unhide - Tool to find hidden processes and TCP/UDP ports from rootkits
| Website: | http://www.unhide-forensics.info/ |
|---|---|
| License: | GPLv3 |
| Vendor: | Unixadm.org |
- Description:
Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits, Linux kernel modules or by other techniques. It includes two utilities: unhide and unhide-tcp. Unhide detects hidden processes using six techniques: - compare /proc vs /bin/ps output - compare info gathered from /bin/ps with info gathered by walking thru the procfs - compare info gathered from /bin/ps with info gathered from syscalls - full PIDs space ocupation (PIDs bruteforcing) - compare /bin/ps output vs /proc, procfs walking and syscall - quick compare /proc, procfs walking and syscall vs /bin/ps output Unhide-TCP identifies TCP/UDP ports that are listening but not listed in sbin/ss or /bin/netstat using two methods: - brute force of all TCP/UDP ports availables and compare with SS/netstat output - probe of all TCP/UDP ports not reported by netstat
Packages
| unhide-1.0-9.el9.20121229-x86_64 [482 KiB] |
Changelog
by Philippe Kueck (2013-01-16):
- new upstream version (beta) |
Package contents (click to display)
[f] /usr/share/man/man8/unhide.8.gz
[f] /usr/share/man/man8/unhide-tcp.8.gz [f] /usr/share/doc/unhide/README.txt [f] /usr/share/doc/unhide/NEWS [f] /usr/share/doc/unhide/LISEZ-MOI.TXT [f] /usr/share/doc/unhide/LEEME.txt [f] /usr/share/doc/unhide/COPYING [d] /usr/share/doc/unhide [f] /usr/sbin/unhide-tcp [f] /usr/sbin/unhide [f] /usr/lib/.build-id/b0/edebd08a6a356d7d264589ef87c6a0fbd02b96 [f] /usr/lib/.build-id/11/494cbf148be48661a862d146d7bf65e0359fd4 [d] /usr/lib/.build-id/b0 [d] /usr/lib/.build-id/11 [d] /usr/lib/.build-id |