unhide - Forensic tool to find hidden processes and ports

Property Value
Distribution Debian 8 (Jessie)
Repository Debian Main i386
Package name unhide
Package version 20121229
Package release 1+b1
Package architecture i386
Package type deb
Installed size 2.36 KB
Download size 370.28 KB
Official Mirror ftp.br.debian.org

Unhide is a forensic tool to find processes and TCP/UDP ports hidden by
rootkits, Linux kernel modules or by other techniques. It includes two
utilities: unhide and unhide-tcp.

unhide detects hidden processes using the following six techniques:
* Compare /proc vs /bin/ps output
* Compare info gathered from /bin/ps with info gathered by walking thru the
* Compare info gathered from /bin/ps with info gathered from syscalls
  (syscall scanning).
* Full PIDs space occupation (PIDs bruteforcing)
* Reverse search, verify that all threads seen by ps are also seen by the
  kernel (/bin/ps output vs /proc, procfs walking and syscall)
* Quick compare /proc, procfs walking and syscall vs /bin/ps output

unhide-tcp identifies TCP/UDP ports that are listening but are not listed in
/bin/netstat through brute forcing of all TCP/UDP ports available.

This package can be used by rkhunter in its daily scans.


Package Version Architecture Repository
unhide_20121229-1+b1_amd64.deb 20121229 amd64 Debian Main
unhide - - -


Type URL
Binary Package unhide_20121229-1+b1_i386.deb
Source Package unhide

Install Howto

  1. Update the package index:
    # sudo apt-get update
  2. Install unhide deb package:
    # sudo apt-get install unhide




2013-02-15 - Julien Valroff <julien@debian.org>
unhide (20121229-1) unstable; urgency=low
* New upstream release
* Add unhide_rb and unhide-posix to the package
2012-03-09 - Julien Valroff <julien@debian.org>
unhide (20110113-4) unstable; urgency=low
* Update DEP-5 URI to the final location 
* Use unhide-2.6 features unconditionally since Debian doesn't support
pre-2.6 Linux kernels. As a consequence, drop use of alternatives, and
ships unhide-2.6 as unhide (Closes: #662588)
* Update to latest policy 3.9.3
2011-10-25 - Julien Valroff <julien@debian.org>
unhide (20110113-3) unstable; urgency=low
* Make the package arch: linux-any as sysinfo system call is not 
available on kfreebsd 
* Drop some lintian overrides now that FTP Masters use lintian 2.5.0 
* Update DEP-5 uri
* Update package description to state all 6 techniques used to detect hidden
2011-06-01 - Julien Valroff <julien@debian.org>
unhide (20110113-2) unstable; urgency=low
* Previous version was rejected as FTP Masters still use lintian 
2.4.x - hence re-add older overrides in this version
2011-06-01 - Julien Valroff <julien@debian.org>
unhide (20110113-1) unstable; urgency=low
[ Christophe Monniez ]
* Merging upstream version 20100819 (Closes: #607374)
* Removing isfaked-leaks patch as it seems useless now.
* Fixing watch file (thanks to Guillaume Delacour).
* Removing quilt option in rules.
* Fixing watch file.
[ Julien Valroff ]
* Add myself as uploader
* Imported Upstream version 20110113
* Update project homepage
* Fix VCS fields
* Update to new policy 3.9.2 (no changes needed)
* Use 3.0 (quilt) source package format
* Add rkhunter-propupd trigger call
* Update lintian overrides for newer lintian versions
* Remove unused ${shlibs:Depends} substitution variable
* Use upstream manpages 
* Add README.txt and TODO files to the package 
* Bump debhelper compat to 8 
* Add patch to fix minor formatting warnings in manpages 
* Update copyright information 
2010-03-30 - Michael Prokop <mika@debian.org>
unhide (20100201-1) unstable; urgency=low
[ Christophe Monniez ]
* Merging upstream version 20100201.
* Refactoring isfaked-leaks patch.
* Adding support for pthread at compilation time.
* Updating the debhelper build-depends (should fix a lintian warning).
* Bumping standards-version to 3.8.4.
* Adjusting quilt build dependency to make lintian happy.
2009-07-29 - Daniel Baumann <daniel@debian.org>
unhide (20080519-6) unstable; urgency=low
* Setting uploaders to Christophe.
2009-07-28 - Daniel Baumann <daniel@debian.org>
unhide (20080519-5) unstable; urgency=low
* Using correct rfc-2822 date formats in changelog.
* New maintainer (Closes: #531364).
* Updating vcs fields in control.
* Updating package to standards version 3.8.2.
* Reformatting package long-description in control.
* Rewriting copyright file in machine-interpretable format.
* Prefixing debhelper files with package name.
* Using quilt rather than dpatch.
* Using dedicated debhelper manpages file.
* Using dedicated debhelper links file.
* Using dedicated debhelper install file.
* Removing useless debhelper dirs file.
* Minimalizing rules file.
* Reformatting maintainer scripts.
* Rewrapping README.Debian.
* Removing useless whitespaces in manpages.
* Adding lintian source overrides.
2009-03-18 - Francois Marier <francois@debian.org>
unhide (20080519-4) unstable; urgency=low
* Fix fd leak in isfaked() causing crashes in sched_rr_get_interval()
(closes: #519730). Thanks to Fabien Tassin for the patch!
* Add support for dpatch
* Bump Standards-Version to 3.8.1
* Bump debhelper compatibility to 7
* debian/rules: use dh_prep and dh_lintian
2009-02-18 - Francois Marier <francois@debian.org>
unhide (20080519-3) unstable; urgency=low
* Fix watch file
* Switch packaging to git
* debian/copyright: Mention the word "copyright" (lintian notice)

