FS#32295 - [unhide] false positive

Attached to Project: Community Packages
Opened by Tod Jackson (shirokuro) - Tuesday, 30 October 2012, 12:34 GMT
Last edited by Lukas Fleischer (lfleischer) - Saturday, 03 November 2012, 21:28 GMT
Task Type Support Request
Category Packages
Status Closed
Assigned To Lukas Fleischer (lfleischer)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

I ran unhide on my Arch Linux host today as root and consistently receive this message with unhide -m sys:

WARNING: info.procs changed during test : 64 (was 63)
WARNING: info.procs changed during test : 63 (was 64)

63 and 64 could be any other PID (I assume it's referring to PIDs...). I've seen 128, 129, etc.

To see what was going on I booted from a fresh USB Arch dual iso, updated the repository, and installed unhide from pacman. I got the same results. I still wasn't convinced though, so I loaded a re-downloaded iso into Virtualbox (Arch host and guest) and got the same results. This is probably an upstream bug, but I thought I would bring it to someone's attention since Google didn't yield many results.

Additional info:
* package version(s)

I tried with my host installation I've been using for a few weeks, up to date with pacman -Syu, as well as freshly-downloaded ISOs, unupgraded.

archlinux-2012.10.06-dualiso.iso
* config and/or log files etc.

rkhunter finds no rootkits, and chkrootkit thinks /sbin/init is infected due to another bug... but that's been confirmed, so no need to elaborate.

Steps to reproduce:

1. Boot up the latest iso however you wish.
2. Use wifi-menu to connect (in my case it was WPA).
3. Install unhide from pacman after updating the repositories.
4. Run unhide -m sys as root.

Closed by  Lukas Fleischer (lfleischer)
Saturday, 03 November 2012, 21:28 GMT
Reason for closing:  Not a bug
Additional comments about closing:  False positive, not a bug.
Comment by Tod Jackson (shirokuro) - Tuesday, 30 October 2012, 12:43 GMT
Sorry, I should include this example:

Unhide 20110113
http://www.unhide-forensics.info
[*]Searching for Hidden processes through getpriority() scanning

[*]Searching for Hidden processes through getpgid() scanning

[*]Searching for Hidden processes through getsid() scanning

[*]Searching for Hidden processes through sched_getaffinity() scanning

[*]Searching for Hidden processes through sched_getparam() scanning

[*]Searching for Hidden processes through sched_getscheduler() scanning

[*]Searching for Hidden processes through sched_rr_get_interval() scanning

[*]Searching for Hidden processes through kill(..,0) scanning

[*]Searching for Hidden processes through comparison of results of system calls

[*]Searching for Hidden processes through sysinfo() scanning

WARNING : info.procs changed during test : 205 (was 204)
WARNING : info.procs changed during test : 204 (was 205)
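As an added illustration (my own code, not unhide's and not from the reporter), a minimal C version of the sysinfo() cross-check the warning comes from: /proc/<pid>/task is walked between two sysinfo() samples, and a moving info.procs means the attempt is retried rather than reported as a hidden process. Function names, the scan_result struct and the retry count are my own choices.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <sys/sysinfo.h>

enum { SCAN_OK = 0, SCAN_UNSTABLE = 1, SCAN_MISMATCH = 2 };
struct scan_result { long before, after, visible; };

/* Threads visible through /proc: one per /proc/<pid>/task/<tid> entry. This is the
 * number that sysinfo()'s info.procs (the kernel's nr_threads) should agree with. */
static long count_visible_threads(void)
{
    DIR *proc = opendir("/proc"), *task;
    struct dirent *pe, *te;
    char path[64];
    long threads = 0;
    if (!proc) return -1;
    while ((pe = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)pe->d_name[0])) continue;
        snprintf(path, sizeof path, "/proc/%s/task", pe->d_name);
        if (!(task = opendir(path))) continue;   /* process exited mid-walk */
        while ((te = readdir(task)) != NULL)
            if (isdigit((unsigned char)te->d_name[0])) threads++;
        closedir(task);
    }
    closedir(proc);
    return threads;
}

static long sysinfo_threads(void)
{
    struct sysinfo si;
    return sysinfo(&si) == 0 ? (long)si.procs : -1;
}

/* sysinfo() is sampled before and after the /proc walk. If the two samples differ,
 * processes were created or exited during the scan (the WARNING in the report), so the
 * attempt is retried; only a stable pair that disagrees with /proc is a finding. */
static int sysinfo_cross_check(int max_retries, struct scan_result *r)
{
    for (int attempt = 0; attempt < max_retries; attempt++) {
        r->before  = sysinfo_threads();
        r->visible = count_visible_threads();
        r->after   = sysinfo_threads();
        if (r->before < 0 || r->visible < 0 || r->after < 0) return SCAN_UNSTABLE;
        if (r->before == r->after)
            return r->visible == r->after ? SCAN_OK : SCAN_MISMATCH;
        fprintf(stderr, "WARNING: info.procs changed during test : %ld (was %ld)\n", r->after, r->before);
    }
    return SCAN_UNSTABLE;
}
```

info.procs is the kernel's global thread count and is not PID-namespace aware, so inside a container the /proc walk sees fewer threads and this check returns SCAN_MISMATCH without anything being hidden. On a busy host a short burst of process churn produces exactly the paired WARNING lines in the report and then a clean result on retry.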