unhide - Tool to find hidden processes and TCP/UDP ports from rootkits
| Website: | http://www.unhide-forensics.info/ |
|---|---|
| License: | GPLv3 |
| Vendor: | Unixadm.org |
- Description:
Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits, Linux kernel modules or other techniques. It includes two utilities: unhide and unhide-tcp.

Unhide detects hidden processes using six techniques:
- compare /proc vs /bin/ps output
- compare info gathered from /bin/ps with info gathered by walking through the procfs
- compare info gathered from /bin/ps with info gathered from syscalls
- full PID-space occupation (PID bruteforcing)
- compare /bin/ps output vs /proc, procfs walking and syscalls
- quick compare of /proc, procfs walking and syscalls vs /bin/ps output

Unhide-TCP identifies TCP/UDP ports that are listening but not listed by /sbin/ss or /bin/netstat using two methods:
- brute force of all available TCP/UDP ports and compare with ss/netstat output
- probe of all TCP/UDP ports not reported by netstat
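The cross-view idea behind both utilities, as an added Python example that is not unhide's or unhide-tcp's own code: each fact (a live PID, a bound port) is collected through independent kernel interfaces, and any disagreement between views is reported. The `ss` column layout, the `/proc/sys/kernel/pid_max` path, and `ps`/`ss` being on PATH are assumptions about a Linux host, noted where used.

```python
#!/usr/bin/env python3
"""Added example, not unhide's own code: the procfs / ps / syscall / PID-bruteforce
views of the process list, and the ss / bind-probe views of the port table.
A rootkit that hooks only one interface leaves a gap between views."""
import errno
import os
import socket
import subprocess

def pids_from_procfs():
    """Process view 1: numeric entries of /proc (the readdir path ps relies on)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def tids_from_procfs(pids):
    """Thread IDs under /proc/<pid>/task; kill(tid, 0) succeeds for these too,
    so they must not be reported as hidden processes."""
    tids = set()
    for pid in pids:
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:
            pass  # process exited while we walked the tree
    return tids

def pids_from_ps():
    """Process view 2: /bin/ps, the userland view a library rootkit can filter."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def pid_alive_by_syscall(pid):
    """Process view 3: kill(pid, 0) delivers nothing but makes the kernel say
    whether the PID exists. EPERM means it exists and belongs to someone else."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True

def pids_by_bruteforce():
    """Full PID-space occupation: probe 1..pid_max (assumed Linux sysctl path)."""
    with open("/proc/sys/kernel/pid_max") as f:
        limit = int(f.read())
    return {pid for pid in range(1, limit + 1) if pid_alive_by_syscall(pid)}

def hidden_pids(procfs, ps, syscall, tids):
    """Pure comparison: a PID the kernel confirms but /proc or ps omits is hidden.
    Threads are excluded. Callers should re-probe candidates once more to drop
    short-lived processes that died between two views (a race, not a rootkit)."""
    return {
        "missing_from_procfs": sorted(syscall - procfs - tids),
        "missing_from_ps": sorted((procfs | (syscall - tids)) - ps),
    }

def parse_ss_local_ports(text):
    """Port numbers from `ss -H -a -n` output; assumes the local address is the
    4th column ('State Recv-Q Send-Q Local:Port Peer:Port')."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and ":" in fields[3]:
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def ports_from_ss(proto):
    """Port view 1: every TCP or UDP socket ss is willing to show."""
    flag = "-t" if proto == "tcp" else "-u"
    out = subprocess.run(["ss", "-H", "-a", "-n", flag], capture_output=True, text=True, check=True).stdout
    return parse_ss_local_ports(out)

def ports_by_bind_probe(proto, port_range=range(1, 65536)):
    """Port view 2: try to bind each port without SO_REUSEADDR. EADDRINUSE means
    the kernel already holds a socket there (listener, connection or TIME_WAIT),
    whatever ss claims. EACCES below port 1024 means run this as root."""
    sock_type = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    used = set()
    for port in port_range:
        s = socket.socket(socket.AF_INET, sock_type)
        try:
            s.bind(("0.0.0.0", port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                used.add(port)
        finally:
            s.close()
    return used

def hidden_ports(bind_view, ss_view):
    """Ports the kernel refuses to hand out but ss does not list."""
    return sorted(bind_view - ss_view)

if __name__ == "__main__":
    procfs = pids_from_procfs()
    report = hidden_pids(procfs, pids_from_ps(), pids_by_bruteforce(), tids_from_procfs(procfs))
    print("hidden processes:", report)
    for proto in ("tcp", "udp"):
        print(f"hidden {proto} ports:", hidden_ports(ports_by_bind_probe(proto), ports_from_ss(proto)))
```

Run it as root so the bind probe covers privileged ports; a full pass probes pid_max PIDs plus 65535 ports per protocol, so expect it to take a while. Any PID it flags should be probed again a moment later before being treated as hidden, since a process that exited between two collections produces the same gap.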
Packages
unhide-1.0-9.el8.20121229-x86_64 [473 KiB]
Changelog
by Philippe Kueck (2013-01-16):
- new upstream version (beta)
Package contents
[f] /usr/share/man/man8/unhide.8.gz
[f] /usr/share/man/man8/unhide-tcp.8.gz
[f] /usr/share/doc/unhide/README.txt
[f] /usr/share/doc/unhide/NEWS
[f] /usr/share/doc/unhide/LISEZ-MOI.TXT
[f] /usr/share/doc/unhide/LEEME.txt
[f] /usr/share/doc/unhide/COPYING
[d] /usr/share/doc/unhide
[f] /usr/sbin/unhide-tcp
[f] /usr/sbin/unhide
[f] /usr/lib/.build-id/f0/32a880acc7a53f3b96aa3a6b15dc61b767c134
[f] /usr/lib/.build-id/ba/a60b44e8abd8409dc1c11ac1e2cb55d120e567
[d] /usr/lib/.build-id/f0
[d] /usr/lib/.build-id/ba
[d] /usr/lib/.build-id