OpenVZ Forum


Home » General » Support » "hidden processes" in OpenVZ
Re: "hidden processes" in OpenVZ [message #23645 is a reply to message #23632] Wed, 21 November 2007 12:53 Go to previous messageGo to previous message
vaverin is currently offline  vaverin
Messages: 708
Registered: September 2005
Senior Member
As you know each process has a directory on proc filesystem:
/proc/<pid>/...

Usually /proc/<pid> are visible by any filesystem system calls. "Hidden" pids are not visible directly -- for example readdir() system call does not show it. However some other system calls still can use this pid: for exmaple you can change directory to "hidden" or something else. (I would note -- it is not usual "cd" shell command, but syscall chdir() used by chkproc).

Procfs -- is virtual filesystem, its content created by kernel an the fly and even root is not able to change its content. On the other hand root is able to load some kernel modules that will change kernel code and by this way will be able to change proc output too. Some rootkits uses this ability and changes kernel code to make itself invisible.

That's why chkrootkit tries detect these "invisible" processes by using some unusual ways. Such "hidden" processes really looks suspect.

Unfortunately our "system" pids are visible inside VE for some system call, chkrootkit is able to detect it and report about suspected pids.

However nobody inside VE hav permissions to load kernel modules, and therefore any rootkits inside VE are not able to make the processes "hidden".

thank you,
Vasily Averin

Report message to a moderator

[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Quota on syscall for File exists
Next Topic: New Kernel 2.6.24 out
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ] [ PDF ]

Current Time: Mon Sep 08 20:18:11 GMT 2025

Total time taken to generate the page: 0.09691 seconds
Powered by FUDforum Powered by Virtuozzo Containers