Name:          unhide
Version:       20130526
Release:       1mamba
Summary:       Forensic tool to find hidden processes and ports
Group:         Applications/Security
Vendor:        openmamba
Distribution:  openmamba
Packager:      Davide Madrisan
URL:           http://www.unhide-forensics.info/
Source:        http://sourceforge.net/projects/unhide/files/unhide-%{version}.tgz
License:       GPL
## AUTOBUILDREQ-BEGIN
## AUTOBUILDREQ-END
BuildRoot:     %{_tmppath}/%{name}-%{version}-root

%description
Unhide is a forensic tool to find processes and TCP/UDP ports hidden by
rootkits / LKMs or by another hiding technique.

Unhide (ps) - Detecting hidden processes. Implements six main techniques:
 1. Compare /proc vs /bin/ps output.
 2. Compare info gathered from /bin/ps with info gathered by walking through
    the procfs.
 3. Compare info gathered from /bin/ps with info gathered from syscalls
    (syscall scanning).
 4. Full PID space occupation (PID bruteforcing).
 5. Compare /bin/ps output vs /proc, procfs walking and syscalls.
    Reverse search: verify that all threads seen by ps are also seen by the
    kernel.
 6. Quick compare of /proc, procfs walking and syscalls vs /bin/ps output.
    It is about 20 times faster than tests 1+2+3 but may give more false
    positives.

Unhide-TCP - Identify TCP/UDP ports that are listening but not listed in
/bin/netstat by brute forcing all available TCP/UDP ports.

%prep
%setup -q

%build
CFLAGS="%optflags" ; export CFLAGS ;
# Since this is a forensics/security tool, we compile the binaries statically
# to help prevent a hacked glibc from tampering with the results.
%{__cc} -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide
%{__cc} -Wall -O2 --static unhide_rb.c -o unhide_rb
%{__cc} -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp

%install
[ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
install -d %{buildroot}%{_sbindir}
for f in unhide unhide_rb unhide-tcp; do
   install -m 755 $f %{buildroot}%{_sbindir}/$f
done
install -d %{buildroot}%{_mandir}/man8
install -m 644 man/unhide.8 %{buildroot}%{_mandir}/man8/unhide.8
install -m 644 man/unhide-tcp.8 %{buildroot}%{_mandir}/man8/unhide-tcp.8

%clean
[ "%{buildroot}" != / ] && rm -rf "%{buildroot}"

%files
%defattr(-,root,root)
%{_sbindir}/%{name}*
%{_mandir}/man8/unhide.*
%{_mandir}/man8/unhide-tcp.*
%doc COPYING
#README.txt TODO

%changelog
* Mon May 27 2013 Automatic Build System 20130526-1mamba
- automatic version update by autodist

* Thu Jan 31 2013 Automatic Build System 20121229-1mamba
- automatic version update by autodist

* Tue Dec 13 2011 Davide Madrisan 20110113-1mamba
- package created by autospec
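The description above lists the techniques unhide combines, but the spec does not show what "syscall scanning" (technique 3) and "PID bruteforcing" (technique 4) actually look like. The following is an added, self-contained C example written for this page; it is not unhide's source and makes no claim about how unhide structures its code. It walks the whole PID space, asks the kernel about each PID through syscalls that never touch procfs (kill with signal 0, getpriority, getsid), and reports any PID the kernel acknowledges but /proc does not, re-probing to filter out processes that simply exited between the two checks. All function names (`pid_in_procfs`, `pid_visible_via_syscalls`, `scan_hidden_range`, and so on) are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Procfs view: does /proc/<pid> exist? stat() is used instead of readdir()
 * because a thread that is not its thread-group leader is absent from a
 * /proc listing while /proc/<tid> still resolves; readdir() would therefore
 * report every ordinary thread as "hidden". */
int pid_in_procfs(pid_t pid)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    return stat(path, &st) == 0;
}

/* Kernel view without procfs (syscall scanning). kill(pid, 0) delivers no
 * signal; EPERM means the task exists but cannot be signalled, so it still
 * counts as visible. getpriority() and getsid() are independent lookups, so
 * hooking a single syscall is not enough to defeat the probe. */
int pid_visible_via_syscalls(pid_t pid)
{
    if (pid <= 0)
        return 0;               /* 0 and negatives address groups, not tasks */
    if (kill(pid, 0) == 0 || errno == EPERM)
        return 1;
    errno = 0;
    getpriority(PRIO_PROCESS, pid);  /* -1 is a valid nice value, so test errno */
    if (errno == 0)
        return 1;
    if (getsid(pid) != -1)
        return 1;
    return 0;
}

/* Upper bound of the PID space as configured on this kernel; falls back to
 * the classic default when the sysctl file cannot be read. */
long read_pid_max(void)
{
    long v = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) {
        if (fscanf(f, "%ld", &v) != 1)
            v = 32768;
        fclose(f);
    }
    return v;
}

/* A PID is suspicious when syscalls see it but procfs does not. A task may
 * exit between the two checks, so re-probe and only report a PID that is
 * consistently visible-but-absent. */
int pid_is_hidden(pid_t pid, int rechecks)
{
    for (int i = 0; i <= rechecks; i++) {
        if (!pid_visible_via_syscalls(pid) || pid_in_procfs(pid))
            return 0;
        usleep(1000);
    }
    return 1;
}

/* PID bruteforcing over [lo, hi). Writes up to max_out hidden PIDs into out
 * and returns how many were found. */
int scan_hidden_range(long lo, long hi, pid_t *out, int max_out)
{
    int found = 0;
    for (long pid = lo; pid < hi && found < max_out; pid++) {
        if (pid == getpid())
            continue;           /* the scanner itself is trivially visible */
        if (pid_is_hidden((pid_t)pid, 2))
            out[found++] = (pid_t)pid;
    }
    return found;
}

/* Full PID space, as technique 4 in the description does. */
int scan_hidden_pids(pid_t *out, int max_out)
{
    return scan_hidden_range(1, read_pid_max(), out, max_out);
}

int main(void)
{
    pid_t hidden[256];
    int n = scan_hidden_pids(hidden, 256);
    for (int i = 0; i < n; i++)
        printf("possible hidden PID %d: visible to syscalls, no /proc entry\n",
               (int)hidden[i]);
    printf("%d suspicious PID(s)\n", n);
    return n ? 1 : 0;
}
```

Build it the way the spec builds unhide, statically, so a trojaned shared glibc cannot rewrite the results; a hit should be confirmed with a second, independent method (for instance the reverse search of technique 5) before treating it as a rootkit, since a PID namespace boundary or a process that is exec-ing at the moment of the probe can also produce a one-off mismatch.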