1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
Source: unhide
Section: admin
Priority: optional
Maintainer: Debian Security Tools <team+pkg-security@tracker.debian.org>
Uploaders:
Build-Depends: debhelper-compat (= 12)
Standards-Version: 4.4.1
Rules-Requires-Root: no
Homepage: http://www.unhide-forensics.info
Vcs-Browser: https://salsa.debian.org/pkg-security-team/unhide
Vcs-Git: https://salsa.debian.org/pkg-security-team/unhide.git
Package: unhide
Architecture: any
Depends: ${misc:Depends}, ${shlibs:Depends}
Suggests: rkhunter
Description: Forensic tool to find hidden processes and ports
Unhide is a forensic tool to find processes and TCP/UDP ports hidden by
rootkits, Linux kernel modules or by other techniques. It includes two
utilities: unhide and unhide-tcp.
.
unhide detects hidden processes using the following six techniques:
* Compare /proc vs /bin/ps output
* Compare info gathered from /bin/ps with info gathered by walking thru the
procfs.
* Compare info gathered from /bin/ps with info gathered from syscalls
(syscall scanning).
* Full PIDs space occupation (PIDs bruteforcing)
* Reverse search, verify that all thread seen by ps are also seen by the
kernel (/bin/ps output vs /proc, procfs walking and syscall)
* Quick compare /proc, procfs walking and syscall vs /bin/ps output
.
unhide-tcp identifies TCP/UDP ports that are listening but are not listed in
/bin/netstat through brute forcing of all TCP/UDP ports available.
.
This package can be used by rkhunter in its daily scans.
.
This package is useful for network security checks, in addition to forensics
investigations.
|
