Managing port security

Discovering Hidden Ports

Security breaches often go unnoticed because a rootkit hides the processes it runs, and the listening ports those processes use, from the standard tools. You can look for both with the unhide package, which installs two commands: unhide, which looks for processes that the kernel knows about but /proc and ps do not report, and unhide-tcp, which looks for TCP and UDP ports that are in use but do not appear in the output of netstat or ss. unhide-tcp is not obsolete; it ships in the same package as unhide and is the one that actually checks ports, so run both. Run them as root, since the tests need to query every process on the system, not just your own. It is usually wise to run unhide with the -f option, which writes a text log called unhide-linux.log in the current directory so you can refer back to the output.

The unhide utility uses several techniques, which are given as test names after the command and its options, without any hyphens (for example, unhide -f quick); more than one test can be listed in a single run. Some techniques may take several minutes to run. The techniques include:

  • The brute technique: Tries every possible process ID, up to the kernel's pid_max, by asking the kernel about it directly through system calls, so it takes several minutes but does not depend on /proc being honest. Run it with the -d option, which makes unhide double-check each hit before reporting it; without it, a short-lived process that started or exited while the scan was running, such as a command you ran in another terminal, shows up as a false positive. If a PID is still reported, repeat the test a few times to confirm that it persists. In the documentation, this choice is called the brute force option (Figure 6).
Figure 6: Using the brute technique with unhide.
  • The proc technique: Compares the list of process IDs in /proc with the output of /bin/ps. On a clean system, the two lists should match; a PID that appears in /proc but that ps does not report is suspicious. It may be helpful to add the -v option for verbose output (Figure 7).
Figure 7: Running unhide with the proc technique in verbose mode.
  • The procfs technique: Walks the proc filesystem (procfs, mounted at /proc) entry by entry instead of just listing the directory, and compares what it finds with /bin/ps. Add the -m option to run additional checks (Figure 8).
Figure 8: Using the procfs technique with unhide.
  • The procall technique: Combines the proc and procfs tests (Figure 9).
Figure 9: The procall technique running in unhide.
  • The quick technique: Combines the proc, procfs, and sys techniques in a single pass and is about 20 times faster. The speed comes at the cost of more false positives, so anything it reports should be confirmed by running the individual techniques afterwards (Figure 10).
Figure 10: Use the quick technique in unhide to start searching for hidden processes.
  • The reverse technique: Checks that every thread reported by /bin/ps is also present in procfs and is known to the kernel through system calls. Where the other techniques look for processes hidden from ps, this one looks for the opposite case: a rootkit that has killed a security tool, such as an intrusion detection system, and makes ps show a fake process in its place (Figure 11).
Figure 11: Using unhide's reverse technique is a quick way to search for faked processes.
  • The sys technique: Compares information gathered from /bin/ps with information gathered directly from system calls such as kill and getpriority, bypassing /proc altogether (Figure 12).
Figure 12: The sys technique used in unhide compares information gathered from /bin/ps with system calls.

When using unhide, be prepared to run several tests. Run the quick technique first for a fast overview, then the individual techniques to eliminate any false positives. The reverse technique also returns results quickly. As an extra precaution, run the other tests to confirm the results. A PID that survives the double check and repeated runs is evidence of a rootkit, not a glitch: at that point stop trusting the tools on the host, including unhide itself if it was installed after the compromise, and continue the investigation from a known-good environment such as a live medium or a forensic image.
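To make concrete what these techniques compare, here is an added example, written for this article and not unhide's own code, that reimplements the core of the proc, sys and brute tests in Python. It takes the PIDs and thread IDs that /proc shows, asks the kernel about every possible PID through kill() and getpgid(), and reports any PID the kernel answers for but /proc does not list; it also implements the equivalent of the -d double check, so a process that starts or exits in the middle of the scan is not reported. It assumes a Linux host with /proc mounted; if /proc is mounted with the hidepid option it must run as root, because processes belonging to other users answer kill() with EPERM, which the code deliberately counts as alive. The settle delay is an arbitrary choice.

```python
#!/usr/bin/env python3
"""Toy re-implementation of the comparison behind unhide's proc/sys/brute tests.

Added example, not unhide's own code. Assumes a Linux host with /proc mounted.
The double-check delay (SETTLE_SECONDS) is an illustrative choice.
"""
import os
import time

SETTLE_SECONDS = 0.2  # assumption: long enough for a transient process to settle


def visible_pids():
    """PIDs and thread IDs that /proc admits to when listed (the 'proc' view).

    Thread IDs are included because the kernel answers kill() for a TID just
    as it does for a PID; without them every multi-threaded process would
    produce false positives.
    """
    seen = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        seen.add(pid)
        try:
            for tid in os.listdir(f"/proc/{pid}/task"):
                if tid.isdigit():
                    seen.add(int(tid))
        except OSError:
            pass  # the process exited between the two listdir calls
    return seen


def kernel_says_alive(pid):
    """Ask the kernel about a PID through system calls, bypassing /proc (the 'sys' view).

    EPERM means the PID exists but belongs to someone else, so it still counts
    as alive; ESRCH means there is no such PID. A second system call is tried
    before giving up, since a rootkit may hook one but not the other.
    """
    for probe in (lambda p: os.kill(p, 0), os.getpgid):
        try:
            probe(pid)
            return True
        except PermissionError:
            return True
        except ProcessLookupError:
            continue
    return False


def find_hidden(visible, alive, pid_range, recheck=None, settle=SETTLE_SECONDS):
    """Report PIDs the kernel answers for but /proc does not list.

    `recheck`, when given, re-reads the visible set after a short pause and
    re-probes each suspect, which is what unhide's -d double check does: a
    process that started or exited in the middle of the scan disappears from
    the result instead of being reported as hidden.
    """
    suspects = [pid for pid in pid_range if pid not in visible and alive(pid)]
    if not suspects or recheck is None:
        return suspects
    time.sleep(settle)
    later = recheck()
    return [pid for pid in suspects if pid not in later and alive(pid)]


def scan(limit=None, double_check=True):
    """Brute-force every PID up to pid_max (or `limit`) against the /proc listing."""
    if limit is None:
        with open("/proc/sys/kernel/pid_max") as f:
            limit = int(f.read())
    return find_hidden(visible_pids(), kernel_says_alive, range(1, limit + 1),
                       recheck=visible_pids if double_check else None)


if __name__ == "__main__":
    hidden = scan()
    print("hidden PIDs:", hidden if hidden else "none")
```

Run it as root on the host you are checking. With the pid_max of 4194304 that 64-bit kernels commonly use, the full brute-force pass can take tens of seconds in Python, which is why unhide's own brute test, which issues several system calls per PID, takes minutes. Anything printed is a PID that the kernel answers for but that /proc, and therefore ps, does not show.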

Levelling Up

I've covered the basic commands for working with ports. You'll find many of these commands installed as part of larger sets of utilities, and all of them should be found in the repositories of most distributions. For larger networks, you also might want to install nmap. nmap does numerous tests, but when checking ports it prints a port table that lists each port number and protocol, its state, and the service name nmap associates with that port (taken from its services file unless you ask for version detection). The state is open, closed, filtered, or unfiltered: filtered means that a firewall or other network element dropped nmap's probes, so it cannot tell whether the port is open, and unfiltered means the port is reachable but nmap could not determine whether it is open or closed. For UDP and some TCP scan types you will also see combined states such as open|filtered when nmap cannot distinguish the two. However, nmap is often overkill. For small networks or standalone systems, the commands described in this article should be more than adequate for controlling ports.
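The port table is the part of nmap's output worth keeping when you do reach for it, so here is an added example, not part of nmap or of the original article, that parses the table from nmap's normal output, groups ports by state, and singles out the states nmap could not decide. The scan report it works on is constructed for illustration with a TEST-NET address, not the result of a real scan, and the invocation named in the comment is an assumption.

```python
#!/usr/bin/env python3
"""Sort the port table from nmap's normal output into states.

Added example, not part of nmap or of the original article. The sample scan
report below is constructed for illustration, not a real scan.
"""
import re

# Constructed sample: roughly what the port table looks like after an assumed
# `nmap -sS -sU -p 22,25,80,161,443 192.0.2.10` (TEST-NET address).
SAMPLE_REPORT = """\
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).
PORT     STATE         SERVICE
22/tcp   open          ssh
25/tcp   filtered      smtp
80/tcp   open          http
161/udp  open|filtered snmp
443/tcp  closed        https
"""

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>\S+)\s+(?P<service>\S+)")

# States nmap reports when it could not decide; each needs a follow-up scan or
# a look at the firewall rules before the port is considered safe.
AMBIGUOUS = {
    "filtered": "probes dropped by a firewall or other network element",
    "unfiltered": "reachable, but open or closed not determined (ACK scan)",
    "open|filtered": "no response, so open or filtered cannot be told apart (typical for UDP)",
    "closed|filtered": "closed or filtered cannot be told apart (IP ID idle scan)",
}


def parse_port_table(report):
    """Return one dict per port line: port (int), proto, state, service."""
    rows = []
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def by_state(rows):
    """Group ports as 'port/proto' strings under their reported state."""
    groups = {}
    for row in rows:
        groups.setdefault(row["state"], []).append(f"{row['port']}/{row['proto']}")
    return groups


def needs_follow_up(rows):
    """Ports whose state nmap could not determine, with the reason in plain words."""
    return [(f"{r['port']}/{r['proto']}", AMBIGUOUS[r["state"]])
            for r in rows if r["state"] in AMBIGUOUS]


if __name__ == "__main__":
    rows = parse_port_table(SAMPLE_REPORT)
    for state, ports in by_state(rows).items():
        print(f"{state:15s} {', '.join(ports)}")
    for port, why in needs_follow_up(rows):
        print(f"follow up {port}: {why}")
```

Feed it a saved report (nmap ... -oN scan.txt) in place of the sample; only the port table lines are parsed, so the host and timing lines nmap prints around it do no harm.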

The Author

Bruce Byfield is a computer journalist and a freelance writer and editor specializing in free and open source software. In addition to his writing projects, he also teaches live and e-learning courses. In his spare time, Bruce writes about Northwest Coast art (http://brucebyfield.wordpress.com). He is also co-founder of Prentice Pieces, a blog about writing and fantasy at https://prenticepieces.com/.
