Finding hidden processes with unhide
Working with Results
When running unhide, remember that the command is not always definitive. When you get positive results, confirm them by rerunning the tests and running additional ones, as well as by using some of the command options. Pay attention, too, to the tentative diagnosis the test gives, and check for an increase in traffic on the system. If the PID belongs to a legitimate process, a search may let you identify it.
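One way to carry out the confirmation step above is to save the output of several unhide runs and compare them: a PID that appears in every run deserves follow-up, while one that appears only once is often a short-lived process that vanished between unhide's checks. The script below is an added example written for this article, not code from unhide itself; it assumes that unhide reports each suspect on a line of the form `Found HIDDEN PID: <pid>` (an assumption about the output format), and the sample run outputs are constructed.

```python
"""Cross-check unhide results across repeated runs.

Added example, not part of the article or of the unhide project. Assumes
(assumption) that unhide prints one line per suspicious process of the form
"Found HIDDEN PID: <pid>", and that the investigator has saved the text of
each run.
"""
from __future__ import annotations

import os
import re
from collections import Counter
from typing import Optional

# Assumed output format of unhide for a hit (see note above).
HIDDEN_RE = re.compile(r"^Found HIDDEN PID:\s*(\d+)", re.MULTILINE)


def hidden_pids(output: str) -> set:
    """Return the set of PIDs that one unhide run reported as hidden."""
    return {int(m) for m in HIDDEN_RE.findall(output)}


def classify(runs: list) -> dict:
    """Split reported PIDs into 'persistent' (present in every run) and
    'transient' (present in only some runs).

    Transient hits are commonly processes that exited between unhide's
    checks; persistent hits are the ones worth the manual follow-up.
    """
    counts = Counter()
    for output in runs:
        counts.update(hidden_pids(output))
    persistent = {pid for pid, seen in counts.items() if seen == len(runs)}
    transient = set(counts) - persistent
    return {"persistent": persistent, "transient": transient}


def describe_pid(pid: int, proc_root: str = "/proc") -> Optional[str]:
    """Look up a PID's command line via /proc to help decide whether it is
    a legitimate process. Returns None when there is no /proc entry, which
    is consistent either with the process being gone or with it being hidden
    from the /proc view (the case unhide is designed to flag)."""
    path = os.path.join(proc_root, str(pid), "cmdline")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except OSError:
        return None
    text = raw.replace(b"\0", b" ").decode(errors="replace").strip()
    return text or "[pid %d: empty cmdline]" % pid


# Constructed sample output of three consecutive runs (not real unhide output).
RUN_1 = """[*] Scanning for hidden processes
Found HIDDEN PID: 4242
\tCmdline: "<none>"
Found HIDDEN PID: 5190
\tCmdline: "/usr/bin/sleep"
"""
RUN_2 = """[*] Scanning for hidden processes
Found HIDDEN PID: 4242
\tCmdline: "<none>"
"""
RUN_3 = """[*] Scanning for hidden processes
Found HIDDEN PID: 4242
\tCmdline: "<none>"
Found HIDDEN PID: 6001
\tCmdline: "/usr/bin/find"
"""


def summarize(runs: list) -> dict:
    """Classify the runs and attach a /proc description to each persistent PID."""
    result = classify(runs)
    result["details"] = {pid: describe_pid(pid) for pid in sorted(result["persistent"])}
    return result


if __name__ == "__main__":
    summary = summarize([RUN_1, RUN_2, RUN_3])
    print("transient (likely short-lived):", sorted(summary["transient"]))
    for pid, cmdline in summary["details"].items():
        print("persistent PID %d -> %s" % (pid, cmdline or "no /proc entry"))
```

Run it against the real saved outputs by replacing the constructed `RUN_*` strings with the contents of the files you captured; a persistent PID with no `/proc` entry is exactly the result that should push you toward the isolation and offline examination steps described below.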
If you conclude that a machine has been cracked, isolate it immediately. Do not attempt to examine possible intrusions directly from the running machine, because you will not get reliable results and will only waste your time. Instead, boot from a Live DVD to examine the compromised machine. Unfortunately, this is likely to be a slow process, involving long research sessions online. In the end, the fastest way to recover is to reinstall from a recent backup. Ultimately, unhide is an alert, not a solution – although an analysis of one compromised machine might help you prepare a new machine more rigorously.