From 6e988a7d6c434b57c01a16711975b32d6e5b9755 Mon Sep 17 00:00:00 2001
From: Black Rider
Date: Tue, 30 Aug 2011 22:05:18 -0300
Subject: [PATCH] system/unhide: Added (utility for discovering hidden processes)
Signed-off-by: Niels Horn
---
 system/unhide/README | 12 +++++
 system/unhide/slack-desc | 12 +++++
 system/unhide/unhide.SlackBuild | 96 +++++++++++++++++++++++++++++++++
 system/unhide/unhide.info | 10 ++++
 4 files changed, 130 insertions(+)
 create mode 100644 system/unhide/README
 create mode 100644 system/unhide/slack-desc
 create mode 100644 system/unhide/unhide.SlackBuild
 create mode 100644 system/unhide/unhide.info
diff --git a/system/unhide/README b/system/unhide/README
new file mode 100644
index 0000000000..a5c77eb447
--- /dev/null
+++ b/system/unhide/README
@@ -0,0 +1,12 @@
+Unhide is a forensic tool to find processes and TCP/UCP ports hidden by
+rootkits, Linux kernel modules or by other techniques. It includes unhide
+and unhide-tcp.
+
+NOTES: The SlackBuild script builds only unhide-tcp and unhide-linux26.
+The original unhide for 2.4 kernels is not built for obvious reasons.
+unhide-linux26 has been linked to "unhide", as many apps (rkhunter, for
+example) expect to find it here. This is also the solution chosen by many
+distributions.
+
+Remember to run unhide as root only. Failing to do so could result in
+a massive arrival of false positives.
diff --git a/system/unhide/slack-desc b/system/unhide/slack-desc
new file mode 100644
index 0000000000..9f2e305265
--- /dev/null
+++ b/system/unhide/slack-desc
@@ -0,0 +1,12 @@
+# |-----handy-ruler------------------------------------------------------|
+unhide: unhide (utility for discovering hidden processes)
+unhide:
+unhide: Unhide is a forensic tool to find porcesses and TCP/UCP ports hidden
+unhide: by rootkits, Linux kernel modules or by other techniques. It includes
+unhide: unhide-linux26 and unhide-tcp.
+unhide:
+unhide: http://www.unhide-forensics.info
+unhide:
+unhide:
+unhide:
+unhide: 
diff --git a/system/unhide/unhide.SlackBuild b/system/unhide/unhide.SlackBuild
new file mode 100644
index 0000000000..ca5080caad
--- /dev/null
+++ b/system/unhide/unhide.SlackBuild
@@ -0,0 +1,96 @@
+#!/bin/sh
+
+# SlackBuild script for Unhide.
+
+# This script is of public domain. It can be distributed, modified and used as desired.
+# Based on the PorteusBuild written by the same author at www.porteus.org/forum
+
+# Black Rider [black_rider@esdebian.org]
+
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ''AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+PRGNAM=unhide
+VERSION=20110113
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) ARCH=i486 ;;
+ arm*) ARCH=arm ;;
+ *) ARCH=$( uname -m ) ;;
+ esac
+fi
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+if [ "$ARCH" = "i486" ]; then
+ SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "i686" ]; then
+ SLKCFLAGS="-O2 -march=i686 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+fi
+
+set -e
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM-$VERSION
+tar xvf $CWD/$PRGNAM-$VERSION.tgz
+cd $PRGNAM-$VERSION
+chown -R root:root .
+chmod -R u+w,go+r-w,a-s .
+
+# gcc --static unhide.c -o unhide #### This is an obsolete version.
+gcc $SLKCFLAGS --static unhide-tcp.c -o unhide-tcp
+gcc $SLKCFLAGS -Wall --static -pthread unhide-linux26.c -o unhide-linux26
+
+# We put the binaries and documents in their right places
+mkdir -p $PKG/usr/sbin
+install -m0700 unhide-tcp unhide-linux26 $PKG/usr/sbin
+
+# We make a symlink so any call to "unhide" reaches "unhide-linux26". This is the
+# solution accepted by many distributions.
+cd $PKG/usr/sbin
+ ln -s unhide-linux26 unhide
+cd -
+
+# Copy man pages
+mkdir -p $PKG/usr/man/{,es/,fr/}man8
+cp man/unhide{,-tcp}.8 $PKG/usr/man/man8
+cp man/es/unhide.8 $PKG/usr/man/es/man8
+cp man/fr/unhide.8 $PKG/usr/man/fr/man8
+find $PKG/usr/man -type f -exec gzip -9 {} \;
+
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp \
+ COPYING LEEME.txt LISEZ-MOI.TXT README.txt TODO changelog \
+ $PKG/usr/doc/$PRGNAM-$VERSION
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+cat $CWD/README > $PKG/usr/doc/$PRGNAM-$VERSION/README
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
diff --git a/system/unhide/unhide.info b/system/unhide/unhide.info
new file mode 100644
index 0000000000..60a409d523
--- /dev/null
+++ b/system/unhide/unhide.info
@@ -0,0 +1,10 @@
+PRGNAM="unhide"
+VERSION="20110113"
+HOMEPAGE="http://www.unhide-forensics.info"
+DOWNLOAD="http://downloads.sourceforge.net/unhide/unhide-20110113.tgz"
+MD5SUM="0dff8ee5029615f1f81db96dcf6758f7"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+MAINTAINER="Black Rider"
+EMAIL="black_rider@esdebian.org"
+APPROVED="Niels Horn"
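Review bot: The `mkdir -p $PKG/usr/man/{,es/,fr/}man8` and `cp man/unhide{,-tcp}.8 $PKG/usr/man/man8` lines in the man-page section rely on brace expansion, which the `#!/bin/sh` shebang at the top of the hunk does not promise; under a POSIX sh such as dash the mkdir creates a single literal directory named `{,es/,fr/}man8` and the following cp fails, aborting the build through `set -e`. In practice Slackware's /bin/sh is bash so it runs, but spelling the paths out keeps the script honest about its shebang: `mkdir -p $PKG/usr/man/man8 $PKG/usr/man/es/man8 $PKG/usr/man/fr/man8` and `cp man/unhide.8 man/unhide-tcp.8 $PKG/usr/man/man8`. The `cd $PKG/usr/sbin` / `ln -s unhide-linux26 unhide` / `cd -` trio can be the single line `ln -s unhide-linux26 $PKG/usr/sbin/unhide`, which also stops `cd -` from printing the previous directory into the build log. The `--static` link flags and the `-m0700` install mode look deliberate for a root-only forensic checker (presumably so the binary does not load the host's shared libc at scan time), but nothing in the script says so; a comment such as `# Static link and 0700 mode are intentional: the checker must not depend on host libraries and is root-only (see README)` would keep a later maintainer from "fixing" them — confirm the reason before wording it.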