Fresh Parrot Installs Shows Hidden Processes with Unhide

Gemini88 · July 14, 2021, 10:40am

On a fresh Parrot install I ran unhide and it showed multiple hidden processes for brute force against PIDS with fork and brute force against PIDS with pthread functions. Most of the process IDs are 6 or 7 character lengths. Is this possibly a false positive?

Parrot Sec 4.10 burned with dd.

UNHIDE OUTPUT:
Unhide 20130526
Copyright © 2013 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info

NOTE : This version of unhide is for systems using Linux >= 2.6

unhide-linux scan starting at: 10:40:46, 2021-07-09
Used options: verbose logtofile
[*]Searching for Hidden processes through /proc stat scanning

[*]Searching for Hidden processes through /proc chdir scanning

[*]Searching for Hidden processes through /proc opendir scanning

[*]Searching for Hidden thread through /proc/pid/task readdir scanning

[*]Searching for Hidden processes through getpriority() scanning

[*]Searching for Hidden processes through getpgid() scanning

[*]Searching for Hidden processes through getsid() scanning

[*]Searching for Hidden processes through sched_getaffinity() scanning

[*]Searching for Hidden processes through sched_getparam() scanning

[*]Searching for Hidden processes through sched_getscheduler() scanning

[*]Searching for Hidden processes through sched_rr_get_interval() scanning

[*]Searching for Hidden processes through kill(…,0) scanning

[*]Searching for Hidden processes through comparison of results of system calls

[*]Starting scanning using brute force against PIDS with fork()

Found HIDDEN PID: 296822
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 669551
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 1042320
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 1413966
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 1499720
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 1552997
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 1552998
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 1785550
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 2158577
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 2530568
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 2903140
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 3275022
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 3647418
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 3726256
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 4020587
Cmdline: “”
Executable: “”
" … maybe a transitory process"
[*]Starting scanning using brute force against PIDS with pthread functions

Found HIDDEN PID: 380972
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 758638
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 863552
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 863557
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 863754
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 1134718
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 1491582
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 1512525
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 1586343
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 1903527
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 2294718
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 2685953
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 3077595
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 3467944
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 3858466
Cmdline: “”
Executable: “”
" … maybe a transitory process"
Found HIDDEN PID: 3924603
Cmdline: “”
Executable: “”
" … maybe a transitory process"
[*]Searching for Fake processes by verifying that all threads seen by ps are also seen by others

[*]Searching for Hidden processes through comparison of results of system calls, proc, dir and ps

unhide-linux scan ending at: 10:47:18, 2021-07-09

aum · July 28, 2021, 5:51pm

Did you uninstall? What happened?

Gemini88 · July 29, 2021, 2:43am

No I didn’t uninstall. Still investgating the issue. I found an article that suggested running unhide brute -d, which is supposed to reduce potential false positives, and if I run it with the -d option it returns no results.

But I find it strange that a brand new install, with no applications running other than one terminal, would produce so many false positives for transitory processes.

I would be interested to know if anyone else gets the same results with unhide.

system · November 26, 2021, 2:43am

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.