ports/132131: New port: security/unhide A forensic tool to find hidden processes and TCP/UDP ports
Nikos Ntarmos
ntarmos at cs.uoi.gr
Thu Feb 26 15:50:05 UTC 2009
>Number: 132131
>Category: ports
>Synopsis: New port: security/unhide A forensic tool to find hidden processes and TCP/UDP ports
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Feb 26 15:50:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Nikos Ntarmos
>Release: FreeBSD 7.1-STABLE i386
>Organization:
Computer Science Dept., U. of Ioannina, Greece
>Environment:
System: FreeBSD ace.cs.uoi.gr 7.1-STABLE FreeBSD 7.1-STABLE #0: Mon Feb 9 02:02:57 EET 2009 ntarmos at ace.netcins.ceid.upatras.gr:/opt/obj/opt/src/sys/ACE i386
>Description:
Unhide is a forensic tool to find hidden processes and TCP/UDP ports by
rootkits / LKMs or by another hidden technique. It consists of two
programs: unhide and unhide-tcp.
unhide detects hidden processes through:
* Comparison of /proc vs /bin/ps output.
* Comparison of info gathered from /bin/ps with info gathered from.
* Syscalls (syscall scanning).
* Full PIDs space occupation (PIDs bruteforcing).
unhide-tcp identifies TCP/UDP ports that are listening but not listed in
/bin/netstat by brute-forcing all available TCP/UDP ports.
>How-To-Repeat:
>Fix:
--- unhide.shar begins here ---
# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# unhide
# unhide/Makefile
# unhide/files
# unhide/files/patch-Makefile
# unhide/distinfo
# unhide/pkg-descr
#
echo c - unhide
mkdir -p unhide > /dev/null 2>&1
echo x - unhide/Makefile
sed 's/^X//' >unhide/Makefile << '80f8b6017c513539fd5a60feb5294182'
X# New ports collection makefile for: unhide
X# Date created: 26 February 2009
X# Whom: ntarmos at cs.uoi.gr
X#
X# $FreeBSD$
X#
X
XPORTNAME= unhide
XPORTVERSION= 20080519
XCATEGORIES= security
XMASTER_SITES= http://www.security-projects.com/
XDISTNAME= ${PORTNAME}${DISTVERSION}
XEXTRACT_SUFX= .tgz
X
XMAINTAINER= ntarmos at cs.uoi.gr
XCOMMENT= A forensic tool to find hidden processes and TCP/UDP ports
X
XWRKSRC= ${WRKDIR}/${PORTNAME}-${DISTVERSION}
XPLIST_FILES= sbin/unhide sbin/unhide-tcp
XMAN8= unhide.8 unhide-tcp.8
XMANCOMPRESSED= yes
X
X.include <bsd.port.pre.mk>
X
Xpre-configure:
X @${REINPLACE_CMD} -e 's/-eLf/-axH/g' -e 's/$$2/$$1/g' ${WRKSRC}/unhide.c
X @${REINPLACE_CMD} -e 's/-t/-p tcp -/g' -e 's/-u/-p udp -/g' \
X ${WRKSRC}/unhide-tcp.c
X
X.include <bsd.port.post.mk>
80f8b6017c513539fd5a60feb5294182
echo c - unhide/files
mkdir -p unhide/files > /dev/null 2>&1
echo x - unhide/files/patch-Makefile
sed 's/^X//' >unhide/files/patch-Makefile << 'a9de08e4dbb8db8fa262303ddc558f88'
X--- /dev/null 2009-02-26 16:27:00.000000000 +0200
X+++ Makefile 2009-02-26 16:26:45.000000000 +0200
X@@ -0,0 +1,19 @@
X+DESTDIR := /usr/local
X+MANDIR := ${DESTDIR}/man
X+INSTALL_PROGRAM := /usr/bin/install -s -m 0700
X+INSTALL_MAN := /usr/bin/install -m 0444
X+GZIP_CMD := /usr/bin/gzip -9
X+MKDIR_CMD := /bin/mkdir -p
X+
X+all:
X+ gcc unhide.c -o unhide
X+ gcc unhide-tcp.c -o unhide-tcp
X+
X+install: all
X+ ${MKDIR_CMD} ${DESTDIR}/sbin ${MANDIR}/man8
X+ ${INSTALL_PROGRAM} unhide ${DESTDIR}/sbin/unhide
X+ ${INSTALL_PROGRAM} unhide-tcp ${DESTDIR}/sbin/unhide-tcp
X+ ${INSTALL_MAN} man/unhide.8 ${MANDIR}/man8 && \
X+ ${GZIP_CMD} ${MANDIR}/man8/unhide.8
X+ ${INSTALL_MAN} man/unhide-tcp.8 ${MANDIR}/man8 && \
X+ ${GZIP_CMD} ${MANDIR}/man8/unhide-tcp.8
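Review bot: the install prefix and compiler are hardcoded in this hunk. `DESTDIR := /usr/local` ignores the port's ${PREFIX}, and reusing the name DESTDIR collides with what the ports framework means by it (a staging root), so a `make DESTDIR=/foo` would relocate the whole tree instead of prefixing it; `gcc unhide.c -o unhide` likewise discards ${CC} and ${CFLAGS}. Suggest `PREFIX ?= /usr/local`, `MANDIR := ${PREFIX}/man`, `CC ?= cc` and `${CC} ${CFLAGS} -o unhide unhide.c`, with the port's Makefile passing PREFIX through MAKE_ARGS or MAKE_ENV. The `-m 0700` on INSTALL_PROGRAM is fine for a root-only forensic tool but deserves a comment saying it is intentional.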
a9de08e4dbb8db8fa262303ddc558f88
echo x - unhide/distinfo
sed 's/^X//' >unhide/distinfo << '291d2a6c3bca23c2290cc1b8828e77b7'
XMD5 (unhide20080519.tgz) = 1194ec0f89c6f28e8eb64fb66836f70f
XSHA256 (unhide20080519.tgz) = 631bc2fb09fa05351273021fd32483e5bf4187dcdc15222335fe2ddc5d146ae3
XSIZE (unhide20080519.tgz) = 17104
291d2a6c3bca23c2290cc1b8828e77b7
echo x - unhide/pkg-descr
sed 's/^X//' >unhide/pkg-descr << 'acce0e3235507f7eefa4a89c50d12e6e'
XUnhide is a forensic tool to find hidden processes and TCP/UDP ports by
Xrootkits / LKMs or by another hidden technique. It consists of two
Xprograms: unhide and unhide-tcp.
X
Xunhide detects hidden processes through:
X * Comparison of /proc vs /bin/ps output.
X * Comparison of info gathered from /bin/ps with info gathered from.
X * Syscalls (syscall scanning).
X * Full PIDs space occupation (PIDs bruteforcing).
X
Xunhide-tcp identifies TCP/UDP ports that are listening but not listed in
X/bin/netstat by brute-forcing all available TCP/UDP ports.
X
X
XWWW: http://www.security-projects.com/?Unhide/
acce0e3235507f7eefa4a89c50d12e6e
exit
--- unhide.shar ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
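The two brute-force checks the Description above attributes to unhide and unhide-tcp, as an added example that is not part of unhide or of the submitted port: a kill(2) sweep of the PID space compared against ps output, and a bind(2) sweep of TCP ports. It assumes a ps that accepts `-axo pid` (FreeBSD) or `-eLo tid` (procps on Linux, where kill(2) also answers for thread IDs, the same reason the port above swaps -eLf for -axH), fixes the PID ceiling at FreeBSD's default pid_max of 99999, and all function and macro names are my own.

```c
/* Added example (not unhide's code): the PID and TCP-port brute-force checks
 * the PR describes, for a POSIX host. MAX_PID is FreeBSD's default pid_max. */
#include <errno.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_PID 99999
#ifdef __linux__
#define PS_CMD "ps -eLo tid"    /* kill(2) also answers for thread IDs on Linux */
#else
#define PS_CMD "ps -axo pid"    /* FreeBSD: LWP ids live outside the PID space */
#endif

/* 1 if a process with this PID exists, even one we are not allowed to signal. */
int pid_exists(pid_t pid) { return kill(pid, 0) == 0 || errno == EPERM; }

/* Probe every PID from 1 to max_pid; returns how many exist. */
int scan_pids(pid_t max_pid, pid_t *out, int cap)
{
    int n = 0;
    for (pid_t pid = 1; pid <= max_pid && n < cap; pid++)
        if (pid_exists(pid))
            out[n++] = pid;
    return n;
}

/* IDs as reported by ps; returns count, or -1 if ps could not be started. */
int read_ps_pids(pid_t *out, int cap)
{
    FILE *fp = popen(PS_CMD, "r");
    if (!fp) return -1;
    char line[64]; int n = 0;
    while (n < cap && fgets(line, sizeof line, fp)) {
        char *end;
        long v = strtol(line, &end, 10);
        if (end != line && v > 0)           /* skips the header line */
            out[n++] = (pid_t)v;
    }
    pclose(fp);
    return n;
}

static int contains(const pid_t *list, int n, pid_t pid)
{
    while (n--) if (list[n] == pid) return 1;
    return 0;
}

/* PIDs the kernel admits to but ps does not list. Each candidate is probed
 * again so a process that merely exited between the sweep and the ps run is
 * not reported. Returns the count, or -1 if ps failed. */
int hidden_pids(pid_t max_pid, pid_t *out, int cap)
{
    static pid_t scanned[MAX_PID], listed[MAX_PID];
    int ns = scan_pids(max_pid, scanned, MAX_PID);
    int nl = read_ps_pids(listed, MAX_PID);
    if (nl < 0) return -1;
    int n = 0;
    for (int i = 0; i < ns && n < cap; i++)
        if (!contains(listed, nl, scanned[i]) && pid_exists(scanned[i]))
            out[n++] = scanned[i];
    return n;
}

/* 1 if bind() on the TCP port fails with EADDRINUSE (something holds it),
 * 0 if it is free, -1 otherwise (e.g. EACCES below port 1024 without root). */
int tcp_port_in_use(uint16_t port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa), err = errno;
    close(fd);
    return rc == 0 ? 0 : (err == EADDRINUSE ? 1 : -1);
}

/* Self-check: a listener we open must show as in use, then as free once it is
 * closed. The real sweep is tcp_port_in_use() over 1-65535 versus netstat. */
int port_probe_selftest(void)
{
    struct sockaddr_in sa = { .sin_family = AF_INET };   /* port 0: kernel picks */
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(fd, 1) < 0 || getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return 0;
    }
    uint16_t port = ntohs(sa.sin_port);
    int busy = tcp_port_in_use(port);
    close(fd);
    return busy == 1 && tcp_port_in_use(port) == 0;
}
```

Run hidden_pids() as root so that EPERM never masks a result, and compare the ports for which tcp_port_in_use() returns 1 against `sockstat -l` (FreeBSD) or `netstat -an`: a PID or port present here but absent there is what unhide and unhide-tcp report. A process that exits between the kill(2) sweep and the ps run would look exactly like a hidden one, which is why each candidate is probed a second time before it is counted.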