Unhide is a small forensics tool that finds processes and TCP/UDP ports hidden by rootkits, loadable kernel modules (LKMs) and similar techniques. It runs on Linux, Unix-like systems, MS Windows and other operating systems. According to its man page:
Unhide discovers hidden processes through the following three techniques:
Process-related techniques, such as comparing the contents of the /proc directory with the output of the /bin/ps command.
System-related techniques, such as comparing the output of the /bin/ps command with information obtained from system calls.
A brute-force technique, which brute-forces all process IDs. This is limited to systems based on the Linux 2.6 kernel.
Most rootkits and other malware hide processes inside the kernel, so the hidden processes are visible only from the kernel's own point of view. You can use unhide, or tools such as rkhunter, to scan for rootkits, backdoors and some local vulnerabilities that may be present on the system.
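The three comparisons described above, as an added Python illustration that is not unhide's own code: it gathers the PID set from /proc, from /bin/ps and from a kill(pid, 0) probe of every PID, then reports any PID that one view knows about and another does not. The function names are hypothetical, and it assumes a Linux system with /proc mounted and ps available; the comparison step itself is a pure function so it can be exercised on constructed sets.

```python
import os
import subprocess

# Added illustration of the comparisons unhide performs; this is not unhide's
# own code, and all function names here are hypothetical.

IN_PROC_NOT_PS = "in /proc but not in ps"
PROBE_NOT_PROC = "answers kill(pid, 0) but absent from /proc"
PROBE_NOT_PS = "answers kill(pid, 0) but absent from ps"


def parse_ps_pids(ps_output):
    """Turn the output of `ps -eo pid=` into a set of integer PIDs."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def pids_from_ps():
    """Process-related view: what /bin/ps reports (assumes procps-style ps)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return parse_ps_pids(out)


def pids_from_proc():
    """Process-related view: the numeric directory entries of /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def tids_from_proc():
    """Thread IDs listed under /proc/<pid>/task. kill(tid, 0) succeeds for an
    ordinary thread, so threads must be excluded or they become false positives."""
    tids = set()
    for pid in pids_from_proc():
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task") if t.isdigit())
        except OSError:  # the process exited between the two listings
            continue
    return tids


def probe_pids(pids):
    """Brute technique: ask the kernel about each PID with kill(pid, 0).
    EPERM (PermissionError) still means the PID exists; ESRCH means it does not."""
    found = set()
    for pid in pids:
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def hidden_pids(proc_pids, ps_pids, probed_pids, ignore=frozenset()):
    """Pure comparison step: map each suspicious PID to the checks it failed."""
    report = {}
    for pid in sorted(proc_pids | probed_pids):
        if pid in ignore:
            continue
        reasons = []
        if pid in proc_pids and pid not in ps_pids:
            reasons.append(IN_PROC_NOT_PS)
        if pid in probed_pids and pid not in proc_pids:
            reasons.append(PROBE_NOT_PROC)
        if pid in probed_pids and pid not in ps_pids:
            reasons.append(PROBE_NOT_PS)
        if reasons:
            report[pid] = reasons
    return report


def scan(max_pid=None):
    """Collect the three views, then re-check the candidates once so that
    processes that simply exited during the scan are not reported."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    proc = pids_from_proc()
    threads = tids_from_proc() - proc          # non-leader threads only
    first = hidden_pids(proc, pids_from_ps(), probe_pids(range(1, max_pid + 1)),
                        ignore=threads)
    # Second pass over the candidates only: a PID still inconsistent on a fresh
    # comparison is a real finding, one that vanished was a short-lived process.
    again = hidden_pids(pids_from_proc(), pids_from_ps(), probe_pids(first),
                        ignore=threads)
    return {pid: reasons for pid, reasons in again.items() if pid in first}


if __name__ == "__main__":
    for pid, reasons in scan().items():
        print(f"PID {pid}: " + "; ".join(reasons))
```

Run it as root so that kill(pid, 0) is answered for every process; the two-pass structure and the thread exclusion are the parts that matter in practice, since both short-lived processes and threads otherwise appear as "hidden" in the kill-probe view.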
This article describes how to install unhide and search for hidden processes and TCP/UDP ports.
How to install unhide
First, it is recommended that you run this tool from read-only media. On Ubuntu or Debian, install unhide with the following apt-get/apt command:
$ sudo apt-get install unhide
If all goes well, your command line will output the following:
[sudo] password for vivek:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  rkhunter
The following NEW packages will be installed:
  unhide
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 46.6 kB of archives.
After this operation, 136 kB of additional disk space will be used.
Get:1 http://in.archive.ubuntu.com/ubuntu artful/universe amd64 unhide amd64 20130526-1 [46.6 kB]
Fetched 46.6 kB in 0s (49.0 kB/s)
Selecting previously unselected package unhide.
(Reading database ... 205367 files and directories currently installed.)
Preparing to unpack .../unhide_20130526-1_amd64.deb ...
Unpacking unhide (20130526-1) ...
Setting up unhide (20130526-1) ...
Processing triggers for man-db (2.7.6.1-2) ...
How to install unhide on RHEL/CentOS/Oracle/Scientific/Fedora
Enter the following yum command (on CentOS/RHEL 6.x or 7.x, enable the EPEL repository first):
$ sudo yum install unhide
On Fedora, use the following dnf command:
$ sudo dnf install unhide
How to install unhide on Arch
Type the following pacman command to install:
$ sudo pacman -S unhide
How to install unhide on FreeBSD
You can install unhide from the ports tree with the following commands:
# cd /usr/ports/security/unhide/
# make install clean
Or you can install the prebuilt binary package with the pkg command:
# pkg install unhide
How to use the unhide tool?
The syntax of unhide is:
unhide [options] test_list
The test_list argument is one or more of the following standard tests:
brute
proc
procall
procfs
quick
reverse
sys
or one or more of the following elementary tests:
checkbrute
checkchdir
checkgetaffinity
checkgetparam
checkgetpgid
checkgetprio
checkRRgetinterval
checkgetsched
checkgetsid
checkkill
checknoprocps
checkopendir
checkproc
checkquick
checkreaddir
checkreverse
checksysinfo
checksysinfo2
checksysinfo3
For example, run unhide with one of the following test lists:
# unhide proc
# unhide sys
# unhide quick
Sample output:
Unhide 20130526
Copyright © 2013 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://
NOTE : This version of unhide is for systems using Linux >= 2.6
Used options:
[*]Searching for Hidden processes through comparison of results of system calls, proc, dir and ps
How to use the unhide-tcp tool to find hidden TCP/UDP ports
The man page describes it as follows:
The unhide-tcp forensics tool identifies TCP/UDP ports that are listening but are not listed by the /bin/netstat or /bin/ss command, by brute-forcing all available TCP/UDP ports.
Note 1: On FreeBSD and OpenBSD, the netstat command is used in place of iproute2, which does not exist on those operating systems, and the sockstat command is used in place of fuser.
Note 2: If the operating system does not provide the iproute2 command, add the -n or -s option when running unhide-tcp.
# unhide-tcp
Sample output:
Unhide 20100201
Http://?Unhide
Starting TCP checking
Starting UDP checking
In the run above, no hidden ports were found.
In the example below, however, the output is more interesting.
# unhide-tcp
Sample output:
Unhide 20100201
Http://?Unhide
Starting TCP checking
Found Hidden port that not appears in netstat: 1048
Found Hidden port that not appears in netstat: 1049
Found Hidden port that not appears in netstat: 1050
Starting UDP checking
Notice that neither netstat -tulpn nor ss shows these three hidden ports:
# netstat -tulpn | grep 1048
# ss -lp
# ss -l | grep 1048
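The brute-force check behind unhide-tcp, as an added Python illustration that is not unhide's own code: it parses the socket list that ss reports, then tries to bind every port itself; a port the kernel refuses with EADDRINUSE but which ss never listed is reported as hidden. The ss output embedded below is constructed sample data, the function names are hypothetical, and the probe assumes Linux bind semantics (a wildcard bind conflicts with any existing socket on that port).

```python
import errno
import socket

# Added illustration of the unhide-tcp approach; not unhide's own code.
# Function names are hypothetical and the ss output below is constructed.

SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511             [::]:80           [::]:*
"""


def parse_ss_listening(ss_output):
    """Ports that `ss -antu` (or the constructed sample above) reports per protocol."""
    listed = {"tcp": set(), "udp": set()}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in listed:
            continue  # header line or a socket type we do not check
        port = fields[4].rsplit(":", 1)[-1]  # handles 0.0.0.0:22, *:22 and [::]:80
        if port.isdigit():
            listed[fields[0]].add(int(port))
    return listed


def port_in_use(port, proto):
    """Bind probe: True if the kernel refuses the port as already taken,
    False if the bind succeeds, None if we lack privilege to tell
    (EACCES on ports below 1024 when not running as root)."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    s = socket.socket(socket.AF_INET, kind)
    try:
        s.bind(("0.0.0.0", port))
        return False
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True
        if e.errno == errno.EACCES:
            return None
        raise
    finally:
        s.close()


def find_hidden_ports(listed, probe=port_in_use, ports=range(1, 65536)):
    """Brute-force every port: taken according to the kernel but absent from
    the ss/netstat listing means the socket is being hidden from userland."""
    hidden = {"tcp": [], "udp": []}
    for proto in hidden:
        for port in ports:
            if port in listed[proto]:
                continue
            if probe(port, proto) is True:
                hidden[proto].append(port)
    return hidden


def occupy_port(proto="tcp"):
    """Experiment helper: open a socket on a random free loopback port and
    return (socket, port) so the probe can be checked against a known socket."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    s = socket.socket(socket.AF_INET, kind)
    s.bind(("127.0.0.1", 0))
    if proto == "tcp":
        s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["ss", "-antu"], capture_output=True, text=True,
                         check=True).stdout
    for proto, ports in find_hidden_ports(parse_ss_listening(out)).items():
        for port in ports:
            print(f"Found Hidden port that not appears in ss: {proto}/{port}")
```

The listing is taken with ss -antu rather than only the listening sockets because the local port of an established outbound connection also fails the bind probe; comparing against the listening set alone would report every such connection as a hidden port. Run it as root so that privileged ports return a definite answer instead of None.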
Learn more about unhide with the man command described below:
$ man unhide
$ man unhide-tcp