Unhide is a lightweight network forensics tool designed to detect processes and TCP/UDP ports that are hidden using rootkits, loadable kernel modules (LKM), or other stealth techniques. It is compatible with Linux, UNIX-based systems, and even Windows. According to its manual page, Unhide identifies hidden processes through three primary methods: process-related, system-related, and brute-force techniques.
The process-related method involves comparing the contents of the `/proc` directory with the output from the `/bin/ps` command. The system-related approach compares the results of the `ps` command with data obtained directly from system calls. The brute-force technique, which is only applicable on Linux 2.6 kernels, exhaustively checks all possible process IDs to uncover hidden processes.
Most rootkits and malware hide processes at the kernel level, making them invisible to standard tools. To detect such threats, you can use Unhide or similar tools like rkhunter to scan for rootkits, backdoors, and local vulnerabilities.
This guide walks through installing Unhide and using it to find hidden processes and TCP/UDP ports.

### How to Install Unhide
On Ubuntu or Debian-based systems, you can install Unhide using the following command:
```bash
sudo apt-get install unhide
```
If everything goes smoothly, you should see output confirming the installation of the `unhide` package.
For RHEL, CentOS and Oracle Linux, first enable the EPEL repository and then run:
```bash
sudo yum install unhide
```
On Fedora, use:
```bash
sudo dnf install unhide
```
For Arch Linux:
```bash
sudo pacman -S unhide
```
On FreeBSD, you can install via ports:
```bash
cd /usr/ports/security/unhide/
make install clean
```
Or use the `pkg` command:
```bash
pkg install unhide
```
### How to Use the Unhide Tool
The basic syntax for Unhide is:
```bash
unhide [options] test_list
```
The `test_list` parameter names one or more tests such as `brute`, `proc`, `sys`, `quick`, and others. You can run it with commands like:
```bash
sudo unhide proc
sudo unhide sys
sudo unhide quick
```
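The `proc` and `sys` tests above correspond to the process-related and system-related methods described at the top of this guide. The script below is an added example written for this article, not unhide's own code: it compares the PID directories in `/proc` with `ps` output, then asks the kernel about every PID up to `pid_max` with `kill(pid, 0)`, which is one of the system calls the `sys` test relies on. Thread IDs answer `kill()` but never appear as `/proc/<tid>`, so they are collected from `/proc/<pid>/task` and excluded, and suspects are re-checked after a short delay so short-lived processes are not reported. Run it as root so `kill()` gives a definite answer for every process.

```python
"""Added example (not unhide's own code): a /proc-versus-ps comparison plus a
kill(pid, 0) sweep of the PID space, the two checks the text describes."""
import os
import subprocess
import time
from typing import Dict, Iterable, List, Set


def pids_from_proc(entries: Iterable[str]) -> Set[int]:
    """Process IDs are the all-digit directory names under /proc."""
    return {int(name) for name in entries if name.isdigit()}


def pids_from_ps(ps_output: str) -> Set[int]:
    """Parse the output of `ps -e -o pid=` (one bare PID per line)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def thread_ids(proc_pids: Iterable[int]) -> Set[int]:
    """Thread IDs answer kill(tid, 0) but are not listed as /proc/<tid>;
    without excluding them every multithreaded process looks hidden."""
    tids: Set[int] = set()
    for pid in proc_pids:
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:
            pass  # process exited between the listing and this call
    return tids


def pid_known_to_kernel(pid: int) -> bool:
    """Signal 0 delivers nothing; the kernel only says whether the PID exists."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, just owned by another user


def max_pid() -> int:
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return 32768  # historical default, used when pid_max is unreadable


def compare(proc_pids: Set[int], ps_pids: Set[int], kernel_pids: Set[int],
            tids: Iterable[int] = ()) -> Dict[str, List[int]]:
    """Two signals of hiding: ps was lied to (user-space hooks), or /proc was
    filtered while the kernel still knows the PID (typical LKM rootkit)."""
    return {
        "in_proc_not_ps": sorted(proc_pids - ps_pids),
        "kernel_not_proc": sorted(kernel_pids - proc_pids - set(tids)),
    }


def snapshot() -> Dict[str, List[int]]:
    proc_pids = pids_from_proc(os.listdir("/proc"))
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="],
                            capture_output=True, text=True, check=True).stdout
    kernel_pids = {p for p in range(1, max_pid()) if pid_known_to_kernel(p)}
    return compare(proc_pids, pids_from_ps(ps_out), kernel_pids, thread_ids(proc_pids))


def scan_live(recheck_delay: float = 0.5) -> Dict[str, List[int]]:
    """Short-lived processes race with the snapshot; a PID is only reported
    if it is still flagged on a second pass."""
    first = snapshot()
    if not any(first.values()):
        return first
    time.sleep(recheck_delay)
    second = snapshot()
    return {k: sorted(set(v) & set(second[k])) for k, v in first.items()}


def self_check() -> bool:
    """Sanity test: our own PID must be known to the kernel and present in /proc."""
    me = os.getpid()
    return pid_known_to_kernel(me) and me in pids_from_proc(os.listdir("/proc"))


if __name__ == "__main__":
    for kind, pids in scan_live().items():
        print(f"{kind}: {pids or 'none'}")
```

A PID reported under `kernel_not_proc` is the strong signal: the kernel acknowledges the process while `/proc` does not list it. `in_proc_not_ps` points at a tampered `ps` or a preloaded library rather than a kernel module, since `ps` itself reads `/proc`.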
### Using Unhide-TCP to Detect Hidden Ports
Unhide also comes with a companion tool called `unhide-tcp`, which identifies TCP/UDP ports that are in use on the host but not shown by `netstat` or `ss`. This is especially useful for detecting hidden services.
Example command:
```bash
sudo unhide-tcp
```
Sample output might show hidden ports that aren't visible in standard tools:
```
Found Hidden port that not appears in netstat: 1048
Found Hidden port that not appears in netstat: 1049
Found Hidden port that not appears in netstat: 1050
```
You can verify this by checking with `netstat` or `ss`:
```bash
netstat -tulpn | grep 1048
ss -lpn | grep 1048
```
These ports may be hidden due to rootkit activity or other malicious behavior.
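The check `unhide-tcp` performs can be reproduced in a few lines. The script below is an added example for this article, not `unhide-tcp`'s own code: it tries to `bind()` every TCP port and reports the ones the kernel refuses as in use but `ss` does not list. It compares against all TCP sockets rather than only listeners, because a client's ephemeral port also makes `bind()` fail, and it re-reads `ss` for the suspects so a connection opened mid-scan is not reported as hidden. The `/proc/net/tcp` parser and the two sample tables are constructed for the example; a rootkit that filters `/proc/net/tcp` hides from that parser, which is exactly why the `bind()` probe is the decisive check. Run it as root so ports below 1024 can be probed.

```python
"""Added example (not unhide-tcp's own code): probe every TCP port with bind()
and report the ones in use that `ss` does not show."""
import errno
import socket
import subprocess
from typing import Iterable, Set

# Constructed sample of /proc/net/tcp: a listener on 22 and one on 1048 (0x0418).
PROC_NET_TCP_SAMPLE = [
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18734 1 0000000000000000 100 0 0 10 0",
    "   1: 0100007F:0418 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 27110 1 0000000000000000 100 0 0 10 0",
]

# Constructed `ss -Htan` output that only admits to port 22.
SS_SAMPLE = "LISTEN 0      128          0.0.0.0:22        0.0.0.0:*\n"


def ports_from_proc_net_tcp(lines: Iterable[str]) -> Set[int]:
    """Local port (hex, after the colon) of every socket in a /proc/net/tcp table."""
    ports: Set[int] = set()
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue  # header line
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def ports_from_ss(output: str) -> Set[int]:
    """Local ports from `ss -Htan` (all TCP sockets, numeric, no header).
    Columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]."""
    ports: Set[int] = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def bind_probe(port: int, family: int = socket.AF_INET, host: str = "0.0.0.0") -> str:
    """'in_use' when bind() fails with EADDRINUSE, 'free' when it succeeds,
    'unknown' when the kernel refused for another reason (EACCES as non-root)."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.bind((host, port))
        return "free"
    except OSError as e:
        return "in_use" if e.errno == errno.EADDRINUSE else "unknown"


def port_in_use(port: int) -> bool:
    """Probe both families: an IPv6-only listener does not block an IPv4 bind."""
    return (bind_probe(port) == "in_use"
            or bind_probe(port, socket.AF_INET6, "::") == "in_use")


def hidden_ports(in_use: Set[int], reported: Set[int]) -> Set[int]:
    """Ports the kernel holds that the reporting tool does not show."""
    return in_use - reported


def live_ss_ports() -> Set[int]:
    out = subprocess.run(["ss", "-Htan"], capture_output=True, text=True, check=True).stdout
    return ports_from_ss(out)


def scan_live(first: int = 1, last: int = 65535) -> Set[int]:
    """Probe the whole range, then re-check suspects against a fresh ss snapshot."""
    suspects = hidden_ports({p for p in range(first, last + 1) if port_in_use(p)},
                            live_ss_ports())
    return hidden_ports({p for p in suspects if port_in_use(p)}, live_ss_ports())


def probe_self_test() -> bool:
    """Open a real listener on an ephemeral loopback port and confirm the probe sees it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        seen = bind_probe(port) == "in_use"
    return seen and bind_probe(port) == "free"


if __name__ == "__main__":
    for port in sorted(scan_live()):
        print(f"port {port} is in use but not reported by ss")
```

A port that stays flagged after the second `ss` read deserves the same follow-up as an `unhide-tcp` finding: identify the owning socket from outside the possibly compromised tool set, for example from a rescue environment, rather than trusting `netstat` or `ss` on the affected host.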
To learn more about Unhide, use the man pages:
```bash
man unhide
man unhide-tcp
```
By using these tools, you can enhance your system's security and detect potential threats that may otherwise go unnoticed.