hiding processes

Stryker:
My friend's web host runs Linux (not sure which version) and they have it set up so that when you do ps, ps aux, or anything with commands that list processes, you can only view your own. I'm running Red Hat 7.3; is there any way I can set up something like this?

voidmain:
I've seen root kits that contain hacked "ps" and "top" commands so as to hide the skript kiddie processes. But hacking the commands is the only way I know of doing it with the stock Linux kernel. Maybe the SELinux kernel has this functionality...

Maybe they renamed the commands to something else and then wrote a script to grep out only the $LOGNAME processes (/bin/ps2 aux | grep "^$LOGNAME"). But that would be a pretty stupid way to do it.

Or maybe they've been 0wn3d and have a root kit installed.  

[ December 07, 2002: Message edited by: void main ]

Stryker:
Well, I heard there was a way by changing some permissions in /proc, but I didn't find any details anywhere. I've played around in there with little success.

voidmain:

quote: Originally posted by Stryker:
Well, I heard there was a way by changing some permissions in /proc, but I didn't find any details anywhere. I've played around in there with little success.
--- End quote ---


To be honest, that is the first thing I thought of because I thought I had heard similar things way back when, but after searching I believed my memory was wrong. Then I thought I remembered something about setting the /lib/libproc* library to certain permissions, and I think my memory was wrong on that as well. There is a system-wide /etc/toprc where you can restrict top, but it doesn't prevent you from looking at other people's processes. Why don't you ask them? Now you've got me interested. My guess is a special hacked version of the procps tools.

Or the kernel was hacked so process directories were r-xr-x--- instead of r-xr-xr-x like they are by default under /proc.

[ December 07, 2002: Message edited by: void main ]
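
The two explanations raised in the posts above (a trojaned "ps" from a root kit, and per-process directories under /proc with tightened permissions such as r-xr-x---) can both be checked from the shell. This is an added example, not part of the original thread; the function names and the constructed sample tree are assumptions for illustration.

```shell
#!/bin/sh
# Added example: function names and the proc-root argument are hypothetical.

# List the numeric (per-process) directory names under a proc root, sorted.
proc_pids() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        name=${d##*/}
        case $name in *[!0-9]*) continue ;; esac   # skip non-PID entries
        if [ -d "$d" ]; then echo "$name"; fi
    done | sort -n
}

# PIDs that exist under the proc root ($1) but are missing from the PID list
# that ps reported (file $2, one PID per line). Output means ps is filtering.
hidden_from_ps() {
    proc_pids "$1" | grep -vxF -f "$2" || true
}

# Print "PID MODE" for every process directory whose "other" permission bits
# are not r-x, e.g. dr-xr-x--- instead of the default dr-xr-xr-x.
restricted_dirs() {
    root=${1:-/proc}
    for pid in $(proc_pids "$root"); do
        mode=$(ls -ld "$root/$pid" 2>/dev/null | cut -c1-10)
        [ -n "$mode" ] || continue                 # process exited meanwhile
        case $mode in
            *r-x) ;;                               # default, readable by all
            *) echo "$pid $mode" ;;
        esac
    done
}

# Constructed sample: a fake proc tree and a fake ps PID list (not real data).
demo() {
    t=$(mktemp -d)
    mkdir "$t/1" "$t/42" "$t/777" "$t/self"
    chmod 555 "$t/1" "$t/42"; chmod 550 "$t/777"
    printf '1\n42\n' > "$t/ps_pids"                # "ps" omits PID 777
    echo "hidden from ps: $(hidden_from_ps "$t" "$t/ps_pids")"
    echo "restricted:     $(restricted_dirs "$t")"
    chmod -R u+w "$t"; rm -rf "$t"
}
demo
```

On a live system, save the output of `ps -e -o pid= | tr -d ' '` to a file and pass /proc as the root. A process that starts or exits between the two listings shows up as a false positive, and a root kit that filters /proc inside the kernel will not be caught by this comparison.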

Stryker:
Well, I saw it on a forum a long time ago, and the forum was dated 2 years before I saw it. Asking wouldn't do much good. I'm thinking I'll probably take a look at the kernel's source code and see what goodies are in there. My first real attempt at reprogramming part of the kernel... (I'll probably break it)
