Copy pasted from http://ubuntuforums.org/archive/index.php/t-796192.html for
personal archive
If the processes are truly hidden, then yes it's probably something you
should worry about. But it's possible that you've got a false positive
situation.
When rkhunter tells you that there are hidden processes, try to cd to the
/proc/<pid> directory for the process (where <pid> is one of the
process ID numbers output by rkhunter). If you can't cd into the directory,
then the process isn't really hidden, it was just in the middle of exiting when
the rkhunter check ran and rkhunter was confused and you probably have nothing
to worry about.
If you do manage to cd into the /proc/<pid> directory, then it's
likely you have a problem. Interesting things to do once you're in the
/proc/<pid> directory include:
1) "cat cmdline" should give you the name the process is running under
2) "sudo cat environ | perl -pe 's/\000/\n/g'" gets you the environment
variable settings for the process
3) "sudo ls -l fd" shows you what files the process currently has open
4) "sudo ls -l cwd" shows you the current working directory of the process
(which could be interesting if the process was started by the attacker from
their rootkit installation directory)
There's plenty of other cool stuff you can do with the various bits of
information under /proc, but the above should be enough to help you figure out
what the process(es) are doing and how much trouble you're in.