unhide finds hidden processes; unhide-tcp, built alongside it, finds hidden TCP/UDP ports. rkhunter (RKH) calls both for its hidden_procs and hidden_ports tests.
http://www.unhide-forensics.info/?Linux
Unpack
$ tar xvf unhide*.tgz
Compile executables
$ su -
# cd /pathway2/unhide*
# gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
# gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
Install
# cp unhide-linux /usr/local/bin/ && cp unhide-tcp /usr/local/bin/
# ln -s /usr/local/bin/unhide-linux /usr/local/bin/unhide
Recommended: test the unhide command by hand before letting RKH call it
$ su -
# unhide -v quick > /tmp/quick
# cat /tmp/quick
Unhide 20121229
Copyright © 2012 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info
NOTE : This version of unhide is for systems using Linux >= 2.6
Used options: verbose
[*]Searching for Hidden processes through comparison of results of system calls, proc, dir and ps
# unhide --help (lists the other test names and options)
In rkhunter.conf, line 353 reads DISABLE_TESTS="suspscan deleted_files packet_cap_apps"; hidden_procs and hidden_ports are not in that list, so both tests stay enabled.
Lines 1157, 1167 and 1181 of the stock config are already fine as shipped and need no edit.
If you have not run your first scan yet, jump back to the initial config page.
Below assumes you have done the initial CONF and run your first scan.
If you elected not to edit CONF before the first scan, remember to run propupd so the database reflects your changed conf file before your next scan.
Log snippet using unhide C version
[17:53:10] Info: Starting test name 'hidden_procs'
[17:53:10] Info: Found the 'unhide' command: /usr/local/bin/unhide
[17:53:11] Info: Found 'unhide' command version: 20121229
[17:53:35] Using command '/usr/local/bin/unhide sys' [ None found ]
[17:53:35] Checking for hidden processes [ None found ]
(irrelevant log entries culled)
[17:53:38] Info: Starting test name 'hidden_ports'
[17:53:38] Info: Found the 'unhide-tcp' command: /usr/local/bin/unhide-tcp
[17:53:39] Checking for hidden ports [ None found ]
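A quick way to verify both of the points above (the DISABLE_TESTS line in rkhunter.conf and the log entries showing that rkhunter found and used unhide), as an added shell example that is not part of these notes and not rkhunter's or unhide's own code. It runs against constructed sample files written to a temp directory; the function names are made up for this example, and the "[ Warning ]" token in the bad sample log is an assumption about how rkhunter marks a failed check.

```shell
#!/bin/sh
# Added example, not part of the original notes. Checks that rkhunter.conf
# leaves the unhide-backed tests enabled and that a finished rkhunter log
# shows both unhide binaries were found and both checks came back clean.

# rkh_unhide_tests_enabled CONF
# Exit 0 when neither hidden_procs nor hidden_ports appears in the active
# (uncommented) DISABLE_TESTS line.
rkh_unhide_tests_enabled() {
    disabled=$(sed -n 's/^DISABLE_TESTS=//p' "$1" | tr -d '"')
    for t in $disabled; do
        case "$t" in
            hidden_procs|hidden_ports) return 1 ;;
        esac
    done
    return 0
}

# rkh_unhide_used LOG
# Exit 0 only when the log shows unhide and unhide-tcp were located and the
# hidden-process and hidden-port checks both reported "[ None found ]".
rkh_unhide_used() {
    grep -q "Found the 'unhide' command" "$1" || return 1
    grep -q "Found the 'unhide-tcp' command" "$1" || return 1
    grep -q "Checking for hidden processes.*\[ None found \]" "$1" || return 1
    grep -q "Checking for hidden ports.*\[ None found \]" "$1" || return 1
    return 0
}

# Constructed sample inputs (not real files from any system).
TMP=$(mktemp -d)
GOOD_CONF="$TMP/good.conf"
BAD_CONF="$TMP/bad.conf"
GOOD_LOG="$TMP/good.log"
BAD_LOG="$TMP/bad.log"

# Stock-style config: hidden_procs/hidden_ports are not disabled.
cat > "$GOOD_CONF" <<'EOF'
#DISABLE_TESTS="hidden_procs"
DISABLE_TESTS="suspscan deleted_files packet_cap_apps"
EOF

# Misconfigured: the unhide-backed process test is switched off.
cat > "$BAD_CONF" <<'EOF'
DISABLE_TESTS="suspscan hidden_procs"
EOF

# Log modelled on the snippet above (timestamps and paths constructed).
cat > "$GOOD_LOG" <<'EOF'
[17:53:10] Info: Starting test name 'hidden_procs'
[17:53:10] Info: Found the 'unhide' command: /usr/local/bin/unhide
[17:53:11] Info: Found 'unhide' command version: 20121229
[17:53:35] Using command '/usr/local/bin/unhide sys' [ None found ]
[17:53:35] Checking for hidden processes [ None found ]
[17:53:38] Info: Starting test name 'hidden_ports'
[17:53:38] Info: Found the 'unhide-tcp' command: /usr/local/bin/unhide-tcp
[17:53:39] Checking for hidden ports [ None found ]
EOF

# Bad run: unhide-tcp never located, port check flagged (Warning token assumed).
cat > "$BAD_LOG" <<'EOF'
[17:53:10] Info: Starting test name 'hidden_procs'
[17:53:10] Info: Found the 'unhide' command: /usr/local/bin/unhide
[17:53:35] Checking for hidden processes [ None found ]
[17:53:38] Info: Starting test name 'hidden_ports'
[17:53:39] Checking for hidden ports [ Warning ]
EOF

# Usage: replace the sample paths with /etc/rkhunter.conf and
# /var/log/rkhunter.log on a real host.
if rkh_unhide_tests_enabled "$GOOD_CONF"; then
    echo "config: unhide tests enabled"
fi
if rkh_unhide_used "$GOOD_LOG"; then
    echo "log: unhide and unhide-tcp found, nothing hidden"
fi
```

Both functions are exit-status only, so they drop straight into a cron wrapper around rkhunter: a non-zero status from either is the signal that the unhide coverage you set up above is not actually in effect.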