|
if we have one application for long time, how can we hide the process? avoid to be seen by 'ps aux '
Depends on what you can get access to. You could shred the binary while it's running (though that's not hiding, strictly speaking), you could hide it in plain sight changing argv[0] to read something already running like "httpd", or you could modify the syscall table or change system_call directly. Mind you, LQ is rather more "white hat" (if that still means anything to anyone) than "black hat". Strictly speaking any more "HOWTO" questions are not welcome. If you need more info you should do some research and go to another board for stuff like that.
how to discovery any potential hiding process in linux server?
Depends on how the box is hardened and what audit trails are in place/remain. Next to looking for "secondary evidence" from system and daemon logs, anomalies like setuid root binaries in accessable temp dirs you could have checking preloaded, compare syscall table, brute-force sigs, getdents comparison, execution analysis. I probably forgot some.
|
