netstat – lifeLinux: Linux Tips, Hacks, Tutorials, Ebooks https://lifelinux.com All About Linux ! Fri, 30 Dec 2011 02:18:12 +0000 en-US hourly 1 https://wordpress.org/?v=5.5.3 How Do I Find Hidden Processes and Ports ? https://lifelinux.com/how-do-i-find-hidden-processes-and-ports/ https://lifelinux.com/how-do-i-find-hidden-processes-and-ports/#respond Fri, 30 Dec 2011 02:09:03 +0000 http://www.lifelinux.com/?p=1274 Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique. Unhide (ps) Detecting hidden processes. Implements six techniques Compare /proc vs /bin/ps output  Compare info gathered from /bin/ps with info gathered by walking thru the procfs. Compare info gathered from /bin/ps with info gathered […]

The post How Do I Find Hidden Processes and Ports ? appeared first on lifeLinux: Linux Tips, Hacks, Tutorials, Ebooks.

]]>

Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique.
Unhide (ps)
Detecting hidden processes. Implements six techniques

  • Compare /proc vs /bin/ps output
  •  Compare info gathered from /bin/ps with info gathered by walking thru the procfs.
  • Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
  • Full PIDs space occupation (PIDs bruteforcing)
  • Reverse search, verify that all thread seen by ps are also seen by the kernel ( /bin/ps output vs /proc, procfs walking and syscall )
  • Quick compare /proc, procfs walking and syscall vs /bin/ps output.

Unhide-TCP
Identify TCP/UDP ports that are listening but not listed in /bin/netstat doing brute forcing of all TCP/UDP ports availables.

How do I install unhide

To install Unhide under CentOS/RedHat, login as root and type the following command

# yum install unhide

Sample outputs

Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package unhide.x86_64 0:0.0.20080519-1.el5.rf set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch          Version                      Repository       Size
================================================================================
Installing:
 unhide        x86_64        0.0.20080519-1.el5.rf        rpmforge        528 k

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 528 k
Is this ok [y/N]: y
Downloading Packages:
unhide-0.0.20080519-1.el5.rf.x86_64.rpm                  | 528 kB     00:02
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : unhide                                                   1/1

Installed:
  unhide.x86_64 0:0.0.20080519-1.el5.rf

Complete!

How do I use this tool

You can use it as follows:

# unhide proc | sys | brute

Example, type the following command to find hidden proc

# unhide proc
Unhide 20080519
yjesus@security-projects.com
[*]Searching for Hidden processes through /proc scanning

Example, type the following command to find the hidden TCP/UDP ports

# unhide-tcp

Sample outputs

Unhide 20080519
yjesus@security-projects.com
Starting TCP checking
Starting UDP checking

No found hidden ports using the unhide-tcp command.

The post How Do I Find Hidden Processes and Ports ? appeared first on lifeLinux: Linux Tips, Hacks, Tutorials, Ebooks.

]]> https://lifelinux.com/how-do-i-find-hidden-processes-and-ports/feed/ 0