
Discover Rootkits With Unhide

Written by Joe Brockmeier
May 17, 2011

If your system has been rooted, you can’t trust utilities like ps to show processes from the rootkit. For ferreting out nasties, you’ll want to check out unhide and unhide.rb.

If you’ve ever encountered a rootkit, you know the symptoms — suddenly a box is sluggish or sending out gobs of network traffic — but running top and ps aux show nothing that should be the culprit. One quick and dirty way to turn up the offending processes is to use the unhide utility or its Ruby counterpart unhide.rb. It’s a helpful tool to have around for Linux server management.

The unhide utility is available, at least, on recent releases of Debian and Ubuntu. The Ruby script is available on Launchpad, but it’s not available in any of the recent releases yet. I’d recommend grabbing both — the legacy utility seems prone to false positives. It may still be useful, but I’d have both just in case. It’s also unclear whether it’s still under development — the site for the utility 404s now. Both are open source software, of course.

The use is simple — for unhide you have three options: proc, sys, and brute. The first two compare output from system information (/proc and system calls, respectively) against ps. The brute technique checks all process IDs. Just run (as root, naturally) unhide brute (or whatever option) and if it finds anything it will print out the process IDs that might be a problem.
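To make the three views concrete, here is an added example (not code from the unhide project) that re-creates the proc and brute checks in Python. It collects PIDs from the /proc directory listing and from kill(pid, 0) probing, drops thread IDs (they answer the probe but ps -e only lists thread-group leaders, which is the usual false-positive source), and reports PIDs that neither of two ps snapshots showed. The function names (pids_from_proc, pids_by_brute_force, find_hidden) are mine; it assumes Linux, a procps-style ps, and root so that every PID can be probed.

```python
# Added example, not code from the unhide project: it reproduces the idea
# behind unhide's "proc" and "brute" modes in Python. PIDs are collected from
# two views a userland rootkit rarely filters (the /proc directory listing and
# kill(pid, 0) probing) and any PID that ps omits is reported. Assumes Linux,
# a standard procps ps, and root so that every PID can be probed.
import os
import subprocess

def parse_ps_pids(text):
    """Parse `ps -e -o pid=` output (one PID per line) into a set of ints."""
    return {int(tok) for tok in text.split() if tok.isdigit()}

def parse_tgid(status_text):
    """Thread-group id from the text of /proc/<pid>/status, or None."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None

def pids_from_ps():
    """Userland view: what ps shows. This is the view a rootkit filters."""
    try:
        out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return set()
    return parse_ps_pids(out)

def pids_from_proc():
    """'proc' view: every numeric entry in the /proc directory listing."""
    try:
        return {int(name) for name in os.listdir("/proc") if name.isdigit()}
    except OSError:
        return set()

def is_thread(pid):
    """True when /proc/<pid>/status proves pid is a non-leader thread.
    Threads answer kill(tid, 0) but ps -e lists only thread-group leaders,
    the main false-positive source of brute-force probing. An unreadable
    status file proves nothing, so the PID is kept."""
    try:
        with open(f"/proc/{pid}/status") as f:
            tgid = parse_tgid(f.read())
    except OSError:
        return False
    return tgid is not None and tgid != pid

def pids_by_brute_force(max_pid=None):
    """'brute' view: send signal 0 to every PID up to pid_max. ESRCH means
    no such process; success or EPERM means it exists. pid_max can be a few
    million on recent kernels, so expect this to take some seconds."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except OSError:
            return set()
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if not is_thread(pid):
            alive.add(pid)
    return alive

def hidden_pids(kernel_view, ps_view, ignore=()):
    """PIDs present in a kernel-derived view but absent from ps, minus
    anything the caller already accounts for (its own PID, for instance)."""
    return sorted(kernel_view - ps_view - set(ignore))

def find_hidden(max_pid=None):
    """Snapshot ps before and after the kernel views: a PID that ps saw in
    either pass merely started or exited between snapshots (the ps child
    itself is the usual case) and is not reported."""
    ps_before = pids_from_ps()
    proc_view = pids_from_proc()
    brute_view = pids_by_brute_force(max_pid)
    ps_after = pids_from_ps()
    seen_by_ps = ps_before | ps_after
    mine = {os.getpid()}
    return {"proc": hidden_pids(proc_view, seen_by_ps, mine),
            "brute": hidden_pids(brute_view, seen_by_ps, mine)}

if __name__ == "__main__":
    for view, pids in find_hidden().items():
        print(f"{view}: {pids if pids else 'nothing hidden'}")
```

On a known-clean box both views should come back empty; anything reported is worth a second run (to rule out a process that lived only between the two ps snapshots) and a look at /proc/<pid>/exe and /proc/<pid>/cmdline before it is treated as a rootkit process.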

Note that you’ll also find an unhide-posix and unhide-tcp utility. The -posix utility is for pre-2.6 Linux systems. I suppose there might be a few people still running Linux 2.4 systems, but I can’t imagine that it’s very many. Fewer still that are actually concerned with security.

The unhide-tcp utility looks for TCP and (despite the name) UDP ports that are open, but not listed in netstat.
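The same cross-checking idea applied to sockets, as an added example that is not unhide-tcp's code: the kernel's own socket tables in /proc/net/{tcp,tcp6,udp,udp6} are parsed directly and their listening ports compared with what `ss -lntu` reports, and a bind() probe gives a third opinion on any single port. Function names (parse_proc_net, parse_ss, port_looks_bound, find_hidden_ports) are mine, the two sample tables are constructed rather than captured, and it assumes Linux with iproute2's ss and root for privileged ports.

```python
# Added example, not code from unhide-tcp: a cross-check for listening
# sockets in the same spirit. The kernel's socket tables under /proc/net are
# parsed directly and compared with the ports the `ss` command lists; a port
# in the kernel table that ss omits is what a trojaned netstat/ss produces.
# Assumes Linux with iproute2's ss and root for privileged ports.
import errno
import socket
import subprocess

# /proc/net state codes: TCP listeners show 0A, unconnected UDP sockets 07.
TABLES = {"tcp": (["/proc/net/tcp", "/proc/net/tcp6"], "0A"),
          "udp": (["/proc/net/udp", "/proc/net/udp6"], "07")}

# Constructed sample tables (not captured from a real host) used by demo().
SAMPLE_PROC_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2 1 0000000000000000 100 0 0 10 0\n"
    "   2: 0100007F:A1B2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 3 1 0000000000000000 20 4 30 10 -1\n")
SAMPLE_SS = (
    "Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
    "tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*\n"
    "udp   UNCONN 0      0    127.0.0.53%lo:53        0.0.0.0:*\n")

def parse_proc_net(text, wanted_state):
    """Local ports from a /proc/net table whose state field matches.
    Rows read 'sl local_address rem_address st ...' with HEXADDR:HEXPORT."""
    ports = set()
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) >= 4 and fields[3] == wanted_state:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def parse_ss(text):
    """Listening ports per protocol from `ss -lntu` output."""
    ports = {"tcp": set(), "udp": set()}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] in ports:
            port = fields[4].rsplit(":", 1)[1]
            if port.isdigit():
                ports[fields[0]].add(int(port))
    return ports

def hidden_ports(kernel_ports, tool_ports):
    """Ports the kernel table shows but the userland tool does not."""
    return sorted(kernel_ports - tool_ports)

def port_looks_bound(port, proto="tcp"):
    """Brute check: try to bind the port ourselves. EADDRINUSE means some
    socket owns it whatever any listing says; EACCES (privileged port
    without root) is inconclusive and yields None."""
    sock_type = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    s = socket.socket(socket.AF_INET, sock_type)
    try:
        s.bind(("0.0.0.0", port))
        return False
    except OSError as e:
        return True if e.errno == errno.EADDRINUSE else None
    finally:
        s.close()

def find_hidden_ports():
    """Live comparison of the kernel tables (IPv4 and IPv6) against ss."""
    try:
        out = subprocess.run(["ss", "-lntu"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = ""
    tool = parse_ss(out)
    result = {}
    for proto, (paths, state) in TABLES.items():
        kernel = set()
        for path in paths:
            try:
                with open(path) as f:
                    kernel |= parse_proc_net(f.read(), state)
            except OSError:
                pass
        result[proto] = hidden_ports(kernel, tool[proto])
    return result

def demo():
    """Run the comparison on the constructed samples: port 8080 is in the
    kernel table but absent from the ss listing, so it is reported."""
    return hidden_ports(parse_proc_net(SAMPLE_PROC_TCP, "0A"),
                        parse_ss(SAMPLE_SS)["tcp"])

if __name__ == "__main__":
    print("sample run:", demo())
    for proto, ports in find_hidden_ports().items():
        for port in ports:
            print(f"{proto}/{port} in kernel table but not in ss; "
                  f"bind probe: {port_looks_bound(port, proto)}")
```

Reading /proc/net yourself only defeats a trojaned userland tool; a kernel-level rootkit can filter those files too, which is why the bind probe exists as an independent view and why a port that fails to bind but appears in neither listing deserves attention.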

The unhide.rb utility is run without options. So far, I’ve found that it has fewer false positives than unhide on known-clean systems.

These aren’t foolproof, of course — but they’re useful first-pass utilities on a system that you suspect might be compromised. It’s good to have something quick-and-dirty to check for obvious signs of intrusion — not all rootkits are written well. Next week I’ll cover a couple more forensic utilities that can help search out problems a bit more thoroughly.

Joe ‘Zonker’ Brockmeier is a freelance writer and editor with more than 10 years covering IT. Formerly the openSUSE Community Manager for Novell, Brockmeier has written for Linux Magazine, Sys Admin, Linux Pro Magazine, IBM developerWorks, Linux.com, CIO.com, Linux Weekly News, ZDNet, and many other publications. You can reach Zonker at jzb@zonker.net and follow him on Twitter.


Joe Brockmeier is the editorial director of the Red Hat Blog. He joined Red Hat in 2013 as part of the Open Source and Standards (OSAS) group, now the Open Source Program Office (OSPO). Prior to Red Hat, Brockmeier worked for Citrix on the Apache OpenStack project, and was the first OpenSUSE community manager for Novell between 2008-2010. Brockmeier also has an extensive history in the tech press and publishing, having been editor-in-chief of Linux Magazine, editorial director of Linux.com, and a contributor to LWN.net, ZDNet, UnixReview.com, and many others.
