Nytro Posted November 25, 2011

Quick Tip: Find Hidden Processes and Ports [ Linux / Unix / Windows ]
by VIVEK GITE on NOVEMBER 24, 2011

Unhide is a handy little forensic tool to find processes and TCP/UDP ports hidden by rootkits / LKMs or by another hiding technique. This tool works under both Linux / Unix and MS-Windows operating systems. From the man page:

It detects hidden processes using three techniques:

- The proc technique consists of comparing /proc with the output of /bin/ps.
- The sys technique consists of comparing information gathered from /bin/ps with information gathered from system calls.
- The brute technique consists of brute-forcing all process IDs. This technique is only available on Linux 2.6 kernels.

Most rootkits use the power of the kernel to hide themselves; they are only visible from within the kernel. You can use unhide or tools such as rkhunter to scan for rootkits, backdoors and possible local exploits.

How do I Install Unhide?

It is recommended that you run this tool from read-only media. To install it under Debian or Ubuntu Linux, enter:

# apt-get install unhide

Sample outputs:

Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  rkhunter
The following NEW packages will be installed:
  unhide
0 upgraded, 1 newly installed, 0 to remove and 6 not upgraded.
Need to get 822 kB of archives.
After this operation, 1,872 kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org/debian/ squeeze/main unhide amd64 20100201-1 [822 kB]
Fetched 822 kB in 5s (162 kB/s)
Selecting previously deselected package unhide.
(Reading database ... 166644 files and directories currently installed.)
Unpacking unhide (from .../unhide_20100201-1_amd64.deb) ...
Processing triggers for man-db ...
Setting up unhide (20100201-1) ...

FreeBSD: Install unhide

To install it from the port, type the following commands:

# cd /usr/ports/security/unhide/
# make install clean

OR, to install it from the binary package, enter:

# pkg_add -r unhide

unhide-tcp is a forensic tool that identifies TCP/UDP ports that are listening but are not listed in /bin/netstat, by brute-forcing all available TCP/UDP ports.

How Do I Use This Tool?

You can use it as follows:

# unhide-posix proc
# unhide-posix sys

OR

# unhide-linux26 proc
# unhide-linux26 sys
# unhide-linux26 brute

Sample outputs:

Unhide 20100201
http://www.security-projects.com/?Unhide
[*]Searching for Hidden processes through kill(..,0) scanning
[*]Searching for Hidden processes through comparison of results of system calls
[*]Searching for Hidden processes through getpriority() scanning
[*]Searching for Hidden processes through getpgid() scanning
[*]Searching for Hidden processes through getsid() scanning
[*]Searching for Hidden processes through sched_getaffinity() scanning
[*]Searching for Hidden processes through sched_getparam() scanning
[*]Searching for Hidden processes through sched_getscheduler() scanning
[*]Searching for Hidden processes through sched_rr_get_interval() scanning
[*]Searching for Hidden processes through sysinfo() scanning
HIDDEN Processes Found: 1

(Fig.01: 1 hidden process found using the unhide-linux26 sys command)

# unhide-tcp

Sample outputs:

Unhide 20100201
http://www.security-projects.com/?Unhide
Starting TCP checking
Starting UDP checking

However, I found something interesting:

# unhide-tcp

Sample outputs:

Unhide 20100201
http://www.security-projects.com/?Unhide
Starting TCP checking
Found Hidden port that not appears in netstat: 1048
Found Hidden port that not appears in netstat: 1049
Found Hidden port that not appears in netstat: 1050
Starting UDP checking

The netstat -tulpn or ss commands displayed nothing about the hidden TCP ports 1048, 1049, and 1050:

# netstat -tulpn | grep 1048
# ss -lp
# ss -l | grep 1048

See also: Unhide project.

Source: Quick Tip: Find Hidden Processes and Ports [ Linux / Unix / Windows ]
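To make the three comparisons concrete, here is a small Python re-implementation of the checks the post describes: the proc technique (compare /proc with ps), the brute technique (ask the kernel about every PID with kill(pid, 0)) and the port probe unhide-tcp performs (try to bind every port and compare with what ss reports). This is an added example for readers, not code from the post, from Vivek Gite or from the unhide project; the function names, the PID_MAX default and the sample ps/ss text are this example's own assumptions.

```python
"""Added example (not from the post or the unhide project): the proc, brute and
port-probe checks that unhide / unhide-tcp perform, written out in Python.
Only the live_* functions and self_probe() touch the running system; the
parsing and set logic work on text so they can be exercised with sample data."""
import errno
import os
import re
import socket
import subprocess
from typing import Iterable, Set

PID_MAX = 32768  # assumption: a common default; read /proc/sys/kernel/pid_max on a real host


def pids_from_proc() -> Set[int]:
    """The PID directories /proc exposes (what a rootkit hooking readdir filters out)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps_output(text: str) -> Set[int]:
    """Parse the PID column of 'ps -e -o pid' style output; header tokens are skipped."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def pids_from_ps() -> Set[int]:
    out = subprocess.run(["ps", "-e", "-o", "pid"], capture_output=True, text=True, check=True)
    return pids_from_ps_output(out.stdout)


def pid_exists(pid: int) -> bool:
    """kill(pid, 0) delivers no signal; it only asks the kernel whether the PID exists.
    EPERM means it exists but belongs to another user, so that also counts as present."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def hidden_pids(kernel_view: Iterable[int], tool_view: Iterable[int],
                ignore: Iterable[int] = ()) -> Set[int]:
    """PIDs the kernel admits exist but the user-land tool does not list."""
    return set(kernel_view) - set(tool_view) - set(ignore)


def live_hidden_pids(pid_max: int = PID_MAX) -> Set[int]:
    """proc + brute techniques against the running system, with one re-check so a
    process that merely exited between the probe and the ps run is not reported."""
    probed = {pid for pid in range(1, pid_max + 1) if pid_exists(pid)}
    candidates = hidden_pids(probed | pids_from_proc(), pids_from_ps(), ignore={os.getpid()})
    still_listed = pids_from_ps()
    return {pid for pid in candidates if pid_exists(pid) and pid not in still_listed}


def listening_ports_from_ss_output(text: str) -> Set[int]:
    """Local ports from 'ss -ltn' / 'ss -lun' lines such as
    'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' or 'UNCONN 0 0 [::]:53 [::]:*'."""
    ports = set()
    for line in text.splitlines():
        m = re.search(r"\S+:(\d+)\s+\S+:\*", line)  # local addr:port followed by peer addr:*
        if m:
            ports.add(int(m.group(1)))
    return ports


def port_in_use(port: int, proto: str = "tcp", host: str = "0.0.0.0") -> bool:
    """Try to bind the port ourselves: EADDRINUSE means some socket already holds it,
    whatever netstat/ss claim. Other bind errors (e.g. EACCES when not root) propagate."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            raise
    return False


def hidden_ports(bound: Iterable[int], reported: Iterable[int]) -> Set[int]:
    """Ports that refused our bind but that the reporting tool never listed."""
    return set(bound) - set(reported)


def live_hidden_ports(proto: str = "tcp") -> Set[int]:
    """unhide-tcp style sweep of all ports on the running system (run as root)."""
    flag = "-ltn" if proto == "tcp" else "-lun"
    ss = subprocess.run(["ss", flag], capture_output=True, text=True, check=True)
    bound = {p for p in range(1, 65536) if port_in_use(p, proto)}
    return hidden_ports(bound, listening_ports_from_ss_output(ss.stdout))


def self_probe() -> bool:
    """Sanity check: our own PID must be visible to kill(), and a listener we open
    on loopback must be detected by port_in_use() even before any tool reports it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return pid_exists(os.getpid()) and port_in_use(port, "tcp", "127.0.0.1")


# Constructed sample data (not captured from a real host) to show the set logic.
SAMPLE_PS = "  PID\n    1\n  412\n  999\n"
SAMPLE_PROC = {1, 412, 999, 1337}
SAMPLE_SS = ("State  Recv-Q Send-Q Local Address:Port  Peer Address:Port\n"
             "LISTEN 0      128    0.0.0.0:22          0.0.0.0:*\n"
             "LISTEN 0      511    [::]:80             [::]:*\n"
             "UNCONN 0      0      127.0.0.1:323       0.0.0.0:*\n")

if __name__ == "__main__":
    print("hidden PIDs (sample):", hidden_pids(SAMPLE_PROC, pids_from_ps_output(SAMPLE_PS)))
    print("hidden ports (sample):", hidden_ports({22, 80, 323, 1048}, listening_ports_from_ss_output(SAMPLE_SS)))
    print("self probe ok:", self_probe())
```

Running it with the constructed samples reports PID 1337 and port 1048 as hidden, which is exactly the shape of the findings in the post. On a live host the brute sweep is slow (one syscall per PID, one bind per port) and a PID that shows up once must be re-checked, because ps's own short-lived child and any process that exits mid-sweep look hidden for an instant; the re-check in live_hidden_pids is there for that reason.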
aelius Posted November 25, 2011

Good post. You can also use lsof or sockstat instead of netstat.