How Do I Find Hidden Processes and Ports ?

by lifeLinux on December 30, 2011

Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique.
Unhide (ps)
Detecting hidden processes. Implements six techniques

  • Compare /proc vs /bin/ps output
  • ┬áCompare info gathered from /bin/ps with info gathered by walking thru the procfs.
  • Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
  • Full PIDs space occupation (PIDs bruteforcing)
  • Reverse search, verify that all thread seen by ps are also seen by the kernel ( /bin/ps output vs /proc, procfs walking and syscall )
  • Quick compare /proc, procfs walking and syscall vs /bin/ps output.

Unhide-TCP
Identify TCP/UDP ports that are listening but not listed in /bin/netstat doing brute forcing of all TCP/UDP ports availables.

How do I install unhide

To install Unhide under CentOS/RedHat, login as root and type the following command

# yum install unhide

Sample outputs

Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package unhide.x86_64 0:0.0.20080519-1.el5.rf set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch          Version                      Repository       Size
================================================================================
Installing:
 unhide        x86_64        0.0.20080519-1.el5.rf        rpmforge        528 k

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 528 k
Is this ok [y/N]: y
Downloading Packages:
unhide-0.0.20080519-1.el5.rf.x86_64.rpm                  | 528 kB     00:02
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : unhide                                                   1/1

Installed:
  unhide.x86_64 0:0.0.20080519-1.el5.rf

Complete!

How do I use this tool

You can use it as follows:

# unhide proc | sys | brute

Example, type the following command to find hidden proc

# unhide proc
Unhide 20080519
yjesus@security-projects.com
[*]Searching for Hidden processes through /proc scanning

Example, type the following command to find the hidden TCP/UDP ports

# unhide-tcp

Sample outputs

Unhide 20080519
yjesus@security-projects.com
Starting TCP checking
Starting UDP checking

No found hidden ports using the unhide-tcp command.

Related Posts:

Previous post:

Next post: