Unhide Processes Forensics v20100201 released

Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique.

// Unhide (ps)

Detecting hidden processes. Implements three techniques

  • Compare /proc vs /bin/ps output
  • Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning)
  • Full PIDs space ocupation (PIDs bruteforcing)

// Unhide-TCP

Identify TCP/UDP ports that are listening but not listed in /bin/netstat doing brute forcing of all TCP/UDP ports availables.

Changelog for this new release

  • Threads Brute Force added
  • Add needed stuff (includes, defines, ...) to eliminate compilation warning. (Thanks to J. Walles)
  • Correct a typo in checkps() where fich_tmp is used in place of fich_pgid (Thanks to P. Gouin)
  • Corrected several FD leaks where files or pipes are read and closed even if they have failed to open. (Thanks to W. Doekes & P. Gouin)
  • Add warning messages if file or pipe fails to open (compatible with rkhunter use of unhide) (Thanks to W. Doekes & P. Gouin)
  • Add warning messages if a test is skipped (compatible with rkhunter use of unhide). (Thanks to P. Gouin)
  • Correct removing of leading spaces which tests one char too far for end of string in checkps(). (Thanks to P. Gouin)
  • Close fd in get_max_pid(). (Thanks to P. Gouin)
  • Close cmd_file in printbadpid(). (Thanks to P. Gouin)
  • Add display of test name in checkallnoprocps(). (Thanks to P. Gouin)
  • Close fich_processo in checksysinfo() (Thanks to W. Doekes)
  • Avoid potential buffer overflow in checksysinfo() (Thanks to W. Doekes)
  • Correct allpids[] initialization in brute() (Thanks to W. Doekes)
  • Modify brute as modifying allpid from within the forked process may have undefined results (Linux vfork() man page) (Thanks to P. Gouin)
  • Add return to main() (Thanks to W. Doekes)
  • Optimizations (Thanks to P. Gouin)

Tool Submitted by YJesus from http://www.securitybydefault.com

Post scriptum

Compliance Mandates

  • Forensics :

    PCI DSS 10.2, 12.9, A.1.4*, SOX DS7, HIPAA 164.308(a)(1) and (a)(6), FISMA IR-7, ISO 27001/27002 13.2.1, 13.2.3
    *Shared Hosting Providers Only


Related Articles

Configurations checks
Forensics
Rootkits
Unhide