debian/copyright

Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: Unhide
Upstream-Contact: Yago Jesus
Source: http://www.unhide-forensics.info/

Files: *
Copyright: 2005-2008, Yago Jesus
License: GPL-3+

Files: sanity.sh
Copyright: 2010, Patrick Gouin
License: GPL-3+

Files: debian/*
Copyright: 2007-2009, Francois Marier
 2009, Daniel Baumann
 2010, Christophe Monniez
 2011, Julien Valroff
License: GPL-3+

License: GPL-3+
 This program is free software: you can redistribute it and/or modify it
 under the terms of the GNU General Public License as published by the Free
 Software Foundation, either version 3 of the License, or (at your option)
 any later version.
 .
 This program is distributed in the hope that it will be useful, but WITHOUT
 ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
 more details.
 .
 You should have received a copy of the GNU General Public License along
 with this program. If not, see .
 .
 On Debian systems, the complete text of the GNU General Public License can
 be found in /usr/share/common-licenses/GPL-3 file.

debian/unhide.lintian-overrides

# Since this is a forensics/security tool, we compile the binaries statically
# to help prevent a hacked glibc from tampering with the results.
unhide: statically-linked-binary usr/sbin/unhide-linux
unhide: statically-linked-binary usr/sbin/unhide-tcp
unhide: statically-linked-binary usr/sbin/unhide-posix
unhide: statically-linked-binary usr/sbin/unhide_rb

debian/unhide.README.Debian

unhide for Debian
-----------------

These utilities are meant to be run as root; otherwise, they will miss
certain things or report false positives.
False positives
---------------

Grsecurity kernels seem to reserve PIDs 300 to 499. They will be reported
when using unhide's brute-forcing method.

Some applications can start listening on a port between the time that unhide
gets the list of open ports from /bin/netstat and the time when it
brute-forces ports. Run it a few times to make sure that it's not a
permanent port.

 -- Francois Marier  Thu, 06 Dec 2007 16:59:30 +1300
 -- Julien Valroff  Fri, 09 Mar 2012 21:53:56 +0100

debian/unhide.triggers

activate rkhunter-propupd

debian/patches/series

001_fix-manpages.diff

debian/patches/001_fix-manpages.diff

Description: fix minor formatting error in the manpages
Author: Julien Valroff
Last-Updated: 2011-06-01
--- a/man/unhide.8
+++ b/man/unhide.8
@@ -29,7 +29,7 @@ Do more checks. As of 2012\-03\-17 version, this option has only effect for the procfs, procall, checkopendir and checkchdir tests. .br -Implies -v +Implies \-v .TP \fB\-r\fR Use alternate version of sysinfo check in standard tests
@@ -216,7 +216,7 @@ unhide sys proc .TP Deeper test: -unhide -m -d sys procall brute reverse +unhide \-m \-d sys procall brute reverse .SH "BUGS" .PP Report \fBunhide\fR bugs on the bug tracker on sourceforge (http://sourceforge.net/projects/unhide/)
--- a/man/fr/unhide.8
+++ b/man/fr/unhide.8
@@ -214,7 +214,7 @@ unhide sys proc .TP Test le plus complet : -unhide -m -d sys procall brute reverse +unhide \-m \-d sys procall brute reverse .SH "BUGS" .PP Rapportez les bugs de \fBunhide\fR sur le bug tracker de sourceforge (http://sourceforge.net/projects/unhide/)
--- a/man/unhide-tcp.8
+++ b/man/unhide-tcp.8
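Review bot: `Last-Updated:` in the DEP-3 header is not a DEP-3 field name; the field is `Last-Update:` (YYYY-MM-DD), and since this patch touches upstream man pages a `Forwarded:` line recording whether it was sent upstream would complete the header. The two hunks in man/unhide.8 and man/fr/unhide.8 are correct as written: `\-v`, `\-m` and `\-d` are the groff escapes that make the option letters render as real minus signs instead of typographic hyphens, so they survive being copied from a rendered page back onto a command line.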
@@ -11,39 +11,39 @@ alternatively by /bin/netstat) through brute forcing of all TCP/UDP ports available. .br -Note : If iproute2 is not available on the system, option -n or -s SHOULD be +Note : If iproute2 is not available on the system, option \-n or \-s SHOULD be given on the command line. .PP .SH "OPTIONS" .TP -\fB\-h --help\fR +\fB\-h -\-help\fR Display help .TP \fB\--brief\fR Don't display warning messages, that's the default behavior. .TP -\fB\-f --fuser\fR +\fB\-f -\-fuser\fR Display fuser output (if available) for the hidden port .TP -\fB\-l --lsof\fR +\fB\-l -\-lsof\fR Display lsof output (if available) for the hidden port .TP -\fB\-n --netstat\fR +\fB\-n -\-netstat\fR Use /bin/netstat instead of /sbin/ss. On system with many opened ports, this can slow down the test dramatically. .TP -\fB\-s --server\fR +\fB\-s -\-server\fR Use a very quick strategy of scanning. On system with a lot of opened ports, it is hundreds times faster than ss method and ten thousands times faster than netstat method. .TP -\fB\-o --log\fR +\fB\-o -\-log\fR Write a log file (unhide-tcp-AAAA-MM-DD.log) in the current directory. .TP -\fB\-V --version\fR +\fB\-V -\-version\fR Show version and exit .TP -\fB\-v --verbose\fR +\fB\-v -\-verbose\fR Be verbose, display warning message (default : don't display). This option may be repeated more than once. 
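Review bot: in the man/unhide-tcp.8 hunk the long options are only half-escaped: `\fB\-h --help\fR` becomes `\fB\-h -\-help\fR`, so the second hyphen of `--help` renders as a minus sign while the first still renders as a hyphen, and the same holds for `-\-fuser`, `-\-lsof`, `-\-netstat`, `-\-server`, `-\-log`, `-\-version` and `-\-verbose`. Write each as `\-\-help`, `\-\-fuser` and so on so both characters match. The unchanged context line `\fB\--brief\fR` has the mirror-image problem (escaped first hyphen, bare second) and should be corrected in the same hunk rather than left behind.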
.PP

debian/unhide.postinst

#!/bin/sh

set -e

case "${1}" in
	configure)
		# See #662588: a version up to 20110113-3 registered unhide through
		# update-alternatives; on upgrade from such a version, drop the entry.
		if [ -n "$2" ]; then
			if dpkg --compare-versions "$2" le "20110113-3"; then
				update-alternatives --quiet --remove-all unhide || true
			fi
		fi
		;;

	abort-upgrade|abort-remove|abort-deconfigure)
		# dpkg calls postinst with these on error recovery; nothing to undo,
		# and they must not be treated as an unknown argument.
		;;

	*)
		echo "postinst called with unknown argument \`${1}'" >&2
		exit 1
		;;
esac

#DEBHELPER#

exit 0

debian/changelog

unhide (20121229-1) unstable; urgency=low

  * New upstream release
  * Add unhide_rb and unhide-posix to the package

 -- Julien Valroff  Fri, 15 Feb 2013 19:14:05 +0100

unhide (20110113-4) unstable; urgency=low

  * Update DEP-5 URI to the final location
  * Use unhide-2.6 features unconditionally since Debian doesn't support
    pre-2.6 Linux kernels. As a consequence, drop use of alternatives, and
    ship unhide-2.6 as unhide (Closes: #662588)
  * Update to latest policy 3.9.3

 -- Julien Valroff  Fri, 09 Mar 2012 22:02:08 +0100

unhide (20110113-3) unstable; urgency=low

  * Make the package arch: linux-any as sysinfo system call is not available
    on kfreebsd
  * Drop some lintian overrides now that FTP Masters use lintian 2.5.0
  * Update DEP-5 uri
  * Update package description to state all 6 techniques used to detect
    hidden processes

 -- Julien Valroff  Tue, 25 Oct 2011 20:34:44 +0200

unhide (20110113-2) unstable; urgency=low

  * Previous version was rejected as FTP Masters still use lintian 2.4.x -
    hence re-add older overrides in this version

 -- Julien Valroff  Wed, 01 Jun 2011 20:29:07 +0200

unhide (20110113-1) unstable; urgency=low

  [ Christophe Monniez ]
  * Merging upstream version 20100819 (Closes: #607374)
  * Removing isfaked-leaks patch as it seems useless now.
  * Fixing watch file (thanks to Guillaume Delacour).
  * Removing quilt option in rules.
  * Fixing watch file.
  [ Julien Valroff ]
  * Add myself as uploader
  * Imported Upstream version 20110113
  * Update project homepage
  * Fix VCS fields
  * Update to new policy 3.9.2 (no changes needed)
  * Use 3.0 (quilt) source package format
  * Add rkhunter-propupd trigger call
  * Update lintian overrides for newer lintian versions
  * Remove unused ${shlibs:Depends} substitution variable
  * Use upstream manpages
  * Add README.txt and TODO files to the package
  * Bump debhelper compat to 8
  * Add patch to fix minor formatting warnings in manpages
  * Update copyright information

 -- Julien Valroff  Wed, 01 Jun 2011 19:12:15 +0200

unhide (20100201-1) unstable; urgency=low

  [ Christophe Monniez ]
  * Merging upstream version 20100201.
  * Refactoring isfaked-leaks patch.
  * Adding support for pthread at compilation time.
  * Updating the debhelper build-depends (should fix a lintian warning).
  * Bumping standards-version to 3.8.4.
  * Adjusting quilt build dependency to make lintian happy.

 -- Michael Prokop  Tue, 30 Mar 2010 12:45:05 +0200

unhide (20080519-6) unstable; urgency=low

  * Setting uploaders to Christophe.

 -- Daniel Baumann  Wed, 29 Jul 2009 21:13:37 +0200

unhide (20080519-5) unstable; urgency=low

  * Using correct rfc-2822 date formats in changelog.
  * New maintainer (Closes: #531364).
  * Updating vcs fields in control.
  * Updating package to standards version 3.8.2.
  * Reformatting package long-description in control.
  * Rewriting copyright file in machine-interpretable format.
  * Prefixing debhelper files with package name.
  * Using quilt rather than dpatch.
  * Using dedicated debhelper manpages file.
  * Using dedicated debhelper links file.
  * Using dedicated debhelper install file.
  * Removing useless debhelper dirs file.
  * Minimalizing rules file.
  * Reformatting maintainer scripts.
  * Rewrapping README.Debian.
  * Removing useless whitespaces in manpages.
  * Adding lintian source overrides.
 -- Daniel Baumann  Tue, 28 Jul 2009 15:32:56 +0200

unhide (20080519-4) unstable; urgency=low

  * Fix fd leak in isfaked() causing crashes in sched_rr_get_interval()
    (closes: #519730). Thanks to Fabien Tassin for the patch!
  * Add support for dpatch
  * Bump Standards-Version to 3.8.1
  * Bump debhelper compatibility to 7
  * debian/rules: use dh_prep and dh_lintian

 -- Francois Marier  Wed, 18 Mar 2009 09:07:47 +1300

unhide (20080519-3) unstable; urgency=low

  * Fix watch file
  * Switch packaging to git
  * debian/copyright: Mention the word "copyright" (lintian notice)

 -- Francois Marier  Wed, 18 Feb 2009 12:37:22 +1300

unhide (20080519-2) unstable; urgency=low

  * Fix watch file

 -- Francois Marier  Fri, 20 Jun 2008 12:04:48 +1200

unhide (20080519-1) unstable; urgency=low

  * New upstream release (closes: #481578)
  * Bump Standards-Version to 3.8.0
  * Bump debhelper compatibility to 6

 -- Francois Marier  Fri, 13 Jun 2008 15:25:27 +1200

unhide (20071102-2) unstable; urgency=low

  * Statically link binaries to make them independent from glibc (and add
    the appropriate lintian override)
  * Add the POSIX version of unhide for non-linux 2.6 kernels and have the
    unhide binary be provided by an alternative. (closes: #459046)
    Thanks to Klaus Ethgen for his awesome patch!
  * Update the unhide manpage to mention the fact that brute-forcing is only
    available on Linux 2.6
  * Mention non-Linux 2.6 kernels in README.Debian

 -- Francois Marier  Fri, 04 Jan 2008 13:38:01 -0500

unhide (20071102-1) unstable; urgency=low

  * Initial release (Closes: #451206)

 -- Francois Marier  Thu, 06 Dec 2007 18:21:35 +1300

debian/control

Source: unhide
Section: admin
Priority: extra
Maintainer: Debian Forensics
Uploaders: Christophe Monniez, Julien Valroff
Build-Depends: debhelper (>= 8.0.0)
Standards-Version: 3.9.3
Homepage: http://www.unhide-forensics.info
Vcs-Browser: http://git.debian.org/?p=forensics/unhide.git;a=summary
Vcs-Git: git://git.debian.org/forensics/unhide.git

Package: unhide
Architecture: linux-any
Depends: ${misc:Depends}
Suggests: rkhunter
Description: Forensic tool to find hidden processes and ports
 Unhide is a forensic tool to find processes and TCP/UDP ports hidden by
 rootkits, Linux kernel modules or by other techniques. It includes two
 utilities: unhide and unhide-tcp.
 .
 unhide detects hidden processes using the following six techniques:
  * Compare /proc vs /bin/ps output
  * Compare info gathered from /bin/ps with info gathered by walking through
    the procfs.
  * Compare info gathered from /bin/ps with info gathered from syscalls
    (syscall scanning).
  * Full PIDs space occupation (PIDs bruteforcing)
  * Reverse search, verify that all threads seen by ps are also seen by the
    kernel (/bin/ps output vs /proc, procfs walking and syscall)
  * Quick compare /proc, procfs walking and syscall vs /bin/ps output
 .
 unhide-tcp identifies TCP/UDP ports that are listening but are not listed
 in /bin/netstat through brute forcing of all TCP/UDP ports available.
 .
 This package can be used by rkhunter in its daily scans.
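The syscall-scanning and PID-bruteforcing techniques listed in the package description, as an added example that is not unhide's own code: every PID in a range is probed with a syscall, and a PID the kernel answers for but which has no /proc entry is reported. It assumes Linux with /proc mounted; the function names and the 32768 range are this example's choices, and on a clean system the reported count should be 0 (run as root for full coverage, as the README says).

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* The kernel knows a PID if kill(pid, 0) succeeds; EPERM also proves it exists
 * (a process of another user), only ESRCH means "no such process". */
int pid_known_to_kernel(pid_t pid) {
    if (pid <= 0) return 0;            /* 0 and negatives address process groups */
    return kill(pid, 0) == 0 || errno == EPERM;
}

/* procfs shows a PID if /proc/<pid> can be stat()ed.  stat() rather than
 * readdir() is deliberate: thread IDs are reachable by path but never listed,
 * so threads of multithreaded programs are not mistaken for hidden processes. */
int pid_visible_in_proc(pid_t pid) {
    char path[32];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    return stat(path, &st) == 0;
}

/* Probe every PID in [1, max_pid]; store hidden PIDs in out (up to cap) and
 * return how many there were.  A PID is reported only if it is alive, absent
 * from /proc and still alive on a second probe: that second probe removes the
 * "process exited between the two checks" false positive. */
size_t find_hidden_pids(pid_t max_pid, pid_t *out, size_t cap) {
    size_t n = 0;
    for (pid_t pid = 1; pid <= max_pid; pid++) {
        if (!pid_known_to_kernel(pid)) continue;
        if (pid_visible_in_proc(pid)) continue;
        if (!pid_known_to_kernel(pid)) continue;      /* it just exited */
        if (n < cap) out[n] = pid;
        n++;
    }
    return n;
}

int main(void) {
    pid_t hidden[64];
    /* 32768 is the classic pid_max; /proc/sys/kernel/pid_max gives the real one */
    size_t n = find_hidden_pids(32768, hidden, 64);
    for (size_t i = 0; i < n && i < 64; i++)
        printf("PID %d: alive for the kernel but absent from /proc\n", (int)hidden[i]);
    printf("%zu hidden PID(s) found\n", n);
    return n ? 1 : 0;
}
```

The Grsecurity reserved-PID range mentioned in README.Debian would show up here exactly as it does in unhide's brute test, so a hit in 300-499 on such a kernel needs the same manual follow-up.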
debian/unhide.docs

README.txt
TODO

debian/unhide.manpages

man/*.8

debian/watch

version=3
http://sf.net/unhide/unhide-(.+)\.tgz

debian/compat

8

debian/rules

#!/usr/bin/make -f

%:
	dh $@

override_dh_auto_clean:
	dh_auto_clean
	-rm -f unhide-linux unhide-posix unhide-tcp unhide_rb
	-rm -f man/unhide.fr.8 man/unhide.es.8

override_dh_auto_configure:
	ln man/fr/unhide.8 man/unhide.fr.8
	ln man/es/unhide.8 man/unhide.es.8

override_dh_auto_build:
	gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
	gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
	gcc -Wall -O2 --static unhide_rb.c -o unhide_rb
	gcc --static unhide-posix.c -o unhide-posix

debian/source/format

3.0 (quilt)

debian/unhide.links

/usr/sbin/unhide-linux /usr/bin/unhide
/usr/share/man/man8/unhide.8 /usr/share/man/man8/unhide-linux.8
/usr/share/man/man8/unhide.8 /usr/share/man/man8/unhide-posix.8

debian/unhide.install

unhide-linux /usr/sbin
unhide-tcp /usr/sbin
unhide_rb /usr/sbin
unhide-posix /usr/sbin