Creating a process without listing in ps -aux

0 votes
366 views

I would like to know how a process can be hijacked, meaning creating a process without it being listed by the ps -aux command.

posted May 14, 2013 by anonymous

Sorry, I can't help you here. But I'm curious - for what use case (except a rootkit) would that feature be helpful?

4 Answers

+1 vote

On Linux I believe all the process management tools use the information in the /proc filesystem to show process information. You can think of ps, top, etc. as just convenient front-ends to /proc. The "proc" filesystem is itself just a view into the kernel process table and other kernel tables. Given this, you would have to hack the kernel code to create an "invisible" process.

answer May 14, 2013 by anonymous
+1 vote

You could name your process something that looks like a common process, like /bin/dash, which looks like /bin/bash. Mixed in with lots of processes, it becomes hard to spot just one different letter.

answer May 14, 2013 by anonymous
0 votes

Essentially, you'll need to modify the kernel. The 'usual' way is to load a module which modifies how the kernel populates /proc/pid such that when things (top, ps etc.) read that data they don't get the entry relating to your hidden process.

answer May 14, 2013 by anonymous
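The answers above describe the hiding mechanism (filtering what readdir on /proc returns). The flip side, for anyone checking a box for such a module, is that the kernel still answers kill(pid, 0) for a PID that exists, so PIDs that respond to a probe but never show up in the /proc listing are worth a look. The script below is an added example (not from this thread or any of its answers); it assumes Linux and a readable /proc/sys/kernel/pid_max, and it treats thread IDs listed under /proc/<pid>/task as accounted for, since they answer kill() too.

```python
#!/usr/bin/env python3
"""Cross-check the /proc directory listing against direct PID probes.

ps and top enumerate /proc with readdir; a module that filters that listing
hides a process from them. kill(pid, 0) still reports the PID as present
(EPERM instead of ESRCH when it belongs to another user), so a PID that
answers the probe but is missing from the listing is a discrepancy to examine.
"""
import os


def listed_tasks(proc="/proc"):
    """Return every PID and TID visible by enumerating /proc (what ps sees)."""
    seen = set()
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        seen.add(int(name))
        try:  # thread IDs also answer kill(), so count them as listed
            seen.update(int(t) for t in os.listdir(f"{proc}/{name}/task") if t.isdigit())
        except OSError:
            pass  # the process exited between readdir and this lookup
    return seen


def pid_exists(pid):
    """True if the kernel knows this PID, whether or not we may signal it."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def find_hidden_pids(listed, exists, max_pid):
    """PIDs that answer the probe but are absent from the listing (pure, testable)."""
    return sorted(p for p in range(1, max_pid + 1) if p not in listed and exists(p))


def scan(proc="/proc"):
    with open(f"{proc}/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    suspects = find_hidden_pids(listed_tasks(proc), pid_exists, max_pid)
    # Re-check against a fresh listing to drop processes that were simply
    # created between the first listing and the probe (a benign race).
    fresh = listed_tasks(proc)
    return [p for p in suspects if p not in fresh and pid_exists(p)]


if __name__ == "__main__":
    for pid in scan():
        print(f"PID {pid} exists but is not listed in /proc")
```

A clean host prints nothing; a hit is a discrepancy to investigate, not proof of a rootkit, since a PID namespace or a short-lived process can also explain it.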