Date: Thu, 26 Feb 2009 16:57:49 +0200 (EET)
From: Nikos Ntarmos <ntarmos@cs.uoi.gr>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/132131: New port: security/unhide A forensic tool to find hidden processes and TCP/UDP ports
Message-ID: <200902261457.n1QEvnQI024566@zeus.cs.uoi.gr>
Resent-Message-ID: <200902261550.n1QFo27f059791@freefall.freebsd.org>
>Number:         132131
>Category:       ports
>Synopsis:       New port: security/unhide A forensic tool to find hidden processes and TCP/UDP ports
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 26 15:50:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Nikos Ntarmos
>Release:        FreeBSD 7.1-STABLE i386
>Organization:
Computer Science Dept., U. of Ioannina, Greece
>Environment:
System: FreeBSD ace.cs.uoi.gr 7.1-STABLE FreeBSD 7.1-STABLE #0: Mon Feb 9 02:02:57 EET 2009 ntarmos@ace.netcins.ceid.upatras.gr:/opt/obj/opt/src/sys/ACE i386
>Description:
Unhide is a forensic tool to find hidden processes and TCP/UDP ports by
rootkits / LKMs or by another hidden technique. It consists of two
programs: unhide and unhide-tcp.

unhide detects hidden processes through:
 * Comparison of /proc vs /bin/ps output.
 * Comparison of info gathered from /bin/ps with info gathered from.
 * Syscalls (syscall scanning).
 * Full PIDs space occupation (PIDs bruteforcing).

unhide-tcp identifies TCP/UDP ports that are listening but not listed in
/bin/netstat by doing brute forcing of all TCP/UDP ports available.
>How-To-Repeat:
>Fix:
--- unhide.shar begins here ---
# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	unhide
#	unhide/Makefile
#	unhide/files
#	unhide/files/patch-Makefile
#	unhide/distinfo
#	unhide/pkg-descr
#
echo c - unhide
mkdir -p unhide > /dev/null 2>&1
echo x - unhide/Makefile
sed 's/^X//' >unhide/Makefile << '80f8b6017c513539fd5a60feb5294182'
X# New ports collection makefile for:	unhide
X# Date created:		26 February 2009
X# Whom:			ntarmos@cs.uoi.gr
X#
X# $FreeBSD$
X#
X
XPORTNAME=	unhide
XPORTVERSION=	20080519
XCATEGORIES=	security
XMASTER_SITES=	http://www.security-projects.com/
XDISTNAME=	${PORTNAME}${DISTVERSION}
XEXTRACT_SUFX=	.tgz
X
XMAINTAINER=	ntarmos@cs.uoi.gr
XCOMMENT=	A forensic tool to find hidden processes and TCP/UDP ports
X
XWRKSRC=		${WRKDIR}/${PORTNAME}-${DISTVERSION}
XPLIST_FILES=	sbin/unhide sbin/unhide-tcp
XMAN8=		unhide.8 unhide-tcp.8
XMANCOMPRESSED=	yes
X
X.include <bsd.port.pre.mk>
X
Xpre-configure:
X	@${REINPLACE_CMD} -e 's/-eLf/-axH/g' -e 's/$$2/$$1/g' ${WRKSRC}/unhide.c
X	@${REINPLACE_CMD} -e 's/-t/-p tcp -/g' -e 's/-u/-p udp -/g' \
X		${WRKSRC}/unhide-tcp.c
X
X.include <bsd.port.post.mk>
80f8b6017c513539fd5a60feb5294182
echo c - unhide/files
mkdir -p unhide/files > /dev/null 2>&1
echo x - unhide/files/patch-Makefile
sed 's/^X//' >unhide/files/patch-Makefile << 'a9de08e4dbb8db8fa262303ddc558f88'
X--- /dev/null	2009-02-26 16:27:00.000000000 +0200
X+++ Makefile	2009-02-26 16:26:45.000000000 +0200
X@@ -0,0 +1,19 @@
X+DESTDIR := /usr/local
X+MANDIR := ${DESTDIR}/man
X+INSTALL_PROGRAM := /usr/bin/install -s -m 0700
X+INSTALL_MAN := /usr/bin/install -m 0444
X+GZIP_CMD := /usr/bin/gzip -9
X+MKDIR_CMD := /bin/mkdir -p
X+
X+all:
X+	gcc unhide.c -o unhide
X+	gcc unhide-tcp.c -o unhide-tcp
X+
X+install: all
X+	${MKDIR_CMD} ${DESTDIR}/sbin ${MANDIR}/man8
X+	${INSTALL_PROGRAM} unhide ${DESTDIR}/sbin/unhide
X+	${INSTALL_PROGRAM} unhide-tcp ${DESTDIR}/sbin/unhide-tcp
X+	${INSTALL_MAN} man/unhide.8 ${MANDIR}/man8 && \
X+	${GZIP_CMD} ${MANDIR}/man8/unhide.8
X+	${INSTALL_MAN} man/unhide-tcp.8 ${MANDIR}/man8 && \
X+	${GZIP_CMD} ${MANDIR}/man8/unhide-tcp.8
a9de08e4dbb8db8fa262303ddc558f88
echo x - unhide/distinfo
sed 's/^X//' >unhide/distinfo << '291d2a6c3bca23c2290cc1b8828e77b7'
XMD5 (unhide20080519.tgz) = 1194ec0f89c6f28e8eb64fb66836f70f
XSHA256 (unhide20080519.tgz) = 631bc2fb09fa05351273021fd32483e5bf4187dcdc15222335fe2ddc5d146ae3
XSIZE (unhide20080519.tgz) = 17104
291d2a6c3bca23c2290cc1b8828e77b7
echo x - unhide/pkg-descr
sed 's/^X//' >unhide/pkg-descr << 'acce0e3235507f7eefa4a89c50d12e6e'
XUnhide is a forensic tool to find hidden processes and TCP/UDP ports by
Xrootkits / LKMs or by another hidden technique. It consists of two
Xprograms: unhide and unhide-tcp.
X
Xunhide detects hidden processes through:
X * Comparison of /proc vs /bin/ps output.
X * Comparison of info gathered from /bin/ps with info gathered from.
X * Syscalls (syscall scanning).
X * Full PIDs space occupation (PIDs bruteforcing).
X
Xunhide-tcp identifies TCP/UDP ports that are listening but not listed in
X/bin/netstat by doing brute forcing of all TCP/UDP ports available.
X
X
XWWW: http://www.security-projects.com/?Unhide/
acce0e3235507f7eefa4a89c50d12e6e
exit
--- unhide.shar ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
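Review bot: the Makefile added in files/patch-Makefile hardcodes the compiler and install prefix (`gcc unhide.c -o unhide`, `DESTDIR := /usr/local`, `MANDIR := ${DESTDIR}/man`), so the CC, CFLAGS and PREFIX that the ports framework passes in are ignored; consider `${CC} ${CFLAGS} unhide.c -o unhide` and `PREFIX ?= /usr/local` with DESTDIR derived from it, so the port still builds correctly when PREFIX is changed. `INSTALL_PROGRAM := /usr/bin/install -s -m 0700` also strips unconditionally, which defeats WITH_DEBUG builds; leaving stripping to the ports framework is the usual fix. The gzip step is consistent with `MANCOMPRESSED= yes` in the port Makefile, so no change is needed there.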
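The comparison idea behind unhide and unhide-tcp, as an added example in Python that is not part of this PR or of unhide's own C source: enumerate the PID space with kill(pid, 0) and the TCP port space with bind(), then diff each against the view the ordinary listing tools give (ps, procfs) and re-check candidates so that processes which merely exited between the two snapshots are not reported. The ps command line (`ps -ax -o pid=`, which both FreeBSD and Linux accept), the default scan ceiling of 32768 and all function names are assumptions of this example; the procfs view is skipped when /proc is not mounted, which is the FreeBSD default, and the list of bound ports is printed for comparison against `sockstat -l` or `netstat -an` rather than parsed here.

```python
"""Cross-view checks for hidden processes and listening ports.

Added example, not code from the PR or from unhide itself.  The idea is the
one the PR describes: probe the whole PID / port space directly, then diff
the result against what the normal listing tools report.  Anything that
answers a probe but is missing from the listing deserves manual follow-up.
"""
import errno
import os
import socket
import subprocess
from typing import Iterable, Optional, Set

# Assumed command line; `ps -ax -o pid=` prints bare PIDs on FreeBSD and Linux.
PS_CMD = ("ps", "-ax", "-o", "pid=")


def probe_pids(max_pid: int, min_pid: int = 1) -> Set[int]:
    """PID-space brute force.  kill(pid, 0) delivers no signal but reports
    whether the PID exists: ESRCH means no such process, EPERM means it
    exists but belongs to another user (still counts as present)."""
    present: Set[int] = set()
    for pid in range(min_pid, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        present.add(pid)
    return present


def ps_pids(ps_cmd: Iterable[str] = PS_CMD) -> Optional[Set[int]]:
    """PIDs according to ps, or None when ps cannot be run."""
    try:
        out = subprocess.run(list(ps_cmd), capture_output=True, text=True,
                             check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return {int(tok) for tok in out.split() if tok.isdigit()}


def procfs_pids(proc: str = "/proc") -> Optional[Set[int]]:
    """PIDs according to procfs, or None when it is not mounted."""
    if not os.path.isdir(proc):
        return None
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def diff_views(probed: Set[int], listed: Optional[Set[int]]) -> Set[int]:
    """Pure comparison: items found by probing that the listing tool omitted.
    An unavailable listing (None) yields no findings rather than false ones."""
    if listed is None:
        return set()
    return probed - listed


def hidden_pids(max_pid: int, rounds: int = 2) -> Set[int]:
    """Probe, diff against ps, then re-check each candidate so that a process
    that exited between the probe and the ps run is not reported."""
    candidates = diff_views(probe_pids(max_pid), ps_pids())
    for _ in range(rounds - 1):
        if not candidates:
            break
        still_present = {p for p in candidates if probe_pids(p, p)}
        candidates = diff_views(still_present, ps_pids())
    return candidates


def probe_tcp_ports(lo: int, hi: int) -> Set[int]:
    """Port-space brute force.  A bind() that fails with EADDRINUSE means some
    socket already holds the port; EACCES (privileged port, non-root) is
    simply not counted, so run as root for ports below 1024."""
    in_use: Set[int] = set()
    for port in range(lo, hi + 1):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            try:
                s.bind(("", port))
            except OSError as e:
                if e.errno == errno.EADDRINUSE:
                    in_use.add(port)
    return in_use


def own_pid_is_probed() -> bool:
    """Self-check: the interpreter itself must show up in a PID probe."""
    pid = os.getpid()
    return pid in probe_pids(pid, max(1, pid - 64))


def listener_is_probed() -> bool:
    """Self-check: a loopback listener opened here must show up as in use."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return port in probe_tcp_ports(port, port)


if __name__ == "__main__":
    import sys
    # Assumed default ceiling; pass kern.pid_max (FreeBSD) or pid_max (Linux).
    top = int(sys.argv[1]) if len(sys.argv) > 1 else 32768
    print("PIDs present but absent from ps:  ", sorted(hidden_pids(top)))
    print("PIDs present but absent from /proc:", sorted(diff_views(probe_pids(top), procfs_pids())))
    print("TCP ports bound (compare with sockstat -l / netstat -an):", sorted(probe_tcp_ports(1, 1024)))
```

The two self-checks are there so the scanner proves it can see a known process and a known listener before its empty result is trusted; a probe that reports nothing on a host where it cannot even see itself is a broken probe, not a clean host.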