[CentOS] question about unhide / transitory process

Tue May 5 15:40:23 UTC 2015
Ulrich Hiller <hiller at mpia-hd.mpg.de>

Hello,

Running unhide ( unhide-20130526-1.el7.x86_64 ) on CentOS 7, I sometimes
get messages like:

Found HIDDEN PID: 30784
	Cmdline: "<none>"
	Executable: "<no link>"
	"<none>  ... maybe a transitory process"

On a second unhide run immediately after it, the process seems to have
vanished. Also, I do not see anything about it in /proc, and rkhunter
and chkrootkit do _not_ detect it.

How can I debug or do some further tests? I want to make sure that this
is a false positive and not a rootkit.


Thanks a lot in advance, ulrich