How to Find a Hidden Process and Port in Linux Operating System
There are a number of tools that can be used to check for processes and ports hidden by rootkits, LKMs and similar techniques. In this tutorial a tool named UNHIDE will be used for this purpose.
Unhide is used to find processes and TCP/UDP ports that have been hidden by rootkits, LKMs or some other hiding technique. The tool works on both Linux/Unix and MS Windows operating systems.
It detects hidden processes by using three techniques:
- The proc technique compares the contents of /proc with the output of /bin/ps.
- The sys technique compares information gathered from /bin/ps with information gathered from system calls.
- The brute technique brute-forces all process IDs. This technique is only available on Linux 2.6 kernels.
Most rootkits use the power of the kernel to hide themselves, so they are only visible from within the kernel. You can use unhide or a tool such as rkhunter to scan for rootkits, backdoors and possible local exploits.
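To make the proc and brute techniques concrete, here is a small Python re-implementation of those two checks. It is an added example written for this tutorial, not unhide's own code: it lists PIDs from /proc, lists PIDs from ps (assuming a ps that accepts `-eo pid=`), and then asks the kernel about every PID with kill(pid, 0). The function names are the example's own, and the thread-ID filter assumes the Linux /proc/<pid>/status layout.

```python
#!/usr/bin/env python3
"""Minimal re-implementation of unhide's "proc" and "brute" process checks.

Added example for this tutorial, not unhide's own code. It shows what the
tool actually compares: the PID list from /proc, the PID list from ps, and
the PIDs that answer kill(pid, 0) even though no listing mentions them.
"""
import os
import subprocess


def proc_pids():
    """PIDs that appear as numeric entries when /proc is read with readdir()."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def parse_ps_pids(ps_output):
    """Turn the output of `ps -eo pid=` (one PID per line, no header) into a set."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def ps_pids():
    """PIDs as reported by the ps binary (which itself reads /proc)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return parse_ps_pids(out)


def pid_exists(pid):
    """kill(pid, 0) delivers no signal but still reports whether PID exists.

    EPERM means the process exists but belongs to another user; ESRCH means
    there is no such process. The kernel answers directly, so a rootkit that
    only filters /proc directory listings cannot hide from this call.
    """
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def brute_pids(lo, hi):
    """Ask the kernel about every PID in [lo, hi], like unhide's brute scan."""
    return {pid for pid in range(lo, hi + 1) if pid_exists(pid)}


def pid_max():
    """Upper bound of the PID space on this host (fallback: the classic 32768)."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except (OSError, ValueError):
        return 32768


def hidden_pids(visible, found):
    """PIDs a lower-level method found that a higher-level listing omits."""
    return set(found) - set(visible)


def is_thread_id(pid):
    """True if PID is a non-leader thread: /proc/<tid>/status can be opened
    (it is merely not listed by readdir) and its Tgid differs from the TID.
    Thread IDs answer kill(tid, 0) too, so without this filter every
    multithreaded program would look like a rootkit."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False
    return False


def self_pid():
    return os.getpid()


def main():
    proc, ps = proc_pids(), ps_pids()
    # Processes that exit between the two listings show up here as noise.
    print("proc technique, in /proc but not in ps:", sorted(hidden_pids(ps, proc)))
    # Scan twice and keep only PIDs seen both times, to drop short-lived
    # processes that were born or died in the middle of a scan.
    brute = brute_pids(1, pid_max()) & brute_pids(1, pid_max())
    suspects = [p for p in hidden_pids(proc, brute) if not is_thread_id(p)]
    print("brute technique, answer kill() but absent from /proc:", sorted(suspects))


if __name__ == "__main__":
    main()
```

Run it as root so that EPERM does not mask anything (as an unprivileged user every foreign PID still answers, just with EPERM, so the check works but is noisier). A PID that survives both the double scan and the thread filter, yet has no /proc entry, is exactly what unhide reports as a HIDDEN process.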
Install UNHIDE
If you are using Ubuntu / Debian Linux you can install it with the command below:
# apt-get install unhide
If you are using FreeBSD / Unix you can install it from the ports tree with the commands below:
# cd /usr/ports/security/unhide
# make install clean
How to use UNHIDE
unhide-tcp is a tool that identifies TCP/UDP ports that are listening but are not listed in /bin/netstat through brute forcing of all TCP/UDP ports available.
Run the hidden-process checks as follows:
# unhide-posix proc
# unhide-posix sys
OR
# unhide-linux26 proc
# unhide-linux26 sys
# unhide-linux26 brute
Sample outputs:
Unhide 20100201
http://www.security-projects.com/?Unhide
[*]Searching for Hidden processes through kill(..,0) scanning
[*]Searching for Hidden processes through comparison of results of system calls
[*]Searching for Hidden processes through getpriority() scanning
[*]Searching for Hidden processes through getpgid() scanning
[*]Searching for Hidden processes through getsid() scanning
[*]Searching for Hidden processes through sched_getaffinity() scanning
[*]Searching for Hidden processes through sched_getparam() scanning
[*]Searching for Hidden processes through sched_getscheduler() scanning
[*]Searching for Hidden processes through sched_rr_get_interval() scanning
[*]Searching for Hidden processes through sysinfo() scanning
HIDDEN Processes Found: 1
If that finds something interesting, check the ports as well:
# unhide-tcp
Sample outputs:
Unhide 20100201
http://www.security-projects.com/?Unhide
Starting TCP checking
Found Hidden port that not appears in netstat: 1048
Found Hidden port that not appears in netstat: 1049
Found Hidden port that not appears in netstat: 1050
Starting UDP checking
The netstat -tulpn and ss commands displayed nothing about the hidden TCP ports 1048, 1049 and 1050:
# netstat -tulpn | grep 1048
# ss -lp
# ss -l | grep 1048
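The reason netstat and ss both stay silent is that they build their listing from /proc/net/tcp, so anything that filters that file hides a listener from both. unhide-tcp sidesteps the listing by probing every port. The following Python script, an added example written for this tutorial and not unhide's own code, does the same for IPv4 TCP: it parses the kernel's listing, connects to every port on loopback, and reports ports that accept a connection but are absent from the listing. The /proc/net/tcp sample embedded in it is constructed (it includes port 1048 from the output above), and the helper names are the example's own.

```python
#!/usr/bin/env python3
"""Port-level counterpart of unhide-tcp, added as an example for this
tutorial (not unhide's own code).

netstat and ss read /proc/net/tcp, so a rootkit that filters that file
hides a listener from both. Probing every port with a real connect() asks
the TCP stack instead; a port that accepts a connection but is missing from
/proc/net/tcp is reported, which is what unhide-tcp does.
"""
import socket

# Constructed sample in /proc/net/tcp format: a listener on 22 (0x0016), one
# established connection on 8080 (0x1F90, state 01, must be ignored) and a
# listener on 1048 (0x0418), the first port from the tutorial's output.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18023 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:C8A2 01 00000000:00000000 00:00000000 00000000  1000        0 20111 1 0000000000000000 20 4 30 10 -1
   2: 00000000:0418 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20555 1 0000000000000000 100 0 0 10 0
"""

LISTEN = "0A"  # TCP state code used in /proc/net/tcp for listening sockets


def parse_listening_ports(text):
    """Local ports in LISTEN state from /proc/net/tcp-formatted text."""
    ports = set()
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        ports.add(int(fields[1].split(":")[1], 16))   # "addr:port", hex port
    return ports


def listed_listening_ports(path="/proc/net/tcp"):
    """What netstat/ss would show for IPv4 TCP on this host."""
    with open(path) as f:
        return parse_listening_ports(f.read())


def port_accepts_connections(port, host="127.0.0.1", timeout=0.2):
    """Ask the TCP stack directly: does anything accept a connection on port?

    Connection refused means nothing listens there. A timeout or other
    socket error is treated as 'not listening' here; a cautious operator
    would log those separately instead of silently dropping them.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:          # ConnectionRefusedError and timeouts included
            return False
        return True


def brute_force_ports(lo=1, hi=65535):
    """Probe every port in [lo, hi]; refusals on loopback come back instantly."""
    return {p for p in range(lo, hi + 1) if port_accepts_connections(p)}


def hidden_ports(listed, probed):
    """Ports that accept connections but are absent from the kernel's listing."""
    return set(probed) - set(listed)


def demo_probe_on_temp_listener():
    """Open a throw-away listener on an ephemeral loopback port, probe it while
    open and again after closing it. Returns (port, open_result, closed_result)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = port_accepts_connections(port)
    srv.close()
    after_close = port_accepts_connections(port)
    return port, while_open, after_close


def main():
    listed = listed_listening_ports()
    probed = brute_force_ports()
    for port in sorted(hidden_ports(listed, probed)):
        print(f"Found Hidden port that does not appear in /proc/net/tcp: {port}")
    print("constructed sample parses to:", sorted(parse_listening_ports(SAMPLE_PROC_NET_TCP)))


if __name__ == "__main__":
    main()
```

Two limits of this approach are worth knowing before trusting a clean result: a listener bound only to a non-loopback address will not answer a connection to 127.0.0.1, and IPv6 listeners live in /proc/net/tcp6, so a thorough check probes each local address and parses both files. UDP has no connect handshake, which is why unhide-tcp's UDP pass is a separate bind-based check.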
This entry was posted by faisal on January 7, 2012 and is filed under Ubuntu.