Comments on: Quick way to find out if you “ps” has been compromised

By: Computing Tips

Computing Tips — Tue, 23 Jun 2009 12:53:25 +0000

I found your blog on google and read a few of your other posts. I just added you to my Google News Reader. Keep up the good work. Look forward to reading more from you in the future.

By: Andre

Andre — Mon, 27 Oct 2008 20:19:35 +0000

Did you really tried out the command?

ps outpus a header, which give us one more line.

My suggestion would be:

# ls -d /proc/[0-9]* | wc -l; ps -A h | wc -l

My results:
108
108

By: Frederico Boaventura

Frederico Boaventura — Mon, 27 Oct 2008 19:39:40 +0000

If you use linux colors, try changing the ls command to:

ls –color=none -d /proc/* | grep “[0-9]” | wc-l; ps aux |wc -l

This should fix the difference between the two commands.

By: andrelop

andrelop — Sun, 05 Oct 2008 19:32:32 +0000

@Patricia

Don’t be afraid Just try to find out what’s the culprit. Check my previous answers above and try to get more into details as to why your system is giving you these outputs.

And, as said numerous times before (you guys should read a “maybe” as a “maybe”, not as a “surely it’s like I wrote, no doubt about that”), it could be that it was just a false positive.

There’s no way for me to know what sort of things you guys are running on your systems (operating systems, kernels, softwares, versions, patches, etc) so, I for one would assume that I’m the only who knows more about my specific system/setup than a random Don Joe at the IntarWebs out there

Regards,

By: andrelop

andrelop — Sun, 05 Oct 2008 19:25:38 +0000

@Frederico

Well, the command line, exactly as I published it, worked fine on a lot of my personal systems, all of them based on Debian unstable (Linux kernel 2.6.26).

I don’t know if you’re using Debian or even Linux, but as virtually 100% of my readers are aware that I’m a Debian user myself, they should be advised that the command line runs fine on such a system.

BTW, the proposed command line you gave in your comment doesn’t work on any of my Debian unstable systems at all.

First, you have a “wc-l” when it should be “wc -l”. You are lacking a space after the “c” and before the minus signal.

But even fixing this, I still get the following :

andrelop@foolish:~$ ls -d1 /proc/* | grep “[0-9]” | wc -l; ps aux |wc -l
0
125
andrelop@foolish:~$

So, I think my original command line, when executed on a standard Debian unstable system as pointed previsouly, works fine.

Regards,

By: andrelop

andrelop — Sun, 05 Oct 2008 19:19:46 +0000

@dudus

As I said previously, this “may” mean your “ps” is compromised. It’s not a clear and indisputable sign that it is really compromised.

I’m not going to tell anyone that one should trust only this small trick to slap a “compromised” stick in one’s system.

You should try to find out which differences you have in these two outputs checking more closely at your /proc and comparing it to your “ps” output to try and find suspicious signs.

Also, checking your “ps” binary mdsum/sha1sum against a know good binary is surely a good thing to do.

By: Patricia

Patricia — Wed, 01 Oct 2008 00:50:38 +0000

I’m afraid… :/

By: Frederico

Frederico — Mon, 29 Sep 2008 13:29:32 +0000

There’s something wrong with this command.
I tried it and it game me completely strange results, then I debugged it to:

ls -d1 /proc/* | grep “[0-9]” | wc-l; ps aux |wc -l

This should be correct, ‘grep’ has to have quotes and ‘ls’ default is to show more than one command per line.

By: dudus

dudus — Mon, 29 Sep 2008 03:06:59 +0000

dudus@dudus-desktop:~$ ls -d /proc/* | grep [0-9] | wc -l ; ps aux | wc -l
185
133

Should I be worried? What do I do to fix that?