From owner-freebsd-ports-bugs@FreeBSD.ORG Thu Feb 26 15:50:03 2009
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Resent-Date: Thu, 26 Feb 2009 15:50:02 GMT
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Message-Id: <200902261457.n1QEvnQI024566@zeus.cs.uoi.gr>
Date: Thu, 26 Feb 2009 16:57:49 +0200 (EET)
From: Nikos Ntarmos
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/132131: New port: security/unhide A forensic tool to find hidden processes and TCP/UDP ports
Reply-To: Nikos Ntarmos

>Number:         132131
>Category:       ports
>Synopsis:       New port: security/unhide A forensic tool to find hidden processes and TCP/UDP ports
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 26 15:50:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Nikos Ntarmos
>Release:        FreeBSD 7.1-STABLE i386
>Organization:
Computer Science Dept., U. of Ioannina, Greece
>Environment:
System: FreeBSD ace.cs.uoi.gr 7.1-STABLE FreeBSD 7.1-STABLE #0: Mon Feb 9 02:02:57 EET 2009 ntarmos@ace.netcins.ceid.upatras.gr:/opt/obj/opt/src/sys/ACE i386
>Description:
Unhide is a forensic tool to find hidden processes and TCP/UDP ports by
rootkits / LKMs or by another hidden technique. It consists of two
programs: unhide and unhide-tcp.

unhide detects hidden processes through:
 * Comparison of /proc vs /bin/ps output.
 * Comparison of info gathered from /bin/ps with info gathered from.
 * Syscalls (syscall scanning).
 * Full PIDs space occupation (PIDs bruteforcing).

unhide-tcp identifies TCP/UDP ports that are listening but not listed in
/bin/netstat by doing brute forcing of all TCP/UDP ports available.
>How-To-Repeat:
>Fix:
--- unhide.shar begins here ---
# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	unhide
#	unhide/Makefile
#	unhide/files
#	unhide/files/patch-Makefile
#	unhide/distinfo
#	unhide/pkg-descr
#
echo c - unhide
mkdir -p unhide > /dev/null 2>&1
echo x - unhide/Makefile
sed 's/^X//' >unhide/Makefile << '80f8b6017c513539fd5a60feb5294182'
X# New ports collection makefile for:	unhide
X# Date created:		26 February 2009
X# Whom:			ntarmos@cs.uoi.gr
X#
X# $FreeBSD$
X#
X
XPORTNAME=	unhide
XPORTVERSION=	20080519
XCATEGORIES=	security
XMASTER_SITES=	http://www.security-projects.com/
XDISTNAME=	${PORTNAME}${DISTVERSION}
XEXTRACT_SUFX=	.tgz
X
XMAINTAINER=	ntarmos@cs.uoi.gr
XCOMMENT=	A forensic tool to find hidden processes and TCP/UDP ports
X
XWRKSRC=		${WRKDIR}/${PORTNAME}-${DISTVERSION}
XPLIST_FILES=	sbin/unhide sbin/unhide-tcp
XMAN8=		unhide.8 unhide-tcp.8
XMANCOMPRESSED=	yes
X
X.include
X
Xpre-configure:
X	@${REINPLACE_CMD} -e 's/-eLf/-axH/g' -e 's/$$2/$$1/g' ${WRKSRC}/unhide.c
X	@${REINPLACE_CMD} -e 's/-t/-p tcp -/g' -e 's/-u/-p udp -/g' \
X		${WRKSRC}/unhide-tcp.c
X
X.include
80f8b6017c513539fd5a60feb5294182
echo c - unhide/files
mkdir -p unhide/files > /dev/null 2>&1
echo x - unhide/files/patch-Makefile
sed 's/^X//' >unhide/files/patch-Makefile << 'a9de08e4dbb8db8fa262303ddc558f88'
X--- /dev/null	2009-02-26 16:27:00.000000000 +0200
X+++ Makefile	2009-02-26 16:26:45.000000000 +0200
X@@ -0,0 +1,19 @@
X+DESTDIR := /usr/local
X+MANDIR := ${DESTDIR}/man
X+INSTALL_PROGRAM := /usr/bin/install -s -m 0700
X+INSTALL_MAN := /usr/bin/install -m 0444
X+GZIP_CMD := /usr/bin/gzip -9
X+MKDIR_CMD := /bin/mkdir -p
X+
X+all:
X+	gcc unhide.c -o unhide
X+	gcc unhide-tcp.c -o unhide-tcp
X+
X+install: all
X+	${MKDIR_CMD} ${DESTDIR}/sbin ${MANDIR}/man8
X+	${INSTALL_PROGRAM} unhide ${DESTDIR}/sbin/unhide
X+	${INSTALL_PROGRAM} unhide-tcp ${DESTDIR}/sbin/unhide-tcp
X+	${INSTALL_MAN} man/unhide.8 ${MANDIR}/man8 && \
X+		${GZIP_CMD} ${MANDIR}/man8/unhide.8
X+	${INSTALL_MAN} man/unhide-tcp.8 ${MANDIR}/man8 && \
X+		${GZIP_CMD} ${MANDIR}/man8/unhide-tcp.8
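Review bot: the `all:` recipe hard-codes the compiler (`gcc unhide.c -o unhide`, `gcc unhide-tcp.c -o unhide-tcp`) and ignores the flags the ports framework passes in; write these as `${CC} ${CFLAGS} unhide.c -o unhide` (and the same for unhide-tcp) so the port builds with the system compiler and respects user CFLAGS. In the same way `DESTDIR := /usr/local` fixes the install prefix, while the port Makefile's `PLIST_FILES= sbin/unhide sbin/unhide-tcp` are relative to whatever prefix the framework installs under; use `DESTDIR ?= ${PREFIX}` so the two stay consistent. One more point worth a comment in the file: `INSTALL_PROGRAM := /usr/bin/install -s -m 0700` installs root-only binaries, which is defensible for a forensic tool that needs root anyway, but it differs from the usual 0755 and should be stated as intentional.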
a9de08e4dbb8db8fa262303ddc558f88
echo x - unhide/distinfo
sed 's/^X//' >unhide/distinfo << '291d2a6c3bca23c2290cc1b8828e77b7'
XMD5 (unhide20080519.tgz) = 1194ec0f89c6f28e8eb64fb66836f70f
XSHA256 (unhide20080519.tgz) = 631bc2fb09fa05351273021fd32483e5bf4187dcdc15222335fe2ddc5d146ae3
XSIZE (unhide20080519.tgz) = 17104
291d2a6c3bca23c2290cc1b8828e77b7
echo x - unhide/pkg-descr
sed 's/^X//' >unhide/pkg-descr << 'acce0e3235507f7eefa4a89c50d12e6e'
XUnhide is a forensic tool to find hidden processes and TCP/UDP ports by
Xrootkits / LKMs or by another hidden technique. It consists of two
Xprograms: unhide and unhide-tcp.
X
Xunhide detects hidden processes through:
X * Comparison of /proc vs /bin/ps output.
X * Comparison of info gathered from /bin/ps with info gathered from.
X * Syscalls (syscall scanning).
X * Full PIDs space occupation (PIDs bruteforcing).
X
Xunhide-tcp identifies TCP/UDP ports that are listening but not listed in
X/bin/netstat by doing brute forcing of all TCP/UDP ports available.
X
X
XWWW: http://www.security-projects.com/?Unhide/
acce0e3235507f7eefa4a89c50d12e6e
exit
--- unhide.shar ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
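The hidden-process checks the PR's >Description lists, "full PID space occupation" through the syscall interface and comparison against /bin/ps, as an added C example. This is not code from the PR or from unhide itself; it assumes a PID ceiling of 99999 (FreeBSD's default PID_MAX), reads the PID column with the `ps -axH` flags the port's `pre-configure` target substitutes in, and all function names are invented for the example.

```c
/* Added example (not from the PR or from unhide's own source): two of the
 * checks listed in the PR description, "full PID space occupation" (probing
 * every PID through the kill(2) syscall) and comparing that list with what
 * /bin/ps reports, run with the FreeBSD ps flags (-axH) the port substitutes
 * in.  MAX_PID and all function names are assumptions made for this example. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_PID 99999   /* assumed ceiling; equals FreeBSD's default PID_MAX */

/* 1 if a process with this PID exists.  Signal 0 delivers nothing, but the
 * kernel still answers ESRCH for a free PID and EPERM for another user's
 * process; EPERM therefore also proves the PID is in use. */
int pid_exists(pid_t pid) {
    if (kill(pid, 0) == 0)
        return 1;
    return errno == EPERM;
}

/* "PIDs bruteforcing": walk the whole PID space with the syscall probe.
 * Returns how many live PIDs were stored in out (at most cap). */
size_t bruteforce_pids(pid_t *out, size_t cap) {
    size_t n = 0;
    for (pid_t pid = 1; pid <= MAX_PID && n < cap; pid++)
        if (pid_exists(pid))
            out[n++] = pid;
    return n;
}

/* Parse the output of `ps -axH -o pid=`: one PID per line, leading blanks
 * allowed, a header line (if present) ignored.  Returns the number parsed. */
size_t parse_ps_pids(const char *text, pid_t *out, size_t cap) {
    size_t n = 0;
    char *copy = strdup(text), *save = NULL;
    if (copy == NULL)
        return 0;
    for (char *line = strtok_r(copy, "\n", &save); line != NULL && n < cap;
         line = strtok_r(NULL, "\n", &save)) {
        char *end;
        long v = strtol(line, &end, 10);   /* strtol skips leading blanks */
        if (end != line && v > 0)          /* otherwise: header or blank line */
            out[n++] = (pid_t)v;
    }
    free(copy);
    return n;
}

static int in_list(pid_t pid, const pid_t *list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (list[i] == pid)
            return 1;
    return 0;
}

/* PIDs the syscall probe found but ps did not report.  The prober's own PID
 * (self) is skipped, since ps did not run at the same instant and may
 * legitimately differ on it.  Returns the number of suspects stored. */
size_t find_hidden(const pid_t *probed, size_t np, const pid_t *from_ps, size_t ns,
                   pid_t self, pid_t *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < np && n < cap; i++)
        if (probed[i] != self && !in_list(probed[i], from_ps, ns))
            out[n++] = probed[i];
    return n;
}

/* Run ps(1) and collect its PID column; returns -1 if ps could not be run. */
long ps_pids(pid_t *out, size_t cap) {
    static char buf[1 << 18];
    FILE *fp = popen("ps -axH -o pid=", "r");
    if (fp == NULL)
        return -1;
    size_t len = fread(buf, 1, sizeof buf - 1, fp);
    buf[len] = '\0';
    if (pclose(fp) != 0)
        return -1;
    return (long)parse_ps_pids(buf, out, cap);
}

int main(void) {
    static pid_t probed[MAX_PID], seen[MAX_PID], hidden[MAX_PID];
    size_t np = bruteforce_pids(probed, MAX_PID);
    long ns = ps_pids(seen, MAX_PID);
    if (ns < 0) {
        fprintf(stderr, "could not run ps\n");
        return 1;
    }
    size_t nh = find_hidden(probed, np, seen, (size_t)ns, getpid(), hidden, MAX_PID);
    printf("probe: %zu live PIDs, ps: %ld, alive but unreported: %zu\n", np, ns, nh);
    for (size_t i = 0; i < nh; i++)
        printf("PID %ld is alive but missing from ps output\n", (long)hidden[i]);
    return nh ? 2 : 0;
}
```

Build with `cc -o pidcheck pidcheck.c` and run as root so that EPERM never masks a free PID. Two caveats apply to any single check of this kind: a process that exits between the probe and the ps run shows up as a transient false positive (rerun to confirm), and a kernel module that filters the kill(2) path as well as /proc hides from this probe too, which is why unhide combines several independent methods rather than relying on one.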
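The unhide-tcp check the PR describes, brute forcing the port space and comparing the result with what /bin/netstat lists, as an added C example for the TCP half. This is not code from the PR or from unhide-tcp itself; it probes each port by attempting a bind (EADDRINUSE means some socket already holds it), reads netstat with the `-p tcp` form the port's `pre-configure` target substitutes in, and NETSTAT_CMD and all function names are assumptions made for the example.

```c
/* Added example (not from the PR or from unhide-tcp's own source): the check
 * the PR describes for unhide-tcp, brute-forcing every TCP port by trying to
 * bind it (EADDRINUSE means a socket already holds it) and comparing the
 * result with the ports netstat knows about, using the `netstat -p tcp` form
 * the port substitutes in.  NETSTAT_CMD and all function names are
 * assumptions made for this example. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* FreeBSD form (the port rewrites the Linux `-t` flag into `-p tcp`);
 * on Linux the equivalent is `netstat -ant`. */
#define NETSTAT_CMD "netstat -an -p tcp"

/* 1 if some socket already holds this TCP port, 0 if it is free, -1 if the
 * probe cannot tell (typically EACCES below port 1024 when not root, which
 * is why the tool is meant to run as root). */
int tcp_port_in_use(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY); /* wildcard clashes with any local bind */
    sa.sin_port = htons(port);
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    int err = errno;
    close(fd);
    if (rc == 0)
        return 0;
    return err == EADDRINUSE ? 1 : -1;
}

/* Collect the local port of every tcp line in netstat output, whatever its
 * state (an ESTABLISHED connection also makes bind fail, so it must count as
 * known).  FreeBSD prints addr.port, Linux addr:port; the port follows the
 * last separator. */
size_t parse_netstat_local_ports(const char *text, unsigned short *out, size_t cap) {
    size_t n = 0;
    char *copy = strdup(text), *save = NULL;
    if (copy == NULL)
        return 0;
    for (char *line = strtok_r(copy, "\n", &save); line != NULL && n < cap;
         line = strtok_r(NULL, "\n", &save)) {
        char proto[16], local[64];
        unsigned long rq, sq;
        if (strncmp(line, "tcp", 3) != 0 ||
            sscanf(line, "%15s %lu %lu %63s", proto, &rq, &sq, local) != 4)
            continue;
        char *dot = strrchr(local, '.'), *colon = strrchr(local, ':');
        char *sep = (colon != NULL && (dot == NULL || colon > dot)) ? colon : dot;
        long port = sep ? strtol(sep + 1, NULL, 10) : 0;
        if (port > 0 && port < 65536)
            out[n++] = (unsigned short)port;
    }
    free(copy);
    return n;
}

static int in_list(unsigned short port, const unsigned short *list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (list[i] == port)
            return 1;
    return 0;
}

/* Ports in [lo, hi] that the bind probe reports busy but netstat did not
 * list.  Undecidable ports (-1) are skipped.  Returns the number stored. */
size_t find_hidden_ports(unsigned short lo, unsigned short hi,
                         const unsigned short *listed, size_t nl,
                         unsigned short *out, size_t cap) {
    size_t n = 0;
    for (unsigned p = lo; p <= hi && n < cap; p++)
        if (tcp_port_in_use((unsigned short)p) == 1 && !in_list((unsigned short)p, listed, nl))
            out[n++] = (unsigned short)p;
    return n;
}

int main(void) {
    static char buf[1 << 20];
    static unsigned short listed[65536], hidden[65536];
    FILE *fp = popen(NETSTAT_CMD, "r");
    if (fp == NULL) {
        perror("popen");
        return 1;
    }
    size_t len = fread(buf, 1, sizeof buf - 1, fp);
    buf[len] = '\0';
    pclose(fp);
    size_t nl = parse_netstat_local_ports(buf, listed, 65536);
    size_t nh = find_hidden_ports(1, 65535, listed, nl, hidden, 65536);
    printf("netstat knows %zu local TCP ports; %zu busy ports are not among them\n", nl, nh);
    for (size_t i = 0; i < nh; i++)
        printf("TCP port %u is in use but not reported by netstat\n", (unsigned)hidden[i]);
    return nh ? 2 : 0;
}
```

Run it as root, since a bind on a privileged port fails with EACCES for other users and such ports are then reported as undecidable rather than hidden. The probe does not set SO_REUSEADDR on purpose: with it, a wildcard bind could succeed beside an existing listener on a specific address and the port would be missed. UDP needs the same loop over SOCK_DGRAM sockets, which the example leaves out.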