
Ask HN: Scan `ps ax` for malware - the_cat_kittles
is there a service that you can submit output of ps ax to, to look for suspicious processes?
======
pki
Is it not trivial to simply change the process name, one or two lines at most
in code? I'm trying to think about the logistics of running something like
this and unless the process name is something like ./sshbruteforce 293849 ..

~~~
kspaans
You would probably be better off with an artificial-ignorance[0] kind of
approach where you frequently measure what's running on your computer in order
to establish a baseline, and after that compare against the baseline to look
for outliers in terms of memory/cpu usage. You will also want to use other
tools to look at network and filesystem usage.

[0] http://www.ranum.com/security/computer_security/papers/ai/
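One way to implement the baseline-and-compare approach described in the comment above, as an added example that is not part of this thread: several `ps aux` snapshots taken while the host is believed clean are folded into a per-executable baseline of maximum CPU and memory share, and a later snapshot is checked for executables absent from the baseline or exceeding their maxima by more than a slack. The snapshots, the choice of the first COMMAND token as the key, and the slack values are constructed assumptions for the example.

```python
"""Artificial-ignorance check over `ps aux`-style output (added example).

Assumptions not taken from the thread: processes are keyed by the first token
of the COMMAND column, the baseline is the per-key maximum over several clean
snapshots, and an outlier is a key missing from the baseline or one whose
%CPU / %MEM exceeds the baseline maximum by more than a fixed slack.
"""
from typing import Dict, List, NamedTuple, Tuple


class Proc(NamedTuple):
    exe: str    # first token of COMMAND, used as the baseline key
    cpu: float  # %CPU column
    mem: float  # %MEM column


def parse_ps(text: str) -> List[Proc]:
    """Parse `ps aux` output: 11 columns, COMMAND (last) may contain spaces."""
    procs: List[Proc] = []
    for line in text.strip().splitlines():
        fields = line.split(None, 10)
        if len(fields) < 11 or fields[0] == "USER":
            continue  # header or truncated line
        procs.append(Proc(exe=fields[10].split()[0],
                          cpu=float(fields[2]), mem=float(fields[3])))
    return procs


def build_baseline(snapshots: List[str]) -> Dict[str, Tuple[float, float]]:
    """Per-executable (max %CPU, max %MEM) seen across all clean snapshots."""
    baseline: Dict[str, Tuple[float, float]] = {}
    for snap in snapshots:
        for p in parse_ps(snap):
            cpu, mem = baseline.get(p.exe, (0.0, 0.0))
            baseline[p.exe] = (max(cpu, p.cpu), max(mem, p.mem))
    return baseline


def find_outliers(snapshot: str, baseline: Dict[str, Tuple[float, float]],
                  cpu_slack: float = 5.0, mem_slack: float = 2.0) -> List[Tuple[str, str]]:
    """Return (exe, reason) for every process that does not fit the baseline."""
    findings: List[Tuple[str, str]] = []
    for p in parse_ps(snapshot):
        if p.exe not in baseline:
            findings.append((p.exe, "not seen in baseline"))
            continue
        base_cpu, base_mem = baseline[p.exe]
        if p.cpu > base_cpu + cpu_slack:
            findings.append((p.exe, f"cpu {p.cpu:.1f}% vs baseline max {base_cpu:.1f}%"))
        if p.mem > base_mem + mem_slack:
            findings.append((p.exe, f"mem {p.mem:.1f}% vs baseline max {base_mem:.1f}%"))
    return findings


# Constructed sample snapshots in `ps aux` layout (not captured from a real host).
BASELINE_SNAPSHOTS = ["""
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 225868  9216 ?        Ss   10:00   0:02 /sbin/init
root       612  0.1  0.3  72304 12288 ?        Ss   10:00   0:01 /usr/sbin/sshd -D
www-data   880  1.2  2.0 412000 81920 ?        S    10:00   0:20 /usr/sbin/nginx -g daemon on;
mysql      901  3.5  9.8 1200000 401408 ?      Sl   10:00   1:10 /usr/sbin/mysqld
""", """
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 225868  9216 ?        Ss   10:00   0:02 /sbin/init
root       612  0.1  0.3  72304 12288 ?        Ss   10:00   0:01 /usr/sbin/sshd -D
www-data   880  1.8  2.0 412000 81920 ?        S    10:00   0:25 /usr/sbin/nginx -g daemon on;
mysql      901  4.0  9.8 1200000 401408 ?      Sl   10:00   1:30 /usr/sbin/mysqld
"""]

CURRENT_SNAPSHOT = """
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 225868  9216 ?        Ss   10:00   0:02 /sbin/init
root       612  0.1  0.3  72304 12288 ?        Ss   10:00   0:01 /usr/sbin/sshd -D
www-data   880  1.5  2.1 412000 81920 ?        S    10:00   0:40 /usr/sbin/nginx -g daemon on;
mysql      901 45.0 10.2 1200000 417792 ?      Sl   10:00   9:10 /usr/sbin/mysqld
nobody    4711 98.0  0.5  18000  4096 ?        R    11:02   5:00 ./sshbruteforce 293849
"""


def demo() -> List[Tuple[str, str]]:
    """Compare the constructed current snapshot against the constructed baseline."""
    return find_outliers(CURRENT_SNAPSHOT, build_baseline(BASELINE_SNAPSHOTS))


if __name__ == "__main__":
    for exe, reason in demo():
        print(f"{exe}: {reason}")
```

Keying on the executable path means a process that renames itself to a path already in the baseline (the point raised earlier in the thread) is only caught if its CPU or memory share drifts, which is why the comment pairs this with network and filesystem checks rather than relying on `ps` alone.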

~~~
umaguma
The post from 1997 assumes /var/log is not vulnerable to tampering; assumes that
the syslogd or access to the socket or port it's writing to is not vulnerable
to compromise; and assumes that all significant programs write to a log.

The world is much more familiar with UNIX in 2015; I trust that today no one
would rely on /var/log.

My approach would be to look at periodic memory dumps and look for anomalies
there.

And not to rely on the integrity of utilities stored on the system that you are
analyzing.

