Wchan: "[rescuer_thread]"
Found HIDDEN PID: 22 Wchan: "[devtmpfsd]"
Found HIDDEN PID: 23 Wchan: "[rescuer_thread]"
Found HIDDEN PID: 24 Wchan: "[worker_thread]"
Found HIDDEN PID: 25 Wchan: "[bdi_sync_supers]"
Found HIDDEN PID: 26 Wchan: "[bdi_forker_thread]"
Found HIDDEN PID: 27 Wchan: "[rescuer_thread]"
Found HIDDEN PID: 28 Wchan: "[rescuer_thread]"
Found HIDDEN PID: 29 Wchan: "[rescuer_thread]"
Found HIDDEN PID: 30 Wchan: "[hub_thread]"
Found HIDDEN PID: 31 Wchan: "[rescuer_thread]"
Found HIDDEN PID: 32 Wchan: "[worker_thread]"
Found HIDDEN PID: 34 Wchan: "[watchdog]"
Found HIDDEN PID: 35 Wchan: "[kswapd]"
Found HIDDEN PID: 36 Wchan: "[ksm_scan_thread]"
Found HIDDEN PID: 37 Wchan: "[khugepaged_loop]"
Found HIDDEN PID: 38 Wchan: "[fsnotify_mark_destroy]"
Found HIDDEN PID: 39 Wchan: "[ecryptfs_threadfn]"
Found HIDDEN PID: 40 Wchan: "[rescuer_thread]"
Found HIDDEN PID: 49 Wchan: "[rescuer_thread]"
Found HIDDEN PID: 51 Wchan: "[worker_thread]"
Found HIDDEN PID: 52 Wchan: "[worker_thread]"
Found HIDDEN PID: 53 Wchan: "[scsi_error_handler]"
Found HIDDEN PID: 54 Wchan: "[scsi_error_handler]"
Found HIDDEN PID: 55 Wchan: "[scsi_error_handler]"
Found HIDDEN PID: 56 Wchan: "[scsi_error_handler]"
Found HIDDEN PID: 57 Wchan: "[worker_thread]"
Found HIDDEN PID: 58 Wchan: "[worker_thread]"
Found HIDDEN PID: 59 Wchan: "[worker_thread]"
Found HIDDEN PID: 60 Wchan: "[worker_thread]"
Found HIDDEN PID: 61 Wchan: "[rescuer_thread]"
Found HIDDEN PID: 62 Wchan: "[worker_thread]"
Found HIDDEN PID: 81 Wchan: "[rescuer_thread]"
Found HIDDEN PID: 82 Wchan: "[rescuer_thread]"
Found HIDDEN PID: 83 Wchan: "[rescuer_thread]"
Found HIDDEN PID: 84 Wchan: "[worker_thread]"
Found HIDDEN PID: 263 Wchan: "[kjournald2]"
Found HIDDEN PID: 264 Wchan: "[rescuer_thread]"
Found HIDDEN PID: 460 Command: "upstart-udev-bridge"
Found HIDDEN PID: 476 Command: "/sbin/udevd"
Found HIDDEN PID: 485 Command: "dbus-daemon"
Found HIDDEN PID: 495 Command: "/usr/sbin/bluetoothd"
Found HIDDEN PID: 514 Command: "rsyslogd"
Found HIDDEN PID: 519 Wchan: "[irq_thread]"
Found HIDDEN PID: 521 Wchan: "[rfcomm_run]"
Found HIDDEN PID: 531 Command: "avahi-daemon: running [kristian-K2.local]"
Found HIDDEN PID: 532 Command: "avahi-daemon: chroot helper"
Found HIDDEN PID: 562 Command: "rsyslogd"
Found HIDDEN PID: 609 Command: "/usr/sbin/cupsd"
Found HIDDEN PID: 610 Command: "rsyslogd"
Found HIDDEN PID: 611 Command: "rsyslogd"
Found HIDDEN PID: 624 Command: "/sbin/udevd"
Found HIDDEN PID: 625 Command: "/sbin/udevd"
Found HIDDEN PID: 646 Command: "/usr/lib/x86_64-linux-gnu/colord/colord"
Found HIDDEN PID: 666 Command: "/usr/lib/x86_64-linux-gnu/colord/colord"
Found HIDDEN PID: 671 Command: "/usr/lib/x86_64-linux-gnu/colord/colord"
Found HIDDEN PID: 703 Wchan: "[rescuer_thread]"
Found HIDDEN PID: 739 Wchan: "[worker_thread]"
Found HIDDEN PID: 813 Command: "smbd"
Found HIDDEN PID: 892 Command: "/usr/sbin/modem-manager"
Found HIDDEN PID: 894 Command: "smbd"
Found HIDDEN PID: 914 Wchan: "[rescuer_thread]"
Found HIDDEN PID: 922 Wchan: "[worker_thread]"
Found HIDDEN PID: 931 Command: "upstart-socket-bridge"
Found HIDDEN PID: 958 Wchan: "[rescuer_thread]"
Found HIDDEN PID: 967 Wchan: "[ips_adjust]"
Found HIDDEN PID: 968 Wchan: "[ips_monitor]"
Found HIDDEN PID: 981 Wchan: "[rescuer_thread]"
Found HIDDEN PID: 1201 Command: "/sbin/getty"
Found HIDDEN PID: 1205 Command: "/sbin/getty"
Found HIDDEN PID: 1220 Command: "/sbin/getty"
Found HIDDEN PID: 1221 Command: "/sbin/getty"
Found HIDDEN PID: 1227 Command: "/sbin/getty"
Found HIDDEN PID: 1236 Command: "acpid"
Found HIDDEN PID: 1247 Command: "/usr/sbin/irqbalance"
Found HIDDEN PID: 1277 Command: "atd"
Found HIDDEN PID: 1278 Command: "cron"
Found HIDDEN PID: 1344 Command: "/usr/bin/freshclam"
Found HIDDEN PID: 1451 Command: "/usr/lib/postfix/master"
Found HIDDEN PID: 1484 Command: "/usr/bin/python"
Found HIDDEN PID: 1508 Command: "/usr/sbin/mdm"
Found HIDDEN PID: 1509 Command: "/usr/sbin/mdm"
Found HIDDEN PID: 1525 Command: "/usr/bin/python"
Found HIDDEN PID: 1552 Command: "/usr/bin/X"
Found HIDDEN PID: 1678 Wchan: "[bdi_writeback_thread]"
Found HIDDEN PID: 1694 Command: "/sbin/getty"
Found HIDDEN PID: 1709 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1710 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1711 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1712 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1713 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1714 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1715 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1716 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1717 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1718 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1719 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1720 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1721 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1722 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1723 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1724 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1725 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1726 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1727 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1728 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1729 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1730 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1731 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1732 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1733 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1734 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1735 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1736 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1737 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1738 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1739 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1740 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1741 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1742 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1743 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1744 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1745 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1746 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1747 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1748 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1749 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1750 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1751 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1752 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1753 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1754 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1755 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1756 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1757 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1758 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1759 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1760 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1761 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1762 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1763 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1764 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1765 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1766 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1767 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1768 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1769 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1770 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1771 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1773 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1774 Command: "/usr/sbin/console-kit-daemon"
Found HIDDEN PID: 1776 Command: "/usr/lib/policykit-1/polkitd"
Found HIDDEN PID: 1778 Command: "/usr/lib/policykit-1/polkitd"
Found HIDDEN PID: 1895 Command: "/usr/lib/upower/upowerd"
Found HIDDEN PID: 1896 Command: "/usr/lib/upower/upowerd"
Found HIDDEN PID: 1897 Command: "/usr/lib/upower/upowerd"
Found HIDDEN PID: 2054 Command: "/usr/lib/rtkit/rtkit-daemon"
Found HIDDEN PID: 2056 Command: "/usr/lib/accountsservice/accounts-daemon"
Found HIDDEN PID: 2057 Command: "/usr/lib/rtkit/rtkit-daemon"
Found HIDDEN PID: 2058 Command: "/usr/lib/rtkit/rtkit-daemon"
Found HIDDEN PID: 2060 Command: "/usr/lib/accountsservice/accounts-daemon"
Found HIDDEN PID: 2105 Command: "/usr/lib/udisks2/udisksd"
Found HIDDEN PID: 2106 Command: "/usr/lib/udisks2/udisksd"
Found HIDDEN PID: 2108 Command: "/usr/lib/udisks2/udisksd"
Found HIDDEN PID: 2113 Command: "/usr/lib/udisks2/udisksd"
Found HIDDEN PID: 2419 Wchan: "[worker_thread]"
Found HIDDEN PID: 2610 Command: "/usr/sbin/winbindd"
Found HIDDEN PID: 2612 Command: "nmbd"
Found HIDDEN PID: 2613 Command: "/usr/sbin/winbindd"
Found HIDDEN PID: 2627 Wchan: "[worker_thread]"
Found HIDDEN PID: 2628 Wchan: "[worker_thread]"
Found HIDDEN PID: 2629 Wchan: "[worker_thread]"
Found HIDDEN PID: 2711 Command: "pickup"
Found HIDDEN PID: 2712 Command: "qmgr"

[*]Searching for Hidden processes through sysinfo() scanning

HIDDEN Processes Found: 1 sysinfo.procs = 292 ps_count = 294


unhide brute gives this result:
unhide brute
Unhide 20110113
http://www.unhide-forensics.info
[*]Starting scanning using brute force against PIDS with fork()

Found HIDDEN PID: 17516 " ... maybe a transitory process"
Found HIDDEN PID: 17689 " ... maybe a transitory process"
Found HIDDEN PID: 17858 " ... maybe a transitory process"
[*]Starting scanning using brute force against PIDS with pthread functions

Found HIDDEN PID: 10021 " ... maybe a transitory process"
Found HIDDEN PID: 10022 " ... maybe a transitory process"


How should I deal with this? Is my computer compromised or is this just unhide making false outputs?

Any help will be appreciated!
Last edited by slingshot on Mon Jan 07, 2013 6:17 am, edited 1 time in total.
slingshot
Level 1
Posts: 25
Joined: Sun Feb 20, 2011 3:26 pm


Re: Unhide finds hidden processes

Postby eanfrid on Sun Dec 16, 2012 6:06 pm

Hello,

All I see in your log are false positives.
Never attribute to malice that which is adequately explained by stupidity.
eanfrid
Level 4
Posts: 495
Joined: Mon Apr 30, 2012 2:49 am
Location: France

Re: Unhide finds hidden processes

Postby slingshot on Mon Dec 17, 2012 5:30 am

Hi,

Thanks for your reply. I forgot to mention that I am running Mint 14 64-bit.

The reason why I started looking into this was that a website blocked my IP address. I am living in an apartment building with a cable modem. It might not be a problem with my computer after all. I guess it could be a problem related to my ISP.

I ran chkrootkit as well and got this warning:
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! kristian 2534 pts/0 /bin/bash
chkutmp: nothing deleted


How can I check if it is a problem with this file? I am uncertain how to interpret this.

Thanks again!
slingshot
Level 1
Posts: 25
Joined: Sun Feb 20, 2011 3:26 pm

Re: Unhide finds hidden processes

Postby eanfrid on Mon Jan 07, 2013 4:51 am

First, are you the user "kristian" ?
Second, a PTS is a pseudo-terminal opened by a remote connection such as SSH or telnet.

So chkrootkit told you that "kristian" remotely opened a bash interpreter session via (probably) an SSH connection to your computer and maybe was still connected. If this is what you did yourself at this time, there is no concern. As you can guess, looking for malware and rootkit activity requires being able to tell apart what is not :) chkrootkit and rkhunter alert you about what may be suspect and can therefore result in many false positives.
Never attribute to malice that which is adequately explained by stupidity.
eanfrid
Level 4
Posts: 495
Joined: Mon Apr 30, 2012 2:49 am
Location: France
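What chkrootkit's `chkutmp` test actually does is simple: take every process that has a controlling pseudo-terminal, and look for a live login record with the same `ut_line` (e.g. `pts/0`) in /var/run/utmp. sshd and login(1) write such a record; many desktop terminal emulators do not (they need a helper such as utempter to do it), so a shell in a local terminal window produces exactly the warning quoted two posts up. The script below is an added example, not chkrootkit's code: it parses the binary utmp record format, applies the check to a process list in `ps -o user,pid,tty,args` shape, and runs on a constructed utmp record and a constructed process list so it works offline. It assumes the glibc x86_64 `struct utmp` layout (384-byte records); the function names and sample data are mine.

```python
"""
The chkutmp check, re-implemented (added example, not chkrootkit's code).
Assumed record layout: glibc struct utmp on x86_64, 384 bytes per entry.
"""
import os
import struct
import subprocess

# ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit(2x short),
# ut_session, ut_tv(sec, usec), ut_addr_v6, unused
UT_FORMAT = "<hxxi32s4s32s256shhiii16s20x"
UT_SIZE = struct.calcsize(UT_FORMAT)  # 384 on glibc x86_64
USER_PROCESS = 7                      # ut_type of a live login session
DEAD_PROCESS = 8                      # left behind after logout


def parse_utmp(data):
    """Yield (ut_type, pid, line, user) for every record in raw utmp bytes."""
    for off in range(0, len(data) - UT_SIZE + 1, UT_SIZE):
        ut_type, pid, line, _id, user, *_ = struct.unpack_from(UT_FORMAT, data, off)
        yield ut_type, pid, line.rstrip(b"\0").decode(), user.rstrip(b"\0").decode()


def make_record(ut_type, pid, line, user, host=""):
    """Build one utmp record (used here to construct sample data)."""
    return struct.pack(UT_FORMAT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, 0, 0, b"")


def utmp_lines(data):
    """Map tty line -> user for every live (USER_PROCESS) session."""
    return {line: user for t, _pid, line, user in parse_utmp(data) if t == USER_PROCESS}


def parse_ps_output(text):
    """Parse `ps -eo user:32,pid,tty,args` output into (user, pid, tty, cmd)."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip header
        user, pid, tty, cmd = line.split(None, 3)
        rows.append((user, int(pid), tty, cmd))
    return rows


def chkutmp(processes, utmp_data):
    """Return processes whose tty has no live utmp session, the same
    condition chkrootkit reports as 'tty ... not found in /var/run/utmp'."""
    lines = utmp_lines(utmp_data)
    return [p for p in processes if p[2] != "?" and p[2] not in lines]


# Constructed sample: one SSH session registered on pts/1, a local terminal
# shell on pts/0 that never registered, and a daemon with no tty.
SAMPLE_PS = """USER     PID TT       COMMAND
root       1 ?        /sbin/init
kristian 2534 pts/0   /bin/bash
kristian 2600 pts/1   /bin/bash
"""
SAMPLE_UTMP = (make_record(USER_PROCESS, 2600, "pts/1", "kristian", "10.0.0.5")
               + make_record(DEAD_PROCESS, 2100, "pts/2", ""))


def report(processes, utmp_data):
    """Format the findings like chkrootkit does."""
    out = []
    for user, pid, tty, cmd in chkutmp(processes, utmp_data):
        out.append(f"! {user} {pid} {tty} {cmd}")
    return "\n".join(out) if out else "chkutmp: nothing to report"


if __name__ == "__main__":
    print("--- constructed sample ---")
    print(report(parse_ps_output(SAMPLE_PS), SAMPLE_UTMP))
    if os.path.exists("/var/run/utmp"):  # live check on a Linux host
        with open("/var/run/utmp", "rb") as f:
            live_utmp = f.read()
        ps = subprocess.run(["ps", "-eo", "user:32,pid,tty,args"],
                            capture_output=True, text=True, check=True).stdout
        print("--- this host ---")
        print(report(parse_ps_output(ps), live_utmp))
```

On the constructed data only the pts/0 shell is flagged, which is the shape of the warning in the thread. To decide whether such a hit is benign, check whether the pts belongs to a terminal window you have open: `ps -o user,pid,ppid,tty,cmd -p 2534` shows the parent (a terminal emulator for a local window, `sshd` for a remote login), and `who` or `w` show what utmp has registered. An interactive shell on a pts whose parent is neither is what deserves a closer look.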

Re: Unhide finds hidden processes

Postby slingshot on Mon Jan 07, 2013 6:16 am

Hello,

Thank you for taking the time to reply! Yes, I am the user kristian :-)

After some investigation I figured that this is all just false positives. Had a chance to check how chkrootkit/unhide reported back on a fresh install and it was the same as mentioned earlier. Did some checks of the logs as well and I could not find any issues there with my limited knowledge.

Wish you a happy new year!

Kristian
slingshot
Level 1
Posts: 25
Joined: Sun Feb 20, 2011 3:26 pm

