Quick Tip: Find Hidden Processes and Ports [ Linux / Unix / Windows ]

by on November 24, 2011 · 15 comments· LAST UPDATED November 24, 2011


Unhide is a small, handy forensic tool that finds processes and TCP/UDP ports hidden by rootkits, loadable kernel modules (LKMs) or other hiding techniques. It works on Linux / Unix and on MS-Windows. From the man page:

It detects hidden processes using three techniques:

  1. The proc technique consists of comparing /proc with the output of /bin/ps.
  2. The sys technique consists of comparing information gathered from /bin/ps with information gathered from system calls.
  3. The brute technique consists of brute-forcing all process IDs. This technique is only available on Linux 2.6 kernels.


Most rootkits use the power of the kernel to hide themselves: they hook the kernel interfaces (such as /proc and the system calls) that tools like ps and netstat rely on, so a hidden process is only visible from within the kernel. Unhide cross-checks several of those interfaces against each other; you can also use a tool such as rkhunter to scan for rootkits, backdoors and possible local exploits.

How do I Install Unhide?

It is recommended that you run this tool from read-only media, because a rootkit that hides processes can just as easily tamper with binaries installed on the compromised host. To install it under Debian or Ubuntu Linux, enter:
# apt-get install unhide
Sample outputs:

Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  rkhunter
The following NEW packages will be installed:
  unhide
0 upgraded, 1 newly installed, 0 to remove and 6 not upgraded.
Need to get 822 kB of archives.
After this operation, 1,872 kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org/debian/ squeeze/main unhide amd64 20100201-1 [822 kB]
Fetched 822 kB in 5s (162 kB/s)
Selecting previously deselected package unhide.
(Reading database ... 166644 files and directories currently installed.)
Unpacking unhide (from .../unhide_20100201-1_amd64.deb) ...
Processing triggers for man-db ...
Setting up unhide (20100201-1) ...

FreeBSD: Install unhide

To install it from the ports tree, enter:
# cd /usr/ports/security/unhide/
# make install clean

OR, install the binary package:
# pkg_add -r unhide

Unhide also includes unhide-tcp, a forensic tool that identifies TCP/UDP ports that are listening but are not listed by /bin/netstat, by brute-forcing all available TCP/UDP ports.

How Do I Use This Tool?

Run the checks as follows (the 20100201 release shown here ships unhide-posix for any Unix and unhide-linux26 for Linux 2.6 kernels; some packages install a single unhide binary instead, see the comments below):
# unhide-posix proc
# unhide-posix sys

OR
# unhide-linux26 proc
# unhide-linux26 sys
# unhide-linux26 brute

Sample outputs:

Unhide 20100201
http://www.security-projects.com/?Unhide
[*]Searching for Hidden processes through kill(..,0) scanning
[*]Searching for Hidden processes through  comparison of results of system calls
[*]Searching for Hidden processes through getpriority() scanning
[*]Searching for Hidden processes through getpgid() scanning
[*]Searching for Hidden processes through getsid() scanning
[*]Searching for Hidden processes through sched_getaffinity() scanning
[*]Searching for Hidden processes through sched_getparam() scanning
[*]Searching for Hidden processes through sched_getscheduler() scanning
[*]Searching for Hidden processes through sched_rr_get_interval() scanning
[*]Searching for Hidden processes through sysinfo() scanning
HIDDEN Processes Found: 1

(Fig.01: 1 hidden process reported by the unhide-linux26 sys command. Unhide's author notes in the comments that the sysinfo() check gives a false positive on some kernels; re-run with the -r flag, which uses an alternate sysinfo test, before treating the hit as a real hidden process.)
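The scanning lines in the output above (kill(..,0), getpriority(), getpgid(), getsid(), the sched_*() calls) are all instances of one idea: ask the kernel about a PID through an interface the rootkit may not have hooked and compare the answer with what /proc shows. The Python 3 script below is an added example written for this article, not unhide's own code; it assumes a Linux host, and the function names (find_hidden_pids, proc_vs_ps, self_demo) and the doctored /proc view used in the demo are inventions of this example, not part of unhide:

```python
"""Cross-check process views the way unhide's proc/sys/brute techniques do.
Added example for this article, not unhide's own code. Linux only, Python 3."""
import os
import shutil
import subprocess


def proc_visible(pid):
    """The procfs view: does /proc/<pid> exist? This also answers for thread
    IDs, which readdir on /proc omits but which the syscalls below accept."""
    return os.path.exists(f"/proc/{pid}")


def alive_via_kill(pid):
    """'brute' technique: kill(pid, 0) sends nothing, but reports ESRCH for a
    PID that does not exist; EPERM means it exists and belongs to someone else."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


# 'sys' technique: the calls listed in unhide's own output. Each raises
# ProcessLookupError (ESRCH) for a PID that does not exist, so a rootkit
# that only filters /proc and ps still answers them truthfully.
SYS_PROBES = (
    lambda pid: os.getpriority(os.PRIO_PROCESS, pid),
    os.getpgid,
    os.getsid,
    os.sched_getaffinity,
    os.sched_getparam,
    os.sched_getscheduler,
    os.sched_rr_get_interval,
)


def alive_via_syscalls(pid):
    """True if any probe reports the PID as existing."""
    for probe in SYS_PROBES:
        try:
            probe(pid)
            return True
        except ProcessLookupError:
            continue
        except PermissionError:
            return True
    return False


def find_hidden_pids(pids, visible=proc_visible):
    """PIDs the kernel says exist but the /proc view does not show. `visible`
    is the /proc check (the demo swaps in a doctored one). Every hit is
    re-checked so a process that merely exited between the two lookups, the
    usual false positive, is not reported."""
    hidden = []
    for pid in pids:
        if pid <= 0:  # kill(0, 0) addresses our own process group, not a PID
            continue
        if (alive_via_kill(pid) or alive_via_syscalls(pid)) and not visible(pid):
            if (alive_via_kill(pid) or alive_via_syscalls(pid)) and not visible(pid):
                hidden.append(pid)
    return hidden


def proc_vs_ps():
    """'proc' technique: PIDs listed in /proc but absent from ps, re-checked once.
    Returns [] when ps is unavailable, so a missing ps is not a finding."""
    def ps_pids():
        if shutil.which("ps") is None:
            return set()
        res = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True)
        return {int(t) for t in res.stdout.split() if t.isdigit()} if res.returncode == 0 else set()

    in_proc = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    first = ps_pids()
    suspects = in_proc - first if first else set()
    if not suspects:
        return []
    second = ps_pids()
    return sorted(p for p in suspects if proc_visible(p) and p not in second)


def self_demo():
    """Constructed scenario: a /proc view doctored to hide this very process,
    as a rootkit would. The cross-check must still report our own PID."""
    me = os.getpid()
    return find_hidden_pids(range(me - 1, me + 2),
                            visible=lambda pid: pid != me and proc_visible(pid)) == [me]


if __name__ == "__main__":
    pid_max = int(open("/proc/sys/kernel/pid_max").read())
    print("hidden (sys/brute):", find_hidden_pids(range(1, pid_max + 1)))
    print("hidden (proc vs ps):", proc_vs_ps())
    print("self demo:", self_demo())
```

Two caveats a practitioner should keep in mind when reading the result. First, the re-check only removes the short-lived-process race; a /proc mounted with hidepid=2 and run as an unprivileged user will legitimately report other users' processes as "hidden", which is a configuration, not a rootkit. Second, a genuine hit is evidence to preserve, not a process to kill: many rootkits filter only the directory listing of /proc, so opening /proc/<pid>/exe, /proc/<pid>/cmdline and /proc/<pid>/maps directly by PID often still works and tells you what the process is before you decide what to do about it.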

# unhide-tcp
Sample outputs:

Unhide 20100201
http://www.security-projects.com/?Unhide
Starting TCP checking
Starting UDP checking

(Fig.02: No hidden ports found using the unhide-tcp command)

However, I found something interesting:
# unhide-tcp
Sample outputs:

Unhide 20100201
http://www.security-projects.com/?Unhide
Starting TCP checking
Found Hidden port that not appears in netstat: 1048
Found Hidden port that not appears in netstat: 1049
Found Hidden port that not appears in netstat: 1050
Starting UDP checking

(Fig.03: Found hidden ports using the unhide-tcp command)

Neither netstat -tulpn nor ss showed anything listening on the hidden TCP ports 1048, 1049 and 1050:
# netstat -tulpn | grep 1048
# ss -lp
# ss -l | grep 1048
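The result above is exactly what the port brute force is designed to catch: netstat and ss read the kernel's socket table, so a port that refuses a bind() but is missing from that table has been hidden from the table. The Python 3 script below is an added example written for this article, not unhide-tcp's own code, and it differs from the 20100201 release in one respect: it reads /proc/net/tcp and /proc/net/tcp6 directly instead of parsing netstat output. It assumes a Linux host, covers TCP only (UDP is left out), and the names find_hidden_tcp_ports, tcp_port_in_use and self_demo, together with the doctored port list in the demo, are inventions of this example:

```python
"""Cross-check the kernel's socket table against a bind() probe, the way
unhide-tcp's port brute force does. Added example for this article, not
unhide's code. Linux only, Python 3, TCP only (UDP is left out)."""
import errno
import socket

TCP_LISTEN = "0A"  # value of the "st" column for LISTEN in /proc/net/tcp{,6}


def listening_tcp_ports():
    """Listening TCP ports as /proc/net/tcp and /proc/net/tcp6 report them.
    netstat and ss read this same table, so a rootkit that hides a port has
    to filter it; the bind() probe below does not depend on it at all."""
    ports = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                next(fh)  # column header
                for line in fh:
                    fields = line.split()
                    # local_address is hex "IP:PORT", e.g. 00000000:0016 for *:22
                    if len(fields) > 3 and fields[3] == TCP_LISTEN:
                        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
        except FileNotFoundError:  # e.g. IPv6 disabled
            continue
    return ports


def tcp_port_in_use(port):
    """Brute-force probe for one port: try to bind 0.0.0.0:<port>. With
    SO_REUSEADDR set, Linux refuses (EADDRINUSE) only if a socket is already
    listening on that port, whatever netstat says. Returns True/False, or
    None when the probe itself is not permitted (port < 1024 without
    CAP_NET_BIND_SERVICE), which is 'unknown', not 'in use'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            probe.bind(("", port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return True
            if exc.errno == errno.EACCES:
                return None
            raise
    return False


def find_hidden_tcp_ports(ports, visible=listening_tcp_ports):
    """Ports the probe finds in use that the visible view does not list.
    `visible` returns the set of listed ports; the default is the real
    /proc/net view, the demo passes a doctored one. Hits are re-checked so a
    listener that closed or opened between the two lookups is not reported."""
    snapshot = visible()
    hidden = []
    for port in ports:
        if tcp_port_in_use(port) and port not in snapshot:
            if tcp_port_in_use(port) and port not in visible():
                hidden.append(port)
    return hidden


def self_demo():
    """Constructed scenario: open a listener on a kernel-chosen port, check
    that /proc/net shows it and the honest scan stays quiet, then feed the
    scan a view with that port removed, as a rootkit would present it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        listed = port in listening_tcp_ports()
        honest = find_hidden_tcp_ports([port])
        doctored = find_hidden_tcp_ports([port], visible=lambda: listening_tcp_ports() - {port})
        return listed, honest, doctored == [port]


if __name__ == "__main__":
    print("hidden TCP ports:", find_hidden_tcp_ports(range(1, 65536)))
    print("self demo:", self_demo())
```

Run it as root if you want the privileged ports covered; as an ordinary user the probe reports them as unknown rather than in use, so they are neither flagged nor cleared. A hit from this probe, as from unhide-tcp, tells you only that something holds the port: identifying the owner is the next step, and on a box where the socket table is being filtered the answer has to come from a trusted kernel view (a live-response kit booted from read-only media, or a memory image) rather than from the host's own netstat, ss, lsof or fuser.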

See also:

  1. Unhide project.

15 comments

1 kamal November 24, 2011 at 11:42 am

Above tips have been helpful….


2 Umid November 24, 2011 at 12:06 pm

really helpful tips, thanks a lot.
I’ll try it on my pc.


3 shk November 24, 2011 at 12:43 pm

awsome tool i must say


4 Pascal A. November 24, 2011 at 1:29 pm

Helpful tips. Thanks !


5 Francis N November 24, 2011 at 3:13 pm

yum search unhide OR yum install -y unhide

then man unhide to read more…

Good article tho..


6 Yago Jesus November 24, 2011 at 3:31 pm

Hi,

Thanks a lot for the review. One thing: there is a bug in some kernels that gives a false positive in the sysinfo() scan (as it seems in your tests); in this scenario, please try the flag -r to fix it.

from ./unhide-linux26 --help

-r use alternate sysinfo test in meta-test

Cheers !


7 Tru November 25, 2011 at 7:39 am

So you got something running on tcp port 1048? How do I find out what is running on the port 1048?


8 Eddie T November 24, 2011 at 5:52 pm

On FreeBSD the Ports version of unhide there isn’t a “unhide-posix” command, just “unhide” and “unhide-tcp” for me once I finished compiling. Also thanks for the great recommendation!


9 dincer salih kurnaz November 25, 2011 at 2:32 pm

Thanks but where is Windows ?


10 Balaji December 22, 2011 at 11:57 am

Really helpful tips. Thanks..


11 Terence December 25, 2011 at 6:29 pm

Vivek,

I found one hidden pid using [unhide brute]. Now what?


12 ali December 30, 2011 at 9:30 am

@’dincer salih kurnaz’ you can find windows version here :: http://www.unhide-forensics.info/?Windows


13 Auto kill hidden processes with 'unhide' April 1, 2012 at 2:14 am

for P in `unhide sys | grep -v "\*" | grep -i HIDEEN | cut -f2 -d':' | awk '{print $1}'`; do kill -9 $P; done;


14 Auto kill hidden processes with 'unhide' April 1, 2012 at 2:15 am

for P in `unhide sys | grep -v "\*" | grep -i HIDDEN | cut -f2 -d':' | awk '{print $1}'`; do kill -9 $P; done;


15 kevin April 4, 2014 at 5:37 am

Hi, great tips. I didn’t know of this. This included with my monitoring tool for my server(SeaLion), works great to monitor all processes and keeps me updated about my system in real time. Thanks

