Quick Tip: Find Hidden Processes and Ports [ Linux / Unix / Windows ]

Posted on in Categories Linux, UNIX last updated November 24, 2011

Unhide is a little handy forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique. This tools works under both Linux / Unix, and MS-Windows operating systems. From the man page:

It detects hidden processes using three techniques:

  1. The proc technique consists of comparing /proc with the output of /bin/ps.
  2. The sys technique consists of comparing information gathered from /bin/ps with information gathered from system calls.
  3. The brute technique consists of bruteforcing the all process IDs. This technique is only available on Linux 2.6 kernels.

FreeBSD List / Display Open Ports With sockstat Command

Posted on in Categories FreeBSD, Hardware, Howto, Monitoring, Networking last updated February 8, 2008

You can use traditional netstat / lsof command to lists open Internet or UNIX domain sockets on FreeBSD. FreeBSD comes with a simple and easy to use command called sockstat.
The -4 option only displays IPv4 sockets.

The -6 option only displays IPv6 sockets.

The -c option only displays connected sockets.

The -l option only displays listening sockets (open port).

For example, display IPv4 related open ports, enter:
# sockstat -4 -l
Output:

USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
root     sendmail   653   3  tcp4   127.0.0.1:25          *:*
root     sshd       647   3  tcp4   10.20.110.2:22        *:*
root     ntpd       616   4  udp4   *:123                 *:*

Here the equivalent of netstat:
$ netstat -nat | grep LISTEN
For information read sockstat command man page:
$ man sockstat

Get Information about All Running Services Remotely

Posted on in Categories Debian Linux, FreeBSD, Gentoo Linux, Hardware, Howto, Linux last updated January 29, 2008

From my mailbag the other day I received an interesting suggestion about obtaining information regarding all running process and network connections remotely using inetd / xinetd :

SSH client can be used to execute a command(s) on a remote UNIX box. Same technique can be used to get current network and system information using netstat information:
ssh [email protected] netstat -a
ssh [email protected] netstat -tulpn

He suggests that above command can be run via inetd / xinetd so that admin can connect easily and get information using telnet from 100s UNIX boxes. All you have to do is open /etc/inetd.conf under UNIX / Linux:
# vi /etc/inetd.conf
Append following line:
netstat stream tcp nowait root /bin/netstat netstat -a
Restart inetd:
# /etc/init.d/openbsd-inetd restart
Next, use telnet to connect to the netstat service (port 15) and get network connection information:
$ telnet server-name netstat
$ telnet 192.168.1.5 15

Output:

Trying 192.168.1.5...
Connected to 192.168.1.5.
Escape character is '^]'.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:6881                  *:*                     LISTEN     
tcp        0      0 *:6081                  *:*                     LISTEN     
tcp        0      0 *:nfs                   *:*                     LISTEN     
tcp        0      0 localhost:6082          *:*                     LISTEN     
tcp        0      0 *:54053                 *:*                     LISTEN     
tcp        0      0 *:59275                 *:*                     LISTEN     
tcp        0      0 *:netstat               *:*                     LISTEN     
tcp        0      0 *:sunrpc                *:*                     LISTEN     
tcp        0      0 localhost:webcache      *:*                     LISTEN     
tcp        0      0 *:43218                 *:*                     LISTEN     
tcp        0      0 *:domain                *:*                     LISTEN     
tcp        0      0 localhost:ipp           *:*                     LISTEN     
tcp        0      0 *:telnet                *:*                     LISTEN     
tcp        0      0 *:3128                  *:*                     LISTEN     
tcp        0      0 localhost:smtp          *:*                     LISTEN     
tcp        0      1 vivek-desktop.loc:48925 bas4-kitchener06-:56662 SYN_SENT   
tcp        0      0 vivek-desktop.loc:54791 customer5673.pool:16273 ESTABLISHED
tcp        0      0 vivek-desktop.loc:38398 59.94.1xx.yy:45483      ESTABLISHED
tcp        0      0 vivek-desktop.loc:42048 60.21.zz.yyy:23235       ESTABLISHED
...........
....
....
unix  3      [ ]         STREAM     CONNECTED     15973    
unix  3      [ ]         STREAM     CONNECTED     15947    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     15946    
unix  3      [ ]         STREAM     CONNECTED     15936    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     15935    
unix  2      [ ]         DGRAM                    15931    
unix  3      [ ]         STREAM     CONNECTED     15916    
unix  3      [ ]         STREAM     CONNECTED     15915    
unix  2      [ ]         DGRAM                    15906    
Connection closed by foreign host.

There are few problems with this solution:
a] Unnecessary service running at port # 15

b] Telnet protocol is not secure

c] I strongly recommend using ssh and password-less login for scripts to obtain this kind of information:
ssh [email protected] netstat -a
ssh [email protected] df -H
ssh [email protected] free -m
ssh [email protected] /path/to/script.pl

Howto: Ubuntu Linux convert DHCP network configuration to static IP configuration

Posted on in Categories Ubuntu Linux last updated July 27, 2007

My friend wanted to know how to change or convert DHCP network configuration to static configuration. After initial installation, he wanted to change network settings. Further, his system is w/o GUI system aka X Windows. Here is quick way to accomplish the same:

Your main network configuration file is /etc/network/interfaces

Desired new sample settings:
=> Host IP address 192.168.1.100
=> Netmask: 255.255.255.0
=> Network ID: 192.168.1.0
=> Broadcast IP: 192.168.1.255
=> Gateway/Router IP: 192.168.1.254
=> DNS Server: 192.168.1.254

Open network configuration file
$ sudo vi /etc/network/interfacesOR$ sudo nano /etc/network/interfaces

Find and remove dhcp entry:
iface eth0 inet dhcp

Append new network settings:

iface eth0 inet static
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.254

Save and close the file. Restart the network:
$ sudo /etc/init.d/networking restart

Task: Define new DNS servers

Open /etc/resolv.conf file
$ sudo vi /etc/resolv.conf

You need to remove old DNS server assigned by DHCP server:
search myisp.com
nameserver 192.168.1.254
nameserver 202.54.1.20
nameserver 202.54.1.30

Save and close the file.

Task: Test DNS server

$ host cyberciti.biz

Network command line cheat sheet

You can also use commands to change settings. Please note that these settings are temporary and not the permanent. Use above method to make network changes permanent or GUI tool as described below.

Task: Display network interface information

$ ifconfig

Task: Take down network interface eth0 / take a network interface down

$ sudo ifconfig eth0 downOR $ sudo ifdown eth0

Task: Bring a network interface eth0 up

$ sudo ifconfig eth0 upOR$ sudo ifup eth0

Task: Change IP address and netmask from command line

Activate network interface eth0 with a new IP (192.168.1.50) / netmask:
$ sudo ifconfig eth0 192.168.1.50 netmask 255.255.255.0 up

Task: Display the routing table

$ /sbin/route OR$ /sbin/route -n
Output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.0   U     0      0        0 ra0
172.16.114.0    *               255.255.255.0   U     0      0        0 eth0
172.16.236.0    *               255.255.255.0   U     0      0        0 eth1
default         192.168.1.254   0.0.0.0         UG    0      0        0 ra0

Task: Add a new gateway

$ sudo route add default gw 172.16.236.0

Task: Display current active Internet connections (servers and established connection)

$ netstat -nat

Task: Display open ports

$ sudo netstat -tulpOR$ sudo netstat -tulpn

Task: Display network interfaces stats (RX/TX etc)

$ netstat -i

Task: Display output for active/established connections only

$ netstat -e
$ netstat -te
$ netstat -tue

Where,

  • -t : TCP connections
  • -u : UDP connections
  • -e : Established

Task: Test network connectivity

Send ICMP ECHO_REQUEST to network hosts, routers, servers etc with ping command. This verifies connectivity exists between local host and remote network system:
$ ping router
$ ping 192.168.1.254
$ ping cyberciti.biz

See simple Linux system monitoring with ping command and scripts for more information.

Task: Use GUI (Graphical Configuration) network Tool

If you are new, use GUI configuration tool, type the following command at terminal:
$ network-admin &

Above command is Ubuntu’s GUI for configuring network connections tool.

Final tip – Learn how find out more information about commands

A man page is your best friend when you wanted to learn more about particular command or syntax. For example, read detailed information about ifconfig and netstat command:
$ man ifconfig
$ man netstat

Just get a short help with all command options by appending –help option to each command:
$ netstat --help

Find out what command is used for particular task by searching the short descriptions and manual page names for the keyword:
$ man -k 'delete directory'
$ apropos -s 1 remove

Display short descriptions of a command:
$ whatis rm
$ whatis netstat

Linux offers an excellent collection of utilities, which can be use to finding the files and executables, remember you cannot memorize all the commands and files ;)

How Do I Drop or Block Attackers IP Address With Null Routes On a Linux?

Posted on in Categories Iptables, Linux, Security last updated February 1, 2016

[icon type=”iptables”]Someone might attack on your Linux based system. You can drop attacker IP using IPtables. However, you can use route or ip command to null route unwanted traffic. A null route (also called as blackhole route) is a network route or kernel routing table entry that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering.

You can nullroute (like some time ISP do prevent your network device from sending any data to a remote system) stopping various attacks coming from a single IP (read as spammers or hackers) using the following syntax on a Linux based system.