Wednesday, November 30, 2011

Find Hidden Processes and Ports - Linux / Unix / Windows

Quick Tip: Find Hidden Processes and Ports [ Linux / Unix / Windows ]

by Vivek Gite on November 24, 2011

Unhide is a handy little forensic tool that finds processes and TCP/UDP ports hidden by rootkits, LKMs or other hiding techniques. It works under both Linux / Unix and MS-Windows operating systems. From the man page:

It detects hidden processes using three techniques:

  1. The proc technique consists of comparing /proc with the output of /bin/ps.
  2. The sys technique consists of comparing information gathered from /bin/ps with information gathered from system calls.
  3. The brute technique consists of brute-forcing all process IDs. This technique is only available on Linux 2.6 kernels.

Most rootkits use the power of the kernel to hide themselves, so they are only visible from within the kernel. You can use unhide, or a tool such as rkhunter, to scan for rootkits, backdoors and possible local exploits.
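As an added example (not part of the nixCraft post and not unhide's own source), the following Python script carries out the sys and brute checks listed above: it asks the kernel about every PID with kill(pid, 0), compares the answers with what readdir() returns for /proc (the view ps relies on), and filters out thread IDs, which answer kill() but are never listed in /proc, by reading /proc/<tid>/status.

```python
import os

def kernel_sees_pid(pid):
    # kill(pid, 0) sends nothing: ESRCH = no such PID; success or EPERM = it exists
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True

def proc_visible_pids():
    # What ps sees: the numeric names readdir() returns for /proc
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def is_thread(pid):
    # Thread IDs answer kill(tid, 0) but readdir(/proc) omits them; /proc/<tid>/status
    # still exists with Tgid != Pid.  An unreadable status is treated as a process so a
    # PID whose /proc entry a rootkit removed is not skipped.
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False

def find_hidden(kernel_pids, visible_pids):
    # Pure comparison: PIDs the kernel answered for but /proc does not list
    return sorted(set(kernel_pids) - set(visible_pids))

def scan(start=2, stop=None):
    # Brute-force the PID space the way unhide-linux26 brute does; returns hidden PIDs
    if stop is None:
        with open("/proc/sys/kernel/pid_max") as f:
            stop = int(f.read())
    visible = proc_visible_pids()
    alive = [p for p in range(start, stop) if kernel_sees_pid(p)]
    candidates = find_hidden(alive, visible | proc_visible_pids())  # ignore PIDs born mid-scan
    # Re-probe so PIDs that exited mid-scan, and thread IDs, are not false positives
    return [p for p in candidates if kernel_sees_pid(p) and not is_thread(p)]

def self_check():
    # The running process is kernel-visible and /proc-listed, so it must not be reported
    me = os.getpid()
    return kernel_sees_pid(me) and not is_thread(me) and find_hidden([me], proc_visible_pids()) == []
```

Run scan() as root on a Linux host; each PID it returns exists according to the kernel but is missing from /proc, which is what unhide reports as a hidden process.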

How do I Install Unhide?

It is recommended that you run this tool from read-only media. To install the same under Debian or Ubuntu Linux, enter:
# apt-get install unhide
Sample outputs:

Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
rkhunter
The following NEW packages will be installed:
unhide
0 upgraded, 1 newly installed, 0 to remove and 6 not upgraded.
Need to get 822 kB of archives.
After this operation, 1,872 kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org/debian/ squeeze/main unhide amd64 20100201-1 [822 kB]
Fetched 822 kB in 5s (162 kB/s)
Selecting previously deselected package unhide.
(Reading database ... 166644 files and directories currently installed.)
Unpacking unhide (from .../unhide_20100201-1_amd64.deb) ...
Processing triggers for man-db ...
Setting up unhide (20100201-1) ...

FreeBSD: Install unhide

Type the following command to install the same using the port, enter:
# cd /usr/ports/security/unhide/
# make install clean

OR, you can install the same using the binary package, enter:
# pkg_add -r unhide
unhide-tcp is a forensic tool that identifies TCP/UDP ports that are listening but are not listed in /bin/netstat, by brute forcing all available TCP/UDP ports.

How Do I Use This Tool?

You can use it as follows:
# unhide-posix proc
# unhide-posix sys

OR
# unhide-linux26 proc
# unhide-linux26 sys
# unhide-linux26 brute

Sample outputs:

Unhide 20100201
http://www.security-projects.com/?Unhide
[*]Searching for Hidden processes through kill(..,0) scanning
[*]Searching for Hidden processes through comparison of results of system calls
[*]Searching for Hidden processes through getpriority() scanning
[*]Searching for Hidden processes through getpgid() scanning
[*]Searching for Hidden processes through getsid() scanning
[*]Searching for Hidden processes through sched_getaffinity() scanning
[*]Searching for Hidden processes through sched_getparam() scanning
[*]Searching for Hidden processes through sched_getscheduler() scanning
[*]Searching for Hidden processes through sched_rr_get_interval() scanning
[*]Searching for Hidden processes through sysinfo() scanning
HIDDEN Processes Found: 1

# unhide-tcp
Sample outputs:
Unhide 20100201
http://www.security-projects.com/?Unhide
Starting TCP checking
Starting UDP checking

However, I found something interesting:
# unhide-tcp
Sample outputs:

Unhide 20100201
http://www.security-projects.com/?Unhide
Starting TCP checking
Found Hidden port that not appears in netstat: 1048
Found Hidden port that not appears in netstat: 1049
Found Hidden port that not appears in netstat: 1050
Starting UDP checking

Neither netstat -tulpn nor ss showed anything for the hidden TCP ports 1048, 1049 and 1050:
# netstat -tulpn | grep 1048
# ss -lp
# ss -l | grep 1048
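The following Python script, an added example rather than unhide-tcp's own code, applies the same idea to the discrepancy above: netstat and ss both read /proc/net/tcp, so it parses that file for the ports they would show, then asks the kernel directly by attempting a bind() on every TCP port (EADDRINUSE means the port is held). A port that refuses bind() but is absent from /proc/net/tcp is reported; the SAMPLE_PROC_NET_TCP excerpt is constructed for illustration.

```python
import errno
import socket
from pathlib import Path
# Constructed /proc/net/tcp excerpt: a LISTEN socket on port 22 and a client socket on 1048
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0418 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1
"""
def parse_local_ports(text):
    # Local ports in every state: ESTABLISHED and TIME_WAIT ports refuse bind() too
    ports = set()
    for line in text.splitlines()[1:]:                  # skip the header row
        fields = line.split()
        if len(fields) > 3:
            ports.add(int(fields[1].split(":")[1], 16))  # local_address is HEXIP:HEXPORT
    return ports

def visible_ports():
    # What netstat and ss read; tcp6 covers [::]:port listeners, which block IPv4 binds too
    paths = [Path("/proc/net/tcp"), Path("/proc/net/tcp6")]
    return set().union(*(parse_local_ports(p.read_text()) for p in paths if p.exists()))

def port_in_use(port, host="127.0.0.1"):
    # bind() without SO_REUSEADDR asks the kernel directly; EACCES (< 1024, not root) = unknown
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return False
        except OSError as e:
            if e.errno in (errno.EADDRINUSE, errno.EACCES):
                return e.errno == errno.EADDRINUSE
            raise

def find_hidden_ports(in_use, visible):
    return sorted(set(in_use) - set(visible))

def scan(start=1, stop=65536):
    # Sweep every port like unhide-tcp; re-read /proc so services started mid-sweep are not reported
    visible = visible_ports()
    in_use = [p for p in range(start, stop) if port_in_use(p)]
    return find_hidden_ports(in_use, visible | visible_ports())

def live_self_check():
    # Hold a loopback listener: the probe must see it and /proc must list it, so it is not hidden
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as held:
        held.bind(("127.0.0.1", 0))
        held.listen(1)
        port = held.getsockname()[1]
        return port_in_use(port) and find_hidden_ports([port], visible_ports()) == []
```

Run scan() as root so ports below 1024 can be probed; binding 127.0.0.1 misses sockets bound only to another interface address, and a UDP sweep follows the same pattern with SOCK_DGRAM.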

See also:

  1. Unhide project.


Culled from nixCraft

Tuesday, November 29, 2011

Daybreak Afrika Technologies Facebook Fan Update

Cool Websites

Cool Websites and Tools

Check out some of the latest MakeUseOf discoveries. Most of the listed websites are FREE or come with a decent free account option. If you want to have similar cool website round-ups delivered to your daily email

PowerInbox – Facebook users usually get an email from the social network each time they receive a wall post, comment, or any other type of notification. To view this notification you have to click on a link in the email that opens in a new tab. Here to save you from those extra click and new browser tabs is a web service called PowerInbox. Read more: PowerInbox: Use Social Networks From Email


Smozzy – One of the major reasons people purchase smartphones is to browse the Internet. But increasing costs of data plans that phone carriers charge discourage smartphone owners from Internet browsing. Here to offer a workaround is an Android app called Smozzy. Instead of making you browse directly through your phone’s browser, the app lets you send your URL to it as an SMS. Read more: Smozzy: Browse The Web Without The Data Plan [Android 2.1+]


Dropboxdiff – TextDiff programs let you compare texts and resolve any conflicts between them. They are most helpful while comparing and resolving multiple versions of the same file. In case your file versions are stored on your Dropbox account, you would normally first need to download them and then send them to your textDiff program. But an extension called Dropboxdiff does this for you in a single step. Read more: Dropboxdiff: Easily Compare File Versions On Dropbox


Ensemble gets some juju!

The project with working title Ensemble, will make its first release under the name juju as part of Ubuntu 11.10’s Universe collection of packages. We will have a series of planned 11.10 Stable Release Updates for juju throughout the push to 12.04 LTS, which will mark the first enterprise release of the product.
Juju is the word for “magic” in the same African languages from which the term Ubuntu comes. Formulas will become charms (such magic is conducted with charms) and Principia will become the Charm Collection.

Why the name change?

While we liked the sophistication and refinement that went along with the name “Ensemble”, we were struggling to find a cohesive link between the tool itself, “formulas” for deployment, and “Principia” (the shared collection of formulas we want to grow a community around). All three were great names by themselves, but when combined didn’t connect well as a whole. First we considered going for a more music focused theme, with formulas becoming “collaborations” “chords” or “sheets” for example. However, given there’s already the Ubuntu Orchestra project, we felt like we might be taking the music theme too far, plus we were already having confusion around the two because of the name similarities. So we decided to go with something that had a bit of excitement and “punch” to it, that could also represent the same fun we’ve found folks having when using our project. We figured it should represent the complexities and mystery that often surround those skilled in the DevOps field, and be something that played on the same “u” sound and etymology as Ubuntu. Thus, “juju” was born!

When will the change happen?

Immediately! We’ve already created juju.ubuntu.com, with a redirect from ensemble.ubuntu.com in place. We also have the irc channel #juju reserved on freenode, and will soon rename the mailing list to juju@lists.ubuntu.com. Over the next week, we’ll update documentation, the associated Launchpad projects and teams, the code itself, and update the packages in Oneiric. Everything will be done and ready for testing in the Ubuntu 11.10 Beta 2 release. We’ll follow that up with updating the charms and will make new cloud.ubuntu.com related screencasts where feasible. For the record nothing else is changing, but the naming…the code and formulas will behave the same.
If you run into any problems or have any questions, please send them to me or post to ensemble@lists.ubuntu.com.
Thanks!

Robbie Williamson <robbie@ubuntu.com>
On behalf of the juju development team

Culled from Ubuntu Cloud Portal