Unhide – The opensource forensic tool
Unhide features
// Unhide (ps)
Detects hidden processes. Implements six techniques:
Compare /proc vs /bin/ps output
Compare info gathered from /bin/ps with info gathered by walking through the procfs.
Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
Full PIDs space occupation (PIDs bruteforcing)
Reverse search: verify that all threads seen by ps are also seen by the kernel (/bin/ps output vs /proc, procfs walking and syscalls).
Quick comparison of /proc, procfs walking and syscall results vs /bin/ps output.
// Unhide-TCP
Identifies TCP/UDP ports that are listening but not listed by /bin/netstat, by brute-forcing all available TCP/UDP ports.
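The core of the "PIDs bruteforcing" and syscall-scanning techniques listed above, as an added illustration (this is not Unhide's own code): every PID in a range is probed with kill(pid, 0), and any PID the kernel answers for but which has no /proc entry is reported. The PID range 1..65535 in main() is an assumption; the real ceiling is in /proc/sys/kernel/pid_max. A second probe before reporting drops processes that simply exited mid-scan, the usual source of false positives.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* kill(pid, 0) delivers no signal. 0 or EPERM means the kernel knows the PID
 * (threads answer as well as processes); ESRCH means no such task exists. */
static int syscall_sees_pid(pid_t pid)
{
    return kill(pid, 0) == 0 || errno == EPERM;
}

/* stat() rather than readdir(): /proc/<tid> of a thread is reachable but not
 * listed, so this avoids flagging every thread as "hidden". Caveat: a procfs
 * mounted with hidepid=2 hides other users' entries from an unprivileged
 * caller, which would look like hidden processes here. */
static int procfs_sees_pid(pid_t pid)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    return stat(path, &st) == 0;
}

/* Brute-force the PID range lo..hi. A PID the kernel answers for but that has
 * no /proc entry is a candidate; re-probe before reporting so a process that
 * exited between the two checks is not counted. Returns the number flagged. */
static int scan_hidden(pid_t lo, pid_t hi)
{
    int hidden = 0;
    for (pid_t pid = lo; pid <= hi; pid++) {
        if (syscall_sees_pid(pid) && !procfs_sees_pid(pid) && syscall_sees_pid(pid)) {
            printf("HIDDEN candidate: pid %d (kernel knows it, /proc does not)\n", (int)pid);
            hidden++;
        }
    }
    return hidden;
}

int main(void)
{
    int n = scan_hidden(1, 65535); /* assumed range, see /proc/sys/kernel/pid_max */
    if (n)
        printf("HIDDEN Processes Found: %d\n", n);
    else
        puts("No hidden processes found");
    return n != 0;
}
```

Run it a few times, as the comments below suggest: a PID that is flagged on every run is worth investigating, one that appears once is almost always a short-lived process.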
Install unhide in ubuntu
Open the terminal and run the following command:
sudo apt-get install unhide
Using unhide command
Run the unhide tool by typing the following commands from your terminal:
sudo unhide-posix proc
sudo unhide-posix sys
Or, if you are on a Linux 2.6 kernel system, run the following commands from your terminal:
sudo unhide-linux26 proc
sudo unhide-linux26 sys
sudo unhide-linux26 brute
The unhide tool will then scan for hidden processes, walking every /proc directory and running each of its checks in turn; each check is printed as it runs. If hidden processes are found, you will be given a message:
HIDDEN Processes Found: (#)
Here # is the number of hidden processes found on the system. If no hidden processes were found, the output reads: No hidden processes found.
The unhide tool can also help you find hidden ports that netstat would normally not show. You can locate these by typing:
sudo unhide-tcp
I don’t want to sound ungrateful, but in which way, after using that command, am I less confused than before? Using it turned up a lot of (seemingly) “good” processes plus some that give next to no clue about their true nature, so of what use is that command exactly?
Hi Stephan, as author of Unhide, I will try to explain what Unhide is and what it is for.
Unhide is a forensic tool designed to find traces of rootkit presence, which can be hiding processes or network sockets.
Unhide validates the information gathered via /bin/ps. It shows you if this information is good or has been manipulated. It takes information from /bin/ps and tries to find the same results using other ways, like system calls or digging in /proc/.
Unhide-tcp does the same with the netstat command, comparing against bind() function results.
If you have many results, probably you are getting false positives, as is possible in some circumstances. This could happen, for example, if a short-execution-time process exists in your system at that moment.
Send me an email with your details and I will try to investigate the issue.
Regards,
Stephan, run it multiple times. If the same process number(s) keep turning up, you have a problem. If they don’t, the processes flagged are most likely legitimate ones that simply terminated before unhide was able to process them.
Odds will be real high that ‘unhide-tcp’ will turn up hidden control ports for the malware infesting your system.
I keep running unhide and getting this result. It will not show me a PID. Am I missing something? I would think I was paranoid, but I was the recent victim of a data breach. Any help you could give me would be appreciated.
brian@ubuntu:~$ sudo unhide sys
[sudo] password for brian:
Unhide 20110113
http://www.unhide-forensics.info
[*]Searching for Hidden processes through getpriority() scanning
[*]Searching for Hidden processes through getpgid() scanning
[*]Searching for Hidden processes through getsid() scanning
[*]Searching for Hidden processes through sched_getaffinity() scanning
[*]Searching for Hidden processes through sched_getparam() scanning
[*]Searching for Hidden processes through sched_getscheduler() scanning
[*]Searching for Hidden processes through sched_rr_get_interval() scanning
[*]Searching for Hidden processes through kill(..,0) scanning
[*]Searching for Hidden processes through comparison of results of system calls
[*]Searching for Hidden processes through sysinfo() scanning
HIDDEN Processes Found: 1 sysinfo.procs = 369 ps_count = 371
There is a bug in some kernels (apparently from Debian / Ubuntu) that shows a false positive in the sysinfo test; try with -r, which works around this bug.
So, if you only have this, probably there is nothing to worry about (at least regarding hidden PIDs).
I get the same result on my Linux Mint Debian Edition system. The -r switch does not change my results. Should I worry about a malware?
user@tebhi ~/Desktop $ sudo unhide-linux26 sys -r
Unhide 20110113
http://www.unhide-forensics.info
[*]Searching for Hidden processes through getpriority() scanning
[*]Searching for Hidden processes through getpgid() scanning
[*]Searching for Hidden processes through getsid() scanning
[*]Searching for Hidden processes through sched_getaffinity() scanning
[*]Searching for Hidden processes through sched_getparam() scanning
[*]Searching for Hidden processes through sched_getscheduler() scanning
[*]Searching for Hidden processes through sched_rr_get_interval() scanning
[*]Searching for Hidden processes through kill(..,0) scanning
[*]Searching for Hidden processes through comparison of results of system calls
[*]Searching for Hidden processes through sysinfo() scanning
HIDDEN Processes Found: 1 sysinfo.procs = 461 ps_count = 463