Adam,
 
thanks more! I was only dimly aware of the 'lsof' command.
 
unfortunately:
 
% unhide sys
Unhide 20080519

does not report the pid numbers, nor does the man page indicate a command-line 'verbose' switch, nor does the unhide command generate a telltale /var/log summary:
 
% ls /var/log/*hi*.
ls: No such file or directory.
 
and the 'lsof -p' command requires a pid argument.
 
I am unfortunately in no position to write code to amend this state of affairs.
 
Cheers,
Max
 
 


From: Adam Spiers <bitfolk@adamspiers.org>
To: Max B <txtmax@yahoo.ca>
Cc: users@lists.bitfolk.com
Sent: Thu, December 16, 2010 11:58:34 AM
Subject: Re: [bitfolk] Exim remote root exploit

On 16 December 2010 11:56, Max B <txtmax@yahoo.ca> wrote:
> I ran 'unhide sys' five times with odd results: reports of two, one, two,
> zero and one 'HIDDEN PROCESSES found', which leads me to wonder whether
> 'unhide' reports mismatches but does not account well for the unix scheduler
> and the finite nature of time division.  (A process might be declared by
> unhide as 'hidden' when, in between two lines of 'unhide' code, the
> scheduler terminates a process.)  The 'unhide' man page is written at too
> high a level for this reader.  What does one do next in this case??

Try running lsof -p on the hidden process ids.
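Added example, not code from Max, Adam or the unhide project: a small shell script that performs the /proc-versus-ps comparison behind 'unhide sys', but prints the PIDs it flags and repeats the check so a process that merely exited between two listings (the scheduler race Max describes) is not reported as hidden. It assumes a Linux /proc filesystem and a procps-style `ps -e -o pid=`; the surviving PIDs are the ones to hand to `lsof -p`.

```shell
#!/bin/sh
# Added example, not from the thread: the /proc-versus-ps comparison behind
# 'unhide sys', reporting the PIDs it flags and repeating the check so a
# process that simply exited between two listings is not called "hidden".
# Assumes Linux /proc and a procps-style 'ps -e -o pid=' (assumption).

# Print each PID in the first list that is missing from the second list.
# Both arguments are whitespace-separated PID lists, so the function can be
# exercised on constructed input as well as on live snapshots.
hidden_pids() {
    ps_list=" $(printf ' %s ' $2) "   # pad so " <pid> " matches exactly
    for pid in $1; do
        case "$ps_list" in
            *" $pid "*) ;;                # ps knows it: not hidden
            *) printf '%s\n' "$pid" ;;    # in /proc but absent from ps
        esac
    done
}

# Live snapshots: numeric entries of /proc, and what ps is willing to show.
proc_pids() { ls /proc | grep -E '^[0-9]+$' | tr '\n' ' '; }
ps_pids()   { ps -e -o pid= | tr '\n' ' '; }

# Report a PID only if it stays hidden across every pass and still exists
# in /proc at the end; a short-lived process drops out on a later pass.
persistent_hidden() {
    passes=${1:-3}
    candidates=$(hidden_pids "$(proc_pids)" "$(ps_pids)")
    i=1
    while [ "$i" -lt "$passes" ] && [ -n "$candidates" ]; do
        sleep 1
        candidates=$(hidden_pids "$candidates" "$(ps_pids)")
        i=$((i + 1))
    done
    for pid in $candidates; do
        [ -d "/proc/$pid" ] && printf '%s\n' "$pid"
    done
}

# Usage: hand the survivors to lsof, which needs an explicit PID argument.
# for pid in $(persistent_hidden 3); do lsof -p "$pid"; done
```

A rootkit that filters both /proc and ps output evades this comparison, which is why unhide also uses other techniques; the script only makes the ps-based check name its results and tolerate the race.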