How to find hidden processes and ports on Linux/Unix/Windows

Unhide is a small, handy forensic tool that finds processes and TCP/UDP ports hidden by rootkits, loadable kernel modules (LKMs) or other hiding techniques. It works on Linux, other Unix-like systems and MS-Windows. From the man page:

It detects hidden processes using three techniques:

  1. The proc technique consists of comparing /proc with the output of /bin/ps.
  2. The sys technique consists of comparing information gathered from /bin/ps with information gathered from system calls.
  3. The brute technique consists of brute-forcing all process IDs. This technique is only available on Linux 2.6 kernels.

Most rootkits and malware hide by using the power of the kernel: from user space they are invisible, and only the kernel itself still sees them. You can use unhide, or a tool such as rkhunter, to scan for rootkits, backdoors and possible local exploits.
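As an added example (this script is not part of unhide), here is a minimal shell version of the proc technique described above, with the re-check step that stops a process which merely exited between the two snapshots from being reported. It assumes a Linux /proc and a procps-style ps that accepts "-e -o pid="; the function names hidden_pids, recheck_pid and scan_live are this example's own.

```shell
#!/bin/sh
# Added example, not unhide's own code: the "proc" technique in shell.
# Every entry of /proc whose name is a number is a PID the kernel knows
# about. A PID that is there but absent from ps output is a candidate
# hidden process. Assumes Linux /proc and procps-style ps (-e -o pid=).

# hidden_pids PROC_PIDS PS_PIDS
#   Both arguments are newline-separated PID lists. Prints the PIDs found
#   in PROC_PIDS but not in PS_PIDS, one per line. It is a pure function,
#   so it can be tested on constructed lists without touching /proc.
hidden_pids() {
    proc_tmp=$(mktemp) || return 1
    ps_tmp=$(mktemp) || { rm -f "$proc_tmp"; return 1; }
    # Keep numeric entries only (drops /proc/self, /proc/sys, ...), trim the
    # leading spaces ps prints, and sort lexically as comm(1) requires.
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -u > "$proc_tmp"
    printf '%s\n' "$2" | awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -u > "$ps_tmp"
    comm -23 "$proc_tmp" "$ps_tmp"
    rm -f "$proc_tmp" "$ps_tmp"
}

# recheck_pid PID
#   A process that exits between the /proc snapshot and the ps run shows up
#   as a false positive. Re-test: still present in /proc, still not in ps.
#   Returns 0 (true) only for a PID that survives both checks.
recheck_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || return 1
    [ -z "$(ps -p "$pid" -o pid= 2>/dev/null)" ] || return 1
    return 0
}

# scan_live
#   Takes the /proc snapshot, then the ps snapshot, diffs them and prints
#   only the candidates that pass recheck_pid, together with the process
#   name and executable path read straight from /proc for triage.
scan_live() {
    proc_pids=$(ls /proc 2>/dev/null)
    ps_pids=$(ps -e -o pid=)
    hidden_pids "$proc_pids" "$ps_pids" | while read -r pid; do
        recheck_pid "$pid" || continue
        printf 'HIDDEN pid=%s comm=%s exe=%s\n' "$pid" \
            "$(cat "/proc/$pid/comm" 2>/dev/null)" \
            "$(readlink "/proc/$pid/exe" 2>/dev/null)"
    done
}

# Usage: sh proc_check.sh --scan
case "${1:-}" in --scan) scan_live ;; esac
```

A PID that hidden_pids reports but recheck_pid rejects is a race, not a rootkit. One that survives both checks, especially with an unreadable comm or exe, is worth examining with unhide itself, which adds the sys and brute techniques on top of this comparison.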
How to find hidden processes and ports on Linux, Unix, FreeBSD and Windows
This page describes how to install unhide and search for hidden processes and TCP/UDP ports.

How do I Install Unhide?

It is recommended that you run this tool from read-only media: a rootkit that already replaces ps or netstat on the host can just as easily tamper with an unhide binary installed on the same disk. To install it on Debian or Ubuntu Linux, type the following apt-get command or apt command:
$ sudo apt-get install unhide
Sample outputs:

[sudo] password for vivek: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Suggested packages:
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 46.6 kB of archives.
After this operation, 136 kB of additional disk space will be used.
Get:1 artful/universe amd64 unhide amd64 20130526-1 [46.6 kB]
Fetched 46.6 kB in 0s (49.0 kB/s)
Selecting previously unselected package unhide.
(Reading database ... 205367 files and directories currently installed.)
Preparing to unpack .../unhide_20130526-1_amd64.deb ...
Unpacking unhide (20130526-1) ...
Setting up unhide (20130526-1) ...
Processing triggers for man-db ( ...

How to install unhide on a RHEL/CentOS/Oracle/Scientific/Fedora Linux

Type the following yum command (on CentOS/RHEL 6.x or 7.x, first enable the EPEL repository):
$ sudo yum install unhide
If you are using a Fedora Linux, type the following dnf command:
$ sudo dnf install unhide

How to install unhide on an Arch Linux

Type the following pacman command:
$ sudo pacman -S unhide

FreeBSD: Install unhide

Type the following commands to install unhide from the ports tree:
# cd /usr/ports/security/unhide/
# make install clean

Or install the binary package with the pkg command:
# pkg install unhide

How do I use unhide tool?

The syntax is:
unhide [options] test_list
test_list is one or more of the following standard tests:

  1. brute
  2. proc
  3. procall
  4. procfs
  5. quick
  6. reverse
  7. sys

Elementary tests:

  1. checkbrute
  2. checkchdir
  3. checkgetaffinity
  4. checkgetparam
  5. checkgetpgid
  6. checkgetprio
  7. checkRRgetinterval
  8. checkgetsched
  9. checkgetsid
  10. checkkill
  11. checknoprocps
  12. checkopendir
  13. checkproc
  14. checkquick
  15. checkreaddir
  16. checkreverse
  17. checksysinfo
  18. checksysinfo2
  19. checksysinfo3

You can use it as follows:
# unhide proc
# unhide sys
# unhide quick

Sample outputs:

Unhide 20130526
Copyright © 2013 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
NOTE : This version of unhide is for systems using Linux >= 2.6 
Used options: 
[*]Searching for Hidden processes through  comparison of results of system calls, proc, dir and ps

How to use unhide-tcp forensic tool that identifies TCP/UDP ports

From the man page:

unhide-tcp is a forensic tool that identifies TCP/UDP ports that are listening but are not listed by /sbin/ss (or alternatively by /bin/netstat) through brute forcing of all TCP/UDP ports available.
Note 1: On FreeBSD and OpenBSD, netstat is always used, as iproute2 doesn’t exist on these OS. In addition, on FreeBSD, sockstat is used instead of fuser.
Note 2: If iproute2 is not available on the system, option -n or -s SHOULD be given on the command line.

# unhide-tcp
Sample outputs:

Unhide 20100201

Starting TCP checking

Starting UDP checking

(Fig.02: No hidden ports found using the unhide-tcp command)

However, I found something interesting:
# unhide-tcp
Sample outputs:

Unhide 20100201

Starting TCP checking

Found Hidden port that not appears in netstat: 1048
Found Hidden port that not appears in netstat: 1049
Found Hidden port that not appears in netstat: 1050
Starting UDP checking

The netstat -tulpn and ss commands displayed nothing about the hidden TCP ports 1048, 1049 and 1050:
# netstat -tulpn | grep 1048
# ss -lp
# ss -l | grep 1048
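The page only says that unhide-tcp brute-forces every port, so as an added example (not unhide-tcp's own code) the following script shows the comparison behind a "hidden port" finding from the other direction: it parses the kernel's own socket tables in /proc/net/tcp and /proc/net/tcp6, extracts the ports in LISTEN state, and reports any that ss does not show. That catches a trojaned or library-hooked ss/netstat; a kernel-level rootkit that also filters /proc/net/tcp would defeat it, which is exactly why unhide-tcp probes the ports themselves instead of trusting any table. It assumes Linux, an iproute2 ss that accepts -H (no header) and lsof for naming the owner; SAMPLE_PROC_NET_TCP is a constructed table standing in for a real /proc/net/tcp, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not unhide-tcp's own code: compare the listening TCP ports
# the kernel records in /proc/net/tcp and /proc/net/tcp6 with what the ss
# binary reports. Assumes Linux and an iproute2 ss that accepts -H.

# /proc/net/tcp stores addresses as HEXIP:HEXPORT, e.g. 0100007F:0277 is
# 127.0.0.1 port 631. POSIX awk has no hex conversion, so define one.
AWK_HEX2DEC='
function hex2dec(h,    i, n) {
    n = 0
    h = toupper(h)
    for (i = 1; i <= length(h); i++)
        n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
    return n
}'

# listening_ports_from TABLE
#   TABLE is the text of /proc/net/tcp (or tcp6, or both concatenated).
#   Prints the local port of every socket in state 0A (LISTEN), numerically
#   sorted and de-duplicated. The header line has "st" in column 4 and is
#   skipped by the state test.
listening_ports_from() {
    printf '%s\n' "$1" | awk "$AWK_HEX2DEC"'
        $4 == "0A" { split($2, a, ":"); print hex2dec(a[2]) }
    ' | sort -n -u
}

# ss_listening_ports
#   Listening TCP ports as ss reports them. ss prints the local address as
#   0.0.0.0:22, *:22 or [::]:22; everything after the last colon is the port.
ss_listening_ports() {
    ss -Hltn 2>/dev/null | awk '{ print $4 }' | sed 's/.*://' | sort -n -u
}

# ports_missing_from KERNEL_LIST TOOL_LIST
#   Newline-separated port lists. Prints the ports present in KERNEL_LIST
#   but absent from TOOL_LIST, i.e. ports the user-space tool is hiding.
ports_missing_from() {
    k=$(mktemp) || return 1
    t=$(mktemp) || { rm -f "$k"; return 1; }
    printf '%s\n' "$1" | sort -u > "$k"
    printf '%s\n' "$2" | sort -u > "$t"
    comm -23 "$k" "$t"
    rm -f "$k" "$t"
}

# scan_live
#   Reads both kernel tables, compares them with ss, and for each port that
#   ss hides tries to name the owner with lsof, which reads /proc itself
#   rather than trusting ss.
scan_live() {
    kernel=$(listening_ports_from "$(cat /proc/net/tcp /proc/net/tcp6 2>/dev/null)")
    tool=$(ss_listening_ports)
    ports_missing_from "$kernel" "$tool" | while read -r port; do
        printf 'ss does not show listening TCP port %s\n' "$port"
        command -v lsof >/dev/null 2>&1 && lsof -nP -iTCP:"$port" -sTCP:LISTEN 2>/dev/null
    done
}

# Constructed sample of /proc/net/tcp (not captured from a real host):
# sshd listening on 0.0.0.0:22, cups on 127.0.0.1:631, plus one ESTABLISHED
# (state 01) outbound connection to port 443 that must not be reported.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18021 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18340 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:D3B2 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 22111 1 0000000000000000 20 4 30 10 -1'

# Usage: sh port_check.sh          (parses the constructed sample)
#        sh port_check.sh --scan   (compares the live kernel tables with ss)
case "${1:-}" in
    --scan) scan_live ;;
    *) echo "listening ports in constructed sample:"; listening_ports_from "$SAMPLE_PROC_NET_TCP" ;;
esac
```

When a port such as 1048 above is reported, the first thing to settle is which layer is lying: if /proc/net/tcp lists it but ss does not, the tool or a preloaded library is hooked; if neither lists it yet a connect() to it succeeds, the kernel tables themselves are being filtered, and unhide-tcp's port-by-port probing is the only view left that does not depend on them.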

For more info read man pages by typing the following command:
$ man unhide
$ man unhide-tcp

A note about Windows users

You can grab WinUnhide and WinUnhide-TCP by visiting this page.

16 comments… add one
  • kamal Nov 24, 2011 @ 11:42

    Above tips have been helpful….

  • Umid Nov 24, 2011 @ 12:06

    really helpful tips, thanks a lot.
    I’ll try it on my pc.

  • shk Nov 24, 2011 @ 12:43

    awsome tool i must say

  • Pascal A. Nov 24, 2011 @ 13:29

    Helpful tips. Thanks !

  • Francis N Nov 24, 2011 @ 15:13

    yum search unhide OR yum install -y unhide

    then man unhide to read more…

    Good article tho..

  • Yago Jesus Nov 24, 2011 @ 15:31


    Thanks a lot for the review, one thing, there is a bug in some kernels that gives a false positive in sysinfo() scan (as seems in your tests) please in this scenario try with the flag -r to fix it

    from ./unhide-linux26 --help

    -r use alternate sysinfo test in meta-test

    Cheers !

    • Tru Nov 25, 2011 @ 7:39

      So you got something running on tcp port 1048? How do I find out what is running on the port 1048?

  • Eddie T Nov 24, 2011 @ 17:52

    On FreeBSD, with the Ports version of unhide, there isn’t a “unhide-posix” command, just “unhide” and “unhide-tcp” for me once I finished compiling. Also thanks for the great recommendation!

  • dincer salih kurnaz Nov 25, 2011 @ 14:32

    Thanks but where is Windows ?

    • bob woods Feb 3, 2017 @ 21:07


  • Balaji Dec 22, 2011 @ 11:57

    Really helpful tips. Thanks..

  • Terence Dec 25, 2011 @ 18:29


    I found one hidden pid using [unhide brute]. Now what?

  • ali Dec 30, 2011 @ 9:30

    @’dincer salih kurnaz’ you can find windows version here ::

  • Auto kill hidden processes with 'unhide' Apr 1, 2012 @ 2:14

    for P in $(unhide sys | grep -v "*" | grep -i HIDEEN | cut -f2 -d':' | awk '{print $1}'); do kill -9 $P; done;

  • Auto kill hidden processes with 'unhide' Apr 1, 2012 @ 2:15

    for P in $(unhide sys | grep -v "*" | grep -i HIDDEN | cut -f2 -d':' | awk '{print $1}'); do kill -9 $P; done;

  • kevin Apr 4, 2014 @ 5:37

    Hi, great tips. I didn’t know of this. This included with my monitoring tool for my server(SeaLion), works great to monitor all processes and keeps me updated about my system in real time. Thanks
