OpenVZ Forum


Home » General » Support » "hidden processes" in OpenVZ
Re: "hidden processes" in OpenVZ [message #23610 is a reply to message #23608] Wed, 21 November 2007 06:01 Go to previous messageGo to previous message
vaverin is currently offline  vaverin
Messages: 708
Registered: September 2005
Senior Member
I would note that you cannot make process "hidden" from userspace. It can be done from kernel-space only, i.e. by using loadable kernel modules.
However nobody inside VE have such permissions, nobody is able to load any kernel modules from inside VE, only HW-node admin is able to do it.

Therefore "hidden" proccesses detected inside VE is not mean that your VE has been hacked. All that yo can do is just report to HW-node admin and he can check your "hidden" pids.

However you can make some checks inside VE too. Usually "virtual" pids visible inside VE = "system" Pid + 1024 (i.e bit 10 is used to mark pid as Virtual). Therefore if you found "hidden" pid with this number, it makes sense to search according "virtual" pid inside VE.

Of course we'll make "system" pids to be more "invisible" inside VE -- to prevent chkrootkit's false alerts.

Thank you,
Vasily Averin

Report message to a moderator

[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Quota on syscall for File exists
Next Topic: New Kernel 2.6.24 out
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ] [ PDF ]

Current Time: Thu Apr 16 04:18:46 GMT 2026

Total time taken to generate the page: 0.32562 seconds
Powered by FUDforum Powered by Virtuozzo Containers