Discover Rootkits With Unhide
If your system has been rooted, you can't trust utilities like
ps to show processes from the rootkit. For ferreting out nasties, you'll want to check out
unhide and unhide.rb.
If you've ever encountered a rootkit, you know the symptoms -- suddenly a box is sluggish or sending out gobs of network traffic -- but running
ps aux show nothing that should be the culprit. One quick and dirty way to turn up the offending processes is to use the
unhide utility or its Ruby counterpart
unhide.rb. It's a helpful tool to have around for Linux server management.
unhide utility is available, at least, on recent releases of Debian and Ubuntu. The Ruby script is available on Launchpad, but it's not available in any of the recent releases yet. I'd recommend grabbing both -- the legacy utility seems prone to false positives. It may still be useful, but I'd have both just in case. It's also unclear whether it's still under development -- the site for the utility 404s now. Both are open source software, of course.
The use is simple -- for
unhide you have three options:
brute. The first two compare output from system information (
/proc and system calls, respectively) against
brute technique checks all process IDs. Just run (as root, naturally)
unhide brute (or whatever option) and if it finds anything it will print out the process IDs that might be a problem.
Note that you'll also find an
unhide-tcp utility. The -posix utility is for pre-2.6 Linux systems. I suppose there might be a few people still running Linux 2.4 systems, but I can't imagine that it's very many. Fewer still that are actually concerned with security.
unhide-tcp utility looks for TCP and (despite the name) UDP ports that are open, but not listed in netstat.
unhide.rb utility is run without options. So far, I've found that it has fewer false positives than
unhide on known-clean systems.
These aren't foolproof, of course -- but they're useful first-pass utilities on a system that you suspect might be compromised. It's good to have something quick-and-dirty to check for obvious signs of intrusion -- not all rootkits are written well. Next week I'll cover a couple more forensic utilities that can help search out problems a bit more thoroughly.
Joe 'Zonker' Brockmeier is a freelance writer and editor with more than 10 years covering IT. Formerly the openSUSE Community Manager for Novell, Brockmeier has written for Linux Magazine, Sys Admin, Linux Pro Magazine, IBM developerWorks, Linux.com, CIO.com, Linux Weekly News, ZDNet, and many other publications. You can reach Zonker at firstname.lastname@example.org and follow him on Twitter.