OpenVZ Forum: Support » "hidden processes" in OpenVZ

Home » General » Support » "hidden processes" in OpenVZ

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Re: "hidden processes" in OpenVZ [message #23645 is a reply to message #23632]

Wed, 21 November 2007 12:53

vaverin
Messages: 708
Registered: September 2005

Senior Member

As you know each process has a directory on proc filesystem:
/proc/<pid>/...

Usually /proc/<pid> are visible by any filesystem system calls. "Hidden" pids are not visible directly -- for example readdir() system call does not show it. However some other system calls still can use this pid: for exmaple you can change directory to "hidden" or something else. (I would note -- it is not usual "cd" shell command, but syscall chdir() used by chkproc).

Procfs -- is virtual filesystem, its content created by kernel an the fly and even root is not able to change its content. On the other hand root is able to load some kernel modules that will change kernel code and by this way will be able to change proc output too. Some rootkits uses this ability and changes kernel code to make itself invisible.

That's why chkrootkit tries detect these "invisible" processes by using some unusual ways. Such "hidden" processes really looks suspect.

Unfortunately our "system" pids are visible inside VE for some system call, chkrootkit is able to detect it and report about suspected pids.

However nobody inside VE hav permissions to load kernel modules, and therefore any rootkits inside VE are not able to make the processes "hidden".

thank you,
Vasily Averin

Report message to a moderator

[Message index]

		"hidden processes" in OpenVZ By: floogy on Sun, 18 November 2007 14:11
		Re: "hidden processes" in OpenVZ By: vaverin on Tue, 20 November 2007 10:43
		Re: "hidden processes" in OpenVZ By: floogy on Tue, 20 November 2007 12:59
		Re: "hidden processes" in OpenVZ By: vaverin on Tue, 20 November 2007 13:56
		Re: "hidden processes" in OpenVZ By: floogy on Tue, 20 November 2007 14:03
		Re: "hidden processes" in OpenVZ By: vaverin on Tue, 20 November 2007 14:17
		Re: "hidden processes" in OpenVZ By: floogy on Tue, 20 November 2007 14:24
		Re: "hidden processes" in OpenVZ By: floogy on Tue, 20 November 2007 21:11
		Re: "hidden processes" in OpenVZ By: vaverin on Wed, 21 November 2007 05:18
		Re: "hidden processes" in OpenVZ By: vaverin on Wed, 21 November 2007 06:01
		Re: "hidden processes" in OpenVZ By: vaverin on Wed, 21 November 2007 06:50
		Re: "hidden processes" in OpenVZ By: floogy on Wed, 21 November 2007 10:22
		Re: "hidden processes" in OpenVZ By: vaverin on Wed, 21 November 2007 12:53
		Re: "hidden processes" in OpenVZ By: dev on Thu, 06 March 2008 20:48
		Re: "hidden processes" in OpenVZ By: sara3 on Fri, 07 March 2008 12:26
		Re: "hidden processes" in OpenVZ By: dev on Fri, 07 March 2008 13:16

Previous Topic:	Quota on syscall for File exists
Next Topic:	New Kernel 2.6.24 out

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Sun Aug 11 12:37:35 GMT 2024

Total time taken to generate the page: 0.04515 seconds