Unhide – The opensource forensic tool

Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits / LKMs or by another hiding technique.

Unhide features

// Unhide (ps)

Detecting hidden processes. Implements six techniques

Compare /proc vs /bin/ps output
Compare info gathered from /bin/ps with info gathered by walking through procfs.
Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
Full PID space occupation (PID brute-forcing)
Reverse search: verify that all threads seen by ps are also seen by the kernel (/bin/ps output vs /proc, procfs walking and syscalls)
Quick compare of /proc, procfs walking and syscalls vs /bin/ps output.

// Unhide-TCP

Identify TCP/UDP ports that are listening but not listed in /bin/netstat by brute forcing all available TCP/UDP ports.

Install unhide in Ubuntu

Open the terminal and run the following command

sudo apt-get install unhide

Using unhide command

Using the unhide tool can be done by typing in the following command from your terminal

sudo unhide-posix proc
sudo unhide-posix sys

Or, if you are on a Linux 2.6 kernel system run the following commands from your terminal

sudo unhide-linux26 proc
sudo unhide-linux26 sys
sudo unhide-linux26 brute

The unhide tool will begin to scan the kernel in every directory looking for any hidden processes. Each directory will be listed as the tool scans. If processes are found, you will be given a message:

HIDDEN Processes Found: (#)

The # will display how many processes were found on the system. If no hidden processes were found, the output will read, No hidden processes found.

The unhide tool can also help you find hidden ports that you would normally not find in netstat output. You can locate these by typing in:

sudo unhide-tcp


6 thoughts on “Unhide – The opensource forensic tool”

  1. I don’t want to sound ungrateful, but in which way would after using that command I am more confused than before. Using it turned up a lot of (seemingly) “good” processes plus some that give next to no clue about their true nature, so of what use is that command exactly?

  2. Hi Stephan, as author of Unhide, I will try to explain what Unhide is
    and what it is for.

    Unhide is a forensic tool designed to find traces of rootkit presence
    which can be hiding processes or network sockets.

    Unhide validates the information gathered via /bin/ps. It shows you if
    this information is good or has been manipulated. It takes
    information from /bin/ps and tries to find the same results using
    other ways like system calls or digging in /proc/

    Unhide-tcp does the same with the netstat command, comparing against bind()
    function results.

    If you have many results, you are probably getting false positives, as
    is possible in some circumstances. This could happen, for example,
    if a short-lived process exists on your system at that moment.

    Send me an email with your details and I will try to investigate the
    issue.

    Regards,

    Brian B Reply:

    I keep running unhide and getting this result. It will not show me a PID; am I missing something? I would think I was paranoid, but I was the recent victim of a data breach. Any help you could give me would be appreciated.

    brian@ubuntu:~$ sudo unhide sys
    [sudo] password for brian:
    Unhide 20110113
    http://www.unhide-forensics.info
    [*]Searching for Hidden processes through getpriority() scanning

    [*]Searching for Hidden processes through getpgid() scanning

    [*]Searching for Hidden processes through getsid() scanning

    [*]Searching for Hidden processes through sched_getaffinity() scanning

    [*]Searching for Hidden processes through sched_getparam() scanning

    [*]Searching for Hidden processes through sched_getscheduler() scanning

    [*]Searching for Hidden processes through sched_rr_get_interval() scanning

    [*]Searching for Hidden processes through kill(..,0) scanning

    [*]Searching for Hidden processes through comparison of results of system calls

    [*]Searching for Hidden processes through sysinfo() scanning

    HIDDEN Processes Found: 1 sysinfo.procs = 369 ps_count = 371

    Yago Jesus Reply:

    There is a bug in some kernels (apparently, from Debian / Ubuntu) that shows a false positive in the sysinfo test; try with -r, which fixes this bug.

    So, if you only have this, there is probably nothing to worry about (at least hidden PIDs).

    J.G. Reply:

    I get the same result on my Linux Mint Debian Edition system. The -r switch does not change my results. Should I worry about malware?

    user@tebhi ~/Desktop $ sudo unhide-linux26 sys -r
    Unhide 20110113
    http://www.unhide-forensics.info
    [*]Searching for Hidden processes through getpriority() scanning

    [*]Searching for Hidden processes through getpgid() scanning

    [*]Searching for Hidden processes through getsid() scanning

    [*]Searching for Hidden processes through sched_getaffinity() scanning

    [*]Searching for Hidden processes through sched_getparam() scanning

    [*]Searching for Hidden processes through sched_getscheduler() scanning

    [*]Searching for Hidden processes through sched_rr_get_interval() scanning

    [*]Searching for Hidden processes through kill(..,0) scanning

    [*]Searching for Hidden processes through comparison of results of system calls

    [*]Searching for Hidden processes through sysinfo() scanning

    HIDDEN Processes Found: 1 sysinfo.procs = 461 ps_count = 463

  3. Stephan, run it multiple times. If the same process number(s) keep turning up, you have a problem. If they don’t, the processes flagged are most likely legitimate ones that simply terminated before unhide was able to process them.

    Odds will be real high that ‘unhide-tcp’ will turn up hidden control ports for the malware infesting your system.
