Author Topic: hiding processes  (Read 891 times)

Stryker

  • VIP
  • Member
  • ***
  • Posts: 1,258
  • Kudos: 41
hiding processes
« on: 7 December 2002, 21:37 »
My friend's web host runs Linux (not sure which version) and they have it set up so that when you do ps, ps aux, or anything with commands that list processes, you can only view your own. I'm running Red Hat 7.3; is there any way I can set up something like this?

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
hiding processes
« Reply #1 on: 7 December 2002, 11:29 »
I've seen root kits that contain hacked "ps" and "top" commands so as to hide the skript kiddie processes. But hacking the commands is the only way I know of doing it with the stock Linux kernel. Maybe the SELinux kernel has this functionality...

Maybe they renamed the commands to something else and then wrote a script to grep out only the $LOGNAME processes (/bin/ps2 aux | grep "^$LOGNAME"). But that would be a pretty stupid way to do it.

Or maybe they've been 0wn3d and have a root kit installed.  

[ December 07, 2002: Message edited by: void main ]

Someone please remove this account. Thanks...

Stryker

  • VIP
  • Member
  • ***
  • Posts: 1,258
  • Kudos: 41
hiding processes
« Reply #2 on: 7 December 2002, 21:23 »
Well, I heard there was a way by changing some permissions in /proc, but I didn't find any details anywhere. I've played around in there with little success.

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
hiding processes
« Reply #3 on: 7 December 2002, 23:14 »
quote:
Originally posted by Stryker:
Well, I heard there was a way by changing some permissions in /proc, but I didn't find any details anywhere. I've played around in there with little success.

To be honest that is the first thing I thought of because I thought I had heard similar things way back when, but after searching I believed my memory was wrong. Then I thought I remembered something about setting the /lib/libproc* library to certain permissions, and I think my memory was wrong on that as well. There is a system-wide /etc/toprc where you can restrict top, but it doesn't prevent you from looking at other people's processes. Why don't you ask them? Now you've got me interested. My guess is a special hacked version of the procps tools.

Or the kernel was hacked so process directories were r-xr-x--- instead of r-xr-xr-x like they are by default under /proc.

[ December 07, 2002: Message edited by: void main ]

Someone please remove this account. Thanks...

Stryker

  • VIP
  • Member
  • ***
  • Posts: 1,258
  • Kudos: 41
hiding processes
« Reply #4 on: 8 December 2002, 07:35 »
Well, I saw it on a forum a long time ago, and the forum was dated 2 years before I saw it. Asking wouldn't do much good. I'm thinking I'll probably take a look at the kernel's source code and see what goodies are in there. My first real attempt at reprogramming part of the kernel... (I'll probably break it.)

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
hiding processes
« Reply #5 on: 8 December 2002, 07:56 »
The uptime hack I just did to the kernel is probably in the same area that you need. I added a kernel variable to /proc. The file I needed to modify was "/usr/src/linux/kernel/sysctl.c". I might look around there too and see if I see anything. Most everything is set to a mode of "0644"; wonder what would happen if you changed everything to "0640"?

[ December 07, 2002: Message edited by: void main ]

Someone please remove this account. Thanks...

Stryker

  • VIP
  • Member
  • ***
  • Posts: 1,258
  • Kudos: 41
hiding processes
« Reply #6 on: 8 December 2002, 08:40 »
quote:
Originally posted by void main:
The uptime hack I just did to the kernel is probably in the same area that you need. I added a kernel variable to /proc. The file I needed to modify was "/usr/src/linux/kernel/sysctl.c". I might look around there too and see if I see anything. Most everything is set to a mode of "0644"; wonder what would happen if you changed everything to "0640"?

[ December 07, 2002: Message edited by: void main ]

Is there a command to replace all of the 0644s with 0640s? Or do I have to do it manually? (There are a lot of them.)

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
hiding processes
« Reply #7 on: 8 December 2002, 08:45 »
In vim it would be:

:%s/0644/0640/g
Someone please remove this account. Thanks...

Stryker

  • VIP
  • Member
  • ***
  • Posts: 1,258
  • Kudos: 41
hiding processes
« Reply #8 on: 8 December 2002, 12:30 »
Well, I tried changing that stuff, I recompiled, made the image and started it. It didn't seem to change anything, which leads me to think that the kernel's source may have bloat (changing something should actually change something). I'll figure this thing out yet, just give me some time.

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
hiding processes
« Reply #9 on: 8 December 2002, 12:40 »
Did you do an "ls -l /proc" and compare differences in permissions? Also, I don't believe that sysctl.c is the file that deals with the process directories under /proc; I think that might be sched.c or one of the others. But I'm an extreme novice when it comes to hacking the kernel. I just gave you that as a possible "close" location. Oh, and that in no way is an indicator of bloat. Maybe you should ask Linus or Alan what needs to be modified.

[ December 08, 2002: Message edited by: void main ]

Someone please remove this account. Thanks...

Stryker

  • VIP
  • Member
  • ***
  • Posts: 1,258
  • Kudos: 41
hiding processes
« Reply #10 on: 8 December 2002, 12:47 »
quote:
Originally posted by void main:
Did you do an "ls -l /proc" and compare differences in permissions? Also, I don't believe that sysctl.c is the file that deals with the process directories under /proc; I think that might be sched.c or one of the others. But I'm an extreme novice when it comes to hacking the kernel. I just gave you that as a possible "close" location. Oh, and that in no way is an indicator of bloat. Maybe you should ask Linus or Alan what needs to be modified.

[ December 08, 2002: Message edited by: void main ]

Well, I don't exactly have a way to talk to them, and if I did they'd probably do a great job at making me look silly and stupid. No, I didn't get a chance to look too much into it; I was a bit depressed because in the config of the kernel (it asks a load of questions during compiling) I forgot to support video, LAN, and my sound card, so I had to get out pretty fast. I'll look more into it tomorrow... I feel sleep coming soon.

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
hiding processes
« Reply #11 on: 8 December 2002, 13:07 »
quote:
Originally posted by Stryker:
Well, I don't exactly have a way to talk to them, and if I did they'd probably do a great job at making me look silly and stupid.

You most certainly do have a way to talk to them. Just subscribe to the kernel mailing lists at www.kernel.org. You wouldn't have to address your question directly to Linus or Alan, as there are many more people there that can answer your question, but you never know, Linus or Alan just might answer your question. Ya just never know.

As far as all the questions in the kernel configuration go, I have a couple of RedHat tips for compiling the kernel on my voidmain site I just stuck up. One of the steps is to copy the "config" file from the installed kernel so you automatically have all of the same options turned on.
Someone please remove this account. Thanks...
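As an added example (not code from the thread or from either poster): the behaviour Stryker asks about in the opening post, and the restricted /proc process directories void main guesses at in Reply #3, have been a stock kernel feature since Linux 3.3 via the hidepid mount option on procfs, so no patched ps/top or kernel edit is needed on a current system. The script below is a defender's check that parses /proc/mounts lines to report whether the option is in effect; the sample mount lines are constructed, and the remount and fstab lines in the comments are the standard forms of the option.

```shell
#!/bin/sh
# Added example, not code from the thread. Since Linux 3.3 procfs accepts a
# hidepid= mount option: with hidepid=2 a user's /proc lists only their own
# process directories, so ps/top (which read /proc) show only their own
# processes. hidepid=1 leaves the directories visible but blocks access to
# their contents. Kernels 5.8+ also accept the names hidepid=invisible (same
# as 2) and hidepid=ptraceable. The gid= option names one group (e.g. a
# monitoring group) that keeps full visibility.
#
# To enable (as root), either remount now:
#     mount -o remount,hidepid=2 /proc
# or make it persistent in /etc/fstab:
#     proc  /proc  proc  defaults,hidepid=2  0  0
#
# Below: a check to see whether this is in effect, parsing /proc/mounts.
# Sample mount lines are constructed for illustration.

# Print the hidepid value found on one /proc/mounts line for the /proc mount.
# Prints 0 when /proc is mounted without the option, and "notproc" (exit 1)
# when the line is not the /proc mount at all.
proc_hidepid_from_line() {
    line=$1                          # "src mountpoint fstype opts dump pass"
    opts=$(printf '%s\n' "$line" | awk '$2 == "/proc" && $3 == "proc" { print $4 }')
    [ -n "$opts" ] || { echo notproc; return 1; }
    case ",$opts," in
        *,hidepid=*)
            # if the option is repeated, report the last one given
            printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^hidepid=//p' | tail -n 1
            ;;
        *)
            echo 0
            ;;
    esac
}

# Given the full text of /proc/mounts, print "restricted" when the /proc
# mount hides other users' processes and "open" otherwise (including when
# no /proc mount is present in the text).
proc_visibility_from_mounts() {
    value=$(printf '%s\n' "$1" | while IFS= read -r l; do
                v=$(proc_hidepid_from_line "$l") && printf '%s\n' "$v"
            done | tail -n 1)
    case "$value" in
        1|2|invisible|ptraceable) echo restricted ;;
        *)                        echo open ;;
    esac
}

# Constructed sample lines (same shape as real /proc/mounts entries).
SAMPLE_OPEN='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_RESTRICTED='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=26 0 0'

# Usage on a live host: report the state of this machine's /proc mount.
report_live_proc() {
    proc_visibility_from_mounts "$(cat /proc/mounts 2>/dev/null)"
}
```

Run report_live_proc on a box to see which state it is in; "open" means any local user can enumerate every process with a plain ps aux, exactly the situation the thread is trying to change.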