listp is a Perl script that polls the /proc directory and checks for new, unknown processes. For each process it takes the MD5 sum of the binary and the command line and compares them against a trusted list, so that a process which is not on the list is flagged as unknown.
The latest version uses opendir/readdir to reduce processing time and can now poll every 5 seconds, with a full check every 30. This shrinks the window an attacker has to run an unknown executable while keeping the performance hit low; a process that starts and exits between two polls can still be missed. When an unknown process is found, an alert box prompts you to add it to the trusted list, kill it, or ignore it for one cycle (30 seconds by default).

listp gives users a way to monitor the processes running on their Linux systems. It is not a foolproof security solution, but it offers more insight into what is running on your system, including potentially unwanted applications spawned from tainted websites, emails, etc. Detection assumes that an intruder does not have immediate root access and so cannot install a rootkit to hide their processes; for the same reason the trusted list itself must be writable only by root, since anyone who can edit it can simply whitelist their own binary. The MD5 sum is used to verify that a trusted application is the original and has not just been overwritten by an intruder. MD5 is no longer collision-resistant, so a new deployment would do better with SHA-256, but producing a second binary with the same MD5 as an existing one (a second preimage) is still not practical, so the check does catch a replaced binary.
listp also has a learning mode for the first run, to build the trusted list without a flood of prompts. To use it, pass the -l switch in addition to the -u switch. Remember that you will not be alerted while running in this mode, so only use it on a system you believe to be clean: everything running during the learning pass is trusted from then on.
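To make the checking and learning logic concrete, here is an added example in Python of the same /proc baseline check; it is not listp's own Perl code. The database format (one tab-separated "md5, exe, cmdline" record per line), the function names, and the permission check on the database are assumptions for this example, not details of listp.

```python
#!/usr/bin/env python3
"""Added example, not listp's code: a /proc process-baseline check.
A process is identified by (md5 of its executable, executable path,
command line); anything not in the trusted database is reported.
Assumed database format: one "md5<TAB>exe<TAB>cmdline" line per record."""
import hashlib
import os
import stat


def md5_file(path):
    """MD5 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_db_perms(db_path):
    """Refuse a trusted list that group/others can read or write: anyone who
    can edit the database can whitelist their own binary."""
    if os.stat(db_path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{db_path} must be mode 0600, owned by root")
    return True


def load_db(db_path):
    """Trusted records as a set of (md5, exe, cmdline) tuples."""
    trusted = set()
    with open(db_path, "r", encoding="utf-8") as f:
        for line in f:
            parts = line.rstrip("\n").split("\t", 2)
            if len(parts) == 3:
                trusted.add(tuple(parts))
    return trusted


def snapshot_proc(proc="/proc"):
    """(pid, exe, cmdline) for every PID directory under /proc. Entries that
    vanish mid-scan or have no exe link (kernel threads) are skipped."""
    procs = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc, name, "exe"))
            with open(os.path.join(proc, name, "cmdline"), "rb") as f:
                raw = f.read()
        except OSError:
            continue
        # cmdline is NUL-separated; render it as a single space-separated string
        cmdline = raw.rstrip(b"\0").replace(b"\0", b" ").decode("utf-8", "replace")
        procs.append((int(name), exe, cmdline))
    return procs


def find_unknown(procs, trusted):
    """Return (pid, exe, cmdline, md5) for every process not in the trusted
    set. An exe that cannot be hashed (e.g. "/tmp/x (deleted)") is reported
    with md5 None rather than silently passed: a process running from a
    deleted binary is exactly what a dropped-and-unlinked payload looks like."""
    unknown = []
    for pid, exe, cmdline in procs:
        try:
            digest = md5_file(exe)
        except OSError:
            digest = None
        if (digest, exe, cmdline) not in trusted:
            unknown.append((pid, exe, cmdline, digest))
    return unknown


def learn(procs, db_path):
    """Learning mode: append every current (hashable) process to the trusted
    list without prompting. Returns the number of new records written."""
    trusted = load_db(db_path)
    added = 0
    with open(db_path, "a", encoding="utf-8") as f:
        for _pid, exe, cmdline in procs:
            try:
                rec = (md5_file(exe), exe, cmdline)
            except OSError:
                continue
            if rec not in trusted:
                f.write("\t".join(rec) + "\n")
                trusted.add(rec)
                added += 1
    return added


if __name__ == "__main__":
    import sys
    db = sys.argv[1] if len(sys.argv) > 1 else "listp.db"
    check_db_perms(db)
    for pid, exe, cmdline, digest in find_unknown(snapshot_proc(), load_db(db)):
        print(f"UNKNOWN pid={pid} md5={digest} exe={exe} cmdline={cmdline}")
```

Run it as root against a database created with mode 0600 and it prints one line per process that is not in the trusted list; a cycle of `learn(snapshot_proc(), db)` first is the equivalent of listp's -l pass. The check on the database's permissions is the point a practitioner should not skip: the baseline is only as trustworthy as the file it lives in.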
Requirements:
- Perl
- MD5 module for Perl
- kdialog (KDE component) for alerting
Installation:
- Copy listp.pl to a safe directory
- Create an empty file called listp.db in that directory and lock down permissions so only root can read/write to it
- Run listp.pl as root with -u YourUserName