Quick Tip: Find Hidden Processes and Ports [ Linux / Unix / Windows ]

Posted in Categories Linux, UNIX, last updated November 24, 2011

Unhide is a handy little forensic tool that finds processes and TCP/UDP ports hidden by rootkits / LKMs or by some other hiding technique. The tool works under both Linux / Unix and MS-Windows operating systems. From the man page:

It detects hidden processes using three techniques:

  1. The proc technique consists of comparing /proc with the output of /bin/ps.
  2. The sys technique consists of comparing information gathered from /bin/ps with information gathered from system calls.
  3. The brute technique consists of brute-forcing all process IDs. This technique is only available on Linux 2.6 kernels.
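The proc and brute techniques from the man page, re-implemented as an added example for Linux / Unix (this is not unhide's own code; the helper names are mine):

```python
"""Added example, not unhide's own code: the 'proc' and 'brute' techniques
from the man page above, as a small Python audit for Linux / Unix."""
import os
import subprocess

def hidden_pids(proc_pids, ps_pids):
    """proc technique: PIDs the kernel exposes in /proc but ps does not list."""
    return sorted(set(proc_pids) - set(ps_pids))

def pids_from_proc():
    """Every numeric directory under /proc is a process the kernel admits to."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def pids_from_ps():
    """What the userland tool reports; a trojaned ps or an LKM may filter this."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def probe_pid(pid):
    """brute technique: ask the kernel directly with kill(pid, 0).
    True if the PID exists, even when we lack permission to signal it."""
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:     # EPERM: exists, owned by someone else
        return True
    except ProcessLookupError:  # ESRCH: no such process
        return False

def brute_hidden(ps_pids, max_pid=None):
    """PIDs that answer kill(pid, 0) but are absent from ps output."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except OSError:
            max_pid = 32768  # Linux default when /proc is unavailable
    return [pid for pid in range(1, max_pid)
            if pid not in ps_pids and probe_pid(pid)]

if __name__ == "__main__":
    ps = pids_from_ps()
    print("proc technique hidden PIDs :", hidden_pids(pids_from_proc(), ps))
    print("brute technique hidden PIDs:", brute_hidden(ps))
```

Processes that start or exit between the ps snapshot and the /proc or kill() probe show up as false positives, so rerun and keep only PIDs reported in every pass.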

Get Information about All Running Services Remotely

Posted in Categories Debian Linux, FreeBSD, Gentoo Linux, Hardware, Howto, Linux, last updated January 29, 2008

From my mailbag the other day I received an interesting suggestion about obtaining information on all running processes and network connections remotely using inetd / xinetd:

The SSH client can be used to execute a command (or commands) on a remote UNIX box. The same technique can be used to get current network and system information from netstat:
ssh user@server netstat -a
ssh user@server netstat -tulpn

He suggests that the above command can be run via inetd / xinetd so that an admin can easily connect and get the information using telnet from hundreds of UNIX boxes. All you have to do is open /etc/inetd.conf under UNIX / Linux:
# vi /etc/inetd.conf
Append the following line:
netstat stream tcp nowait root /bin/netstat netstat -a
Restart inetd:
# /etc/init.d/openbsd-inetd restart
Next, use telnet to connect to the netstat service (port 15) and get the network connection information:
$ telnet server-name netstat
$ telnet 192.168.1.5 15

Output:

Trying 192.168.1.5...
Connected to 192.168.1.5.
Escape character is '^]'.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:6881                  *:*                     LISTEN     
tcp        0      0 *:6081                  *:*                     LISTEN     
tcp        0      0 *:nfs                   *:*                     LISTEN     
tcp        0      0 localhost:6082          *:*                     LISTEN     
tcp        0      0 *:54053                 *:*                     LISTEN     
tcp        0      0 *:59275                 *:*                     LISTEN     
tcp        0      0 *:netstat               *:*                     LISTEN     
tcp        0      0 *:sunrpc                *:*                     LISTEN     
tcp        0      0 localhost:webcache      *:*                     LISTEN     
tcp        0      0 *:43218                 *:*                     LISTEN     
tcp        0      0 *:domain                *:*                     LISTEN     
tcp        0      0 localhost:ipp           *:*                     LISTEN     
tcp        0      0 *:telnet                *:*                     LISTEN     
tcp        0      0 *:3128                  *:*                     LISTEN     
tcp        0      0 localhost:smtp          *:*                     LISTEN     
tcp        0      1 vivek-desktop.loc:48925 bas4-kitchener06-:56662 SYN_SENT   
tcp        0      0 vivek-desktop.loc:54791 customer5673.pool:16273 ESTABLISHED
tcp        0      0 vivek-desktop.loc:38398 59.94.1xx.yy:45483      ESTABLISHED
tcp        0      0 vivek-desktop.loc:42048 60.21.zz.yyy:23235       ESTABLISHED
...........
....
....
unix  3      [ ]         STREAM     CONNECTED     15973    
unix  3      [ ]         STREAM     CONNECTED     15947    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     15946    
unix  3      [ ]         STREAM     CONNECTED     15936    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     15935    
unix  2      [ ]         DGRAM                    15931    
unix  3      [ ]         STREAM     CONNECTED     15916    
unix  3      [ ]         STREAM     CONNECTED     15915    
unix  2      [ ]         DGRAM                    15906    
Connection closed by foreign host.

There are a few problems with this solution:
a] An unnecessary service running on port 15

b] The telnet protocol is not secure: the session is plaintext and, as the transcript above shows, the service answers without any authentication

c] I strongly recommend using ssh with password-less (key-based) login for scripts that obtain this kind of information:
ssh user@server netstat -a
ssh user@server df -H
ssh user@server free -m
ssh user@server /path/to/script.pl
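Once the netstat output has been collected over ssh, the next step is to read it. The following added example (not from the original post) parses the "Active Internet connections" table in the format shown above and flags listeners bound to every interface rather than to localhost; the sample rows are constructed from the output on this page.

```python
"""Added example (not from the original post): parse 'netstat -a' style output
and flag listeners exposed on all interfaces."""

# Constructed excerpt in the same format as the page's sample output.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:netstat               *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 localhost:smtp          *:*                     LISTEN
tcp        0      0 *:3128                  *:*                     LISTEN
tcp        0      0 vivek-desktop.loc:54791 customer5673.pool:16273 ESTABLISHED
unix  3      [ ]         STREAM     CONNECTED     15973
"""

def parse_netstat(text):
    """Return one dict per tcp/udp row: proto, local host, local port, foreign, state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the headers and the unix-domain socket rows; udp rows carry no State.
        if len(parts) < 5 or parts[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        local, foreign = parts[3], parts[4]
        state = parts[5] if len(parts) > 5 else ""
        host, _, port = local.rpartition(":")
        rows.append({"proto": parts[0], "host": host, "port": port,
                     "foreign": foreign, "state": state})
    return rows

def exposed_listeners(rows):
    """Ports in LISTEN state bound to every interface ('*', 0.0.0.0 or ::)."""
    return sorted(r["port"] for r in rows
                  if r["state"] == "LISTEN" and r["host"] in ("*", "0.0.0.0", "::"))

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print("exposed listeners:", exposed_listeners(rows))
```

Feeding it the real output (`ssh user@server netstat -a`) instead of SAMPLE turns the same check into a quick per-host audit; here it reports netstat and telnet among the exposed listeners, which are exactly the two problems listed above.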

HP-UX: How Do I Configure Routing or Add a Route?

Posted in Categories Howto, HP-UX, Sys admin, Tips, UNIX, last updated October 24, 2007

You can use the route command to configure routing. The syntax is as follows:
route add net {network-address} netmask {subnet} {router-address}

Let us assume your router address is 192.168.1.254 and the network ID is 192.168.1.0/24; then you can type the route command as follows:
# route add net 192.168.1.0 netmask 255.255.255.0 192.168.1.254

OR

To add a default route:
# route add default 192.168.1.254

Verify that the routing table is updated (display the routing table):
# netstat -nr

Test it, i.e. try to ping or send an nslookup request:
# ping mycorp.com

To flush all routing entries use the following command [quite handy to clean up your Gordian knot ;)]:
# route -f

However, if I reboot the HP-UX box then the above routing entries get removed. To pick up your settings upon each reboot you need to configure routes in the HP-UX networking configuration file, /etc/rc.config.d/netconf. To add the default router/gateway 192.168.1.254:
# vi /etc/rc.config.d/netconf

Add or modify the following entries:

ROUTE_DESTINATION[0]="default"
ROUTE_MASK[0]=""
ROUTE_GATEWAY[0]="192.168.1.254"
ROUTE_COUNT[0]="1"
ROUTE_ARGS[0]=""

Reboot the HP-UX system/server for the change to take effect:
# shutdown -ry 0
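Because the netconf entries only take effect after a reboot, it helps to check them first. The following added example (not from the original post) parses the ROUTE_*[n] arrays and renders the equivalent route add commands in the syntax shown above, so the persistent configuration can be compared with what was typed by hand; the fragment is constructed from the page's default route plus an assumed network route.

```python
"""Added example (not from the original post): turn HP-UX netconf ROUTE_*[n]
entries into the 'route add' commands shown above, and reject incomplete ones."""
import re

# Constructed fragment: the page's default route plus an assumed network route.
NETCONF = """\
ROUTE_DESTINATION[0]="default"
ROUTE_MASK[0]=""
ROUTE_GATEWAY[0]="192.168.1.254"
ROUTE_COUNT[0]="1"
ROUTE_ARGS[0]=""
ROUTE_DESTINATION[1]="net 10.0.0.0"
ROUTE_MASK[1]="255.0.0.0"
ROUTE_GATEWAY[1]="192.168.1.254"
ROUTE_COUNT[1]="1"
ROUTE_ARGS[1]=""
"""

ENTRY = re.compile(r'^ROUTE_(\w+)\[(\d+)\]="([^"]*)"$')

def parse_netconf(text):
    """Group ROUTE_* variables by index: {0: {'DESTINATION': 'default', ...}, ...}."""
    routes = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            key, idx, val = m.group(1), int(m.group(2)), m.group(3)
            routes.setdefault(idx, {})[key] = val
    return routes

def route_commands(routes):
    """Render 'route add' lines; ROUTE_COUNT (hop count) and ROUTE_ARGS are
    kept in the dict but not needed to reproduce the commands above."""
    cmds = []
    for idx in sorted(routes):
        r = routes[idx]
        dest, gw, mask = r.get("DESTINATION", ""), r.get("GATEWAY", ""), r.get("MASK", "")
        if not dest or not gw:
            raise ValueError(f"route {idx}: ROUTE_DESTINATION and ROUTE_GATEWAY are required")
        if dest == "default":
            cmds.append(f"route add default {gw}")
        elif mask:
            cmds.append(f"route add {dest} netmask {mask} {gw}")
        else:
            raise ValueError(f"route {idx}: a network route needs ROUTE_MASK")
    return cmds

if __name__ == "__main__":
    for cmd in route_commands(parse_netconf(NETCONF)):
        print(cmd)
```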