From a398b1614d419c355b6732c4d60c6d1ff70f3c19 Mon Sep 17 00:00:00 2001 From: fan Li <15201710458@163.com> Date: Sun, 21 Jan 2018 15:38:33 +0800 Subject: [PATCH 1/2] Delete 20111124 How to find hidden processes and ports on Linux-Unix-Windows.md --- ...ocesses and ports on Linux-Unix-Windows.md | 208 ------------------ 1 file changed, 208 deletions(-) delete mode 100644 sources/tech/20111124 How to find hidden processes and ports on Linux-Unix-Windows.md diff --git a/sources/tech/20111124 How to find hidden processes and ports on Linux-Unix-Windows.md b/sources/tech/20111124 How to find hidden processes and ports on Linux-Unix-Windows.md deleted file mode 100644 index 15b667f3d2..0000000000 --- a/sources/tech/20111124 How to find hidden processes and ports on Linux-Unix-Windows.md +++ /dev/null @@ -1,208 +0,0 @@ -Translating by ljgibbslf - -How to find hidden processes and ports on Linux/Unix/Windows -====== -Unhide is a little handy forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique. This tool works under Linux, Unix-like system, and MS-Windows operating systems. From the man page: - -> It detects hidden processes using three techniques: -> -> 1. The proc technique consists of comparing /proc with the output of [/bin/ps][1]. -> 2. The sys technique consists of comparing information gathered from [/bin/ps][1] with information gathered from system calls. -> 3. The brute technique consists of bruteforcing the all process IDs. This technique is only available on Linux 2.6 kernels. -> - - - -Most rootkits/malware use the power of the kernel to hide, they are only visible from within the kernel. You can use unhide or tool such as [rkhunter to scan for rootkits, backdoors, and possible][2] local exploits. -[![How to find hidden process and ports on Linux, Unix, FreeBSD and Windows][3]][3] -This page describes how to install unhide and search for hidden process and TCP/UDP ports. - -### How do I Install Unhide? - -It is recommended that you run this tool from read-only media. To install the same under a Debian or Ubuntu Linux, type the following [apt-get command][4]/[apt command][5]: -`$ sudo apt-get install unhide` -Sample outputs: -``` -[sudo] password for vivek: -Reading package lists... Done -Building dependency tree -Reading state information... Done -Suggested packages: - rkhunter -The following NEW packages will be installed: - unhide -0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. -Need to get 46.6 kB of archives. -After this operation, 136 kB of additional disk space will be used. -Get:1 http://in.archive.ubuntu.com/ubuntu artful/universe amd64 unhide amd64 20130526-1 [46.6 kB] -Fetched 46.6 kB in 0s (49.0 kB/s) -Selecting previously unselected package unhide. -(Reading database ... 205367 files and directories currently installed.) -Preparing to unpack .../unhide_20130526-1_amd64.deb ... -Unpacking unhide (20130526-1) ... -Setting up unhide (20130526-1) ... -Processing triggers for man-db (2.7.6.1-2) ... -``` - -### How to install unhide on a RHEL/CentOS/Oracle/Scientific/Fedora Linux - -Type the following [yum command][6] (first turn on [EPLE repo on a CentOS/RHEL version 6.x][7] or [version 7.x][8]): -`$ sudo yum install unhide` -If you are using a Fedora Linux, type the following dnf command: -`$ sudo dnf install unhide` - -### How to install unhide on an Arch Linux - -Type the following pacman command: -`$ sudo pacman -S unhide` - -### FreeBSD : Install unhide - -Type the following command to install unhide using the port, enter: -``` -# cd /usr/ports/security/unhide/ -# make install clean -``` -OR, you can install the same using the binary package with help of pkg command: -`# pkg install unhide` -**unhide-tcp** is a forensic tool that identifies TCP/UDP ports that are listening but are not listed in [/bin/netstat][9] or [/bin/ss command][10] through brute forcing of all TCP/UDP ports available. - -### How do I use unhide tool? - -The syntax is: -` unhide [options] test_list` -Test_list is one or more of the following standard tests: - - 1. brute - 2. proc - 3. procall - 4. procfs - 5. quick - 6. reverse - 7. sys - - - -Elementary tests: - - 1. checkbrute - 2. checkchdir - 3. checkgetaffinity - 4. checkgetparam - 5. checkgetpgid - 6. checkgetprio - 7. checkRRgetinterval - 8. checkgetsched - 9. checkgetsid - 10. checkkill - 11. checknoprocps - 12. checkopendir - 13. checkproc - 14. checkquick - 15. checkreaddir - 16. checkreverse - 17. checksysinfo - 18. checksysinfo2 - 19. checksysinfo3 - - - -You can use it as follows: -``` -# unhide proc -# unhide sys -# unhide quick -``` -Sample outputs: -``` -Unhide 20130526 -Copyright © 2013 Yago Jesus & Patrick Gouin -License GPLv3+ : GNU GPL version 3 or later -http://www.unhide-forensics.info - -NOTE : This version of unhide is for systems using Linux >= 2.6 - -Used options: -[*]Searching for Hidden processes through comparison of results of system calls, proc, dir and ps -``` - -### How to use unhide-tcp forensic tool that identifies TCP/UDP ports - -From the man page: - -> unhide-tcp is a forensic tool that identifies TCP/UDP ports that are listening but are not listed by /sbin/ss (or alternatively by /bin/netstat) through brute forcing of all TCP/UDP ports available. -> Note1 : On FreeBSD ans OpenBSD, netstat is allways used as iproute2 doesn't exist on these OS. In addition, on FreeBSD, sockstat is used instead of fuser. -> Note2 : If iproute2 is not available on the system, option -n or -s SHOULD be given on the command line. - -``` -# unhide-tcp -``` -Sample outputs: -``` -Unhide 20100201 -http://www.security-projects.com/?Unhide - -Starting TCP checking - -Starting UDP checking -``` - -(Fig.02: No hidden ports found using the unhide-tcp command) -However, I found something interesting: -`# unhide-tcp ` -Sample outputs: -``` -Unhide 20100201 -http://www.security-projects.com/?Unhide - - -Starting TCP checking - -Found Hidden port that not appears in netstat: 1048 -Found Hidden port that not appears in netstat: 1049 -Found Hidden port that not appears in netstat: 1050 -Starting UDP checking - -``` - -The [netstat -tulpn][11] or [ss commands][12] displayed nothing about the hidden TCP ports # 1048, 1049, and 1050: -``` -# netstat -tulpn | grep 1048 -# ss -lp -# ss -l | grep 1048 -``` -For more info read man pages by typing the following command: -``` -$ man unhide -$ man unhide-tcp -``` - -### A note about Windows users - -You can grab the WinUnhide/WinUnhide-TCP by [visiting this page][13]. - - --------------------------------------------------------------------------------- - -via: https://www.cyberciti.biz/tips/linux-unix-windows-find-hidden-processes-tcp-udp-ports.html - -作者:[Vivek Gite][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:https://www.cyberciti.biz -[1]:https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/ (Linux / Unix ps command) -[2]:https://www.cyberciti.biz/faq/howto-check-linux-rootkist-with-detectors-software/ -[3]:https://www.cyberciti.biz/tips/wp-content/uploads/2011/11/Linux-FreeBSD-Unix-Windows-Find-Hidden-Process-Ports.jpg -[4]:https://www.cyberciti.biz/tips/linux-debian-package-management-cheat-sheet.html (See Linux/Unix apt-get command examples for more info) -[5]://www.cyberciti.biz/faq/ubuntu-lts-debian-linux-apt-command-examples/ (See Linux/Unix apt command examples for more info) -[6]:https://www.cyberciti.biz/faq/rhel-centos-fedora-linux-yum-command-howto/ (See Linux/Unix yum command examples for more info) -[7]:https://www.cyberciti.biz/faq/fedora-sl-centos-redhat6-enable-epel-repo/ -[8]:https://www.cyberciti.biz/faq/installing-rhel-epel-repo-on-centos-redhat-7-x/ -[9]:https://www.cyberciti.biz/tips/linux-display-open-ports-owner.html (Linux netstat command) -[10]:https://www.cyberciti.biz/tips/linux-investigate-sockets-network-connections.html -[11]:https://www.cyberciti.biz/tips/netstat-command-tutorial-examples.html -[12]:https://www.cyberciti.biz/tips/linux-investigate-sockets-network-connections.html -[13]:http://www.unhide-forensics.info/?Windows:Download From 841f1c94d8850afd57a863357b5d368e830e3f7e Mon Sep 17 00:00:00 2001 From: fan Li <15201710458@163.com> Date: Sun, 21 Jan 2018 15:42:55 +0800 Subject: [PATCH 2/2] Create 20111124 How to find hidden processes and ports on Linux-Unix-Windows.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 翻译完成 之前有冲突的问题 现在重新fork一下后再pr 应该没问题了 --- ...ocesses and ports on Linux-Unix-Windows.md | 183 ++++++++++++++++++ 1 file changed, 183 insertions(+) create mode 100644 translated/tech/20111124 How to find hidden processes and ports on Linux-Unix-Windows.md diff --git a/translated/tech/20111124 How to find hidden processes and ports on Linux-Unix-Windows.md b/translated/tech/20111124 How to find hidden processes and ports on Linux-Unix-Windows.md new file mode 100644 index 0000000000..dd834e3a53 --- /dev/null +++ b/translated/tech/20111124 How to find hidden processes and ports on Linux-Unix-Windows.md @@ -0,0 +1,183 @@ +# 如何在 Linux/Unix/Windows 中发现隐藏的进程和端口 + + +unhide 是一个小巧的网络取证工具,能够发现那些借助 rootkits,LKM 等其他技术隐藏的进程和 TCP/UDP 端口。这个工具在 Linux,unix-like,Windows 等操作系统下都可以工作。根据其 man 页面的说明: + +> Unhide 通过下述三项技术来发现隐藏的进程。 +> 1. 进程相关的技术,包括将 /proc 目录与 /bin/ps 命令的输出进行比较。 +> 2. 系统相关的技术,包括将 ps 命令的输出结果同从系统调用方面得到的信息进行比较。 +> 3. 穷举法相关的技术,包括对所有的进程 ID 进行暴力求解,该技术仅限于在基于 Linux2.6 内核的系统中使用。 + +绝大多数的 Rootkits 工具或者恶意软件借助内核来实现进程隐藏,这些进程只在内核内部可见。你可以使用 unhide 或者诸如 rkhunter 等工具,扫描 rootkit 程序,后门程序以及一些可能存在的本地漏洞。 + +![本文讲解如何在多个操作系统下安装和使用unhide][1] +如何安装 unhide +----------- + +这里首先建议你在只读介质上运行这个工具。如果使用的是 Ubuntu 或者 Debian 发行版,输入下述的 apt-get/apt 命令以安装 Unhide:`$ sudo apt-get install unhide` 一切顺利的话你的命令行会输出以下内容: + + [sudo] password for vivek: + Reading package lists... Done + Building dependency tree + Reading state information... Done + Suggested packages: + rkhunter + The following NEW packages will be installed: + unhide + 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. + Need to get 46.6 kB of archives. + After this operation, 136 kB of additional disk space will be used. + Get:1 http://in.archive.ubuntu.com/ubuntu artful/universe amd64 unhide amd64 20130526-1 [46.6 kB] + Fetched 46.6 kB in 0s (49.0 kB/s) + Selecting previously unselected package unhide. + (Reading database ... 205367 files and directories currently installed.) + Preparing to unpack .../unhide_20130526-1_amd64.deb ... + Unpacking unhide (20130526-1) ... + Setting up unhide (20130526-1) ... + Processing triggers for man-db (2.7.6.1-2) ... + +如何在RHEL/CentOS/Oracle/Scientific/Fedora上安装 unhide +------------------------------------------------------------------ + +你可以使用以下的 yum 命令: + + `Sudo yum install unhide` + +在 Fedora 上则使用以下 dnf 命令: + + Sudo dnf install unhide. + +如何在 Arch 上安装 unhide +------------------- + + 键入以下 pacman 命令安装 $ sudo pacman -S unhide + +如何在 FreeBSD 上安装 unhide +---------------------- + +可以通过以下的命令使用 port 来安装 unhide + + # cd /usr/ports/security/unhide/ + # make install clean + +或者可以通过二进制文件安装hide,使用 pkg 命令安装 + + # pkg install unhide + +Unhide-tcp 取证工具通过对所有可用的 TCP/IP 端口进行暴力求解的方式,辨别所有正在监听,却没有列入 /bin/netstat 或者 /bin/ss command 目录的 TCP/IP 端口身份。 + +如何使用 unhide 工具? +--------------- + +Unhide 的语法是 `unhide [options] test_list` test_list 参数可以是以下测试列表中的一个或者多个标准测试: + + + 1. Brute + 2. proc + 3. procall + 4. procfs + 5. quick + 6. reverse + 7. sys + +基本测试: + + 1. checkbrute + 2. checkchdir + 3. checkgetaffinity + 4. checkgetparam + 5. checkgetpgid + 6. checkgetprio + 7. checkRRgetinterval + 8. checkgetsched + 9. checkgetsid + 10. checkkill + 11. checknoprocps + 12. checkopendir + 13. checkproc + 14. checkquick + 15. checkreaddir + 16. checkreverse + 17. checksysinfo + 18. checksysinfo2 + 19. checksysinfo3 + +你可以通过以下示例命令使用 unhide: + + # unhide proc + # unhide sys + # unhide quick + +示例输出: + + Unhide 20130526 + Copyright © 2013 Yago Jesus & Patrick Gouin + License GPLv3+ : GNU GPL version 3 or later + http://www.unhide-forensics.info + + NOTE : This version of unhide is for systems using Linux >= 2.6 + + Used options: + [*]Searching for Hidden processes through comparison of results of system calls, proc, dir and ps + +如何使用 unhide-tcp 工具辨明 TCP/UDP 端口的身份 +---------------------------------- + +以下是来自 man 页面的介绍 + +> unhide-tcp is a forensic tool that identifies TCP/UDP ports that are +> listening but are not listed by /sbin/ss (or alternatively by +> /bin/netstat) through brute forcing of all TCP/UDP ports available. +> Note1 : On FreeBSD ans OpenBSD, netstat is allways used as iproute2 +> doesn't exist on these OS. In addition, on FreeBSD, sockstat is used +> instead of fuser. Note2 : If iproute2 is not available on the system, +> option -n or -s SHOULD be given on the command line. + +Unhide-tcp 取证工具,通过对所有可用的 TCP/IP 端口进行暴力求解的方式,辨别所有正在监听,却没有列入 /bin/netstat 或者 /bin/ss command 目录的 TCP/IP 端口身份。请注意:对于 FreeBSD,OpenBSD系统,一般使用 iproute2,fuser 命令取代在这些操作系统上不存在的 netstat,sockstat 命令。请注意 2:如果操作系统不支持 iproute2 命令,在使用 unhide 时需要在命令上加上 -n 或者 -s 选项。 + + # `unhide-tcp` + +示例输出: + + Unhide 20100201 + http://www.security-projects.com/?Unhide + Starting TCP checking + Starting UDP checking + +上述操作中,没有发现隐藏的端口。但在下述示例中,我展示了一些有趣的事。 + + # `unhide-tcp` + +示例输出: + + Unhide 20100201 + http://www.security-projects.com/?Unhide + Starting TCP checking + Found Hidden port that not appears in netstat: 1048 + Found Hidden port that not appears in netstat: 1049 + Found Hidden port that not appears in netstat: 1050 + Starting UDP checking + +可以看到 netstat -tulpn 和 ss commands 命令确实没有反映出这三个隐藏的端口 + + # netstat -tulpn | grep 1048 + # ss -lp + # ss -l | grep 1048 + +通过下述的 man 命令可以更多地了解unhide + + $ man unhide + $ man unhide-tcp + +Windows 用户如何安装使用 unhide +--------------------- +你可以通过这个[页面][2]获取 Windows 版本的 unhide + +via: https://www.cyberciti.biz/tips/linux-unix-windows-find-hidden-processes-tcp-udp-ports.html +作者:Vivek Gite 译者:[ljgibbs][3] 校对:校对者ID +本文由 LCTT 原创编译,Linux中国 荣誉推出! + + + [1]: https://camo.githubusercontent.com/51ee31c20a799512dcd09d88cacbe8dd04731529/68747470733a2f2f7777772e6379626572636974692e62697a2f746970732f77702d636f6e74656e742f75706c6f6164732f323031312f31312f4c696e75782d467265654253442d556e69782d57696e646f77732d46696e642d48696464656e2d50726f636573732d506f7274732e6a7067 + [2]: http://www.unhide-forensics.info/?Windows:Download + [3]: https://github.com/ljgibbslf