Linux systems can be compromised by the installation of hidden processes visible only from the kernel. Unhide is a generic name for a series of related commands designed to detect such processes through a toolkit of over 30 tests, most of which involve examining and comparing various elements of the system. Of all the versions, the one for Linux is by far the most developed. Originally, the Linux version was called unhide‑linux, but in Linux repositories, it is generally named simply unhide [1].
The unhide command works by scanning for inconsistencies within the parts of a Linux operating system that allow users to view what the kernel and related processes are doing. Many system elements compare /proc, the pseudo filesystem that displays information about the running system, and /bin/ps, which contains all processes currently running on the system. Others compare /bin/ps with the system calls between the Linux kernel and /bin/proc, which contains data about processes. Another compares the structure of process IDs (PIDs) with the conventional structure and size of other PIDs. These sources of information operate largely independently of each other, so differences between them may reveal an illegal intrusion. Most of them are not used by ordinary accounts, and even root should generally only view them. Consequently, unhide provides a safe glimpse into these processes that can help admins decide what future steps to take. Unusually for a Linux package, unhide consists of static dependencies, because if hidden processes exist, by definition, they cannot be detected by regular system resources. However, unhide does not take steps to remove intrusions, and any hits in the results should be checked before any response is made.
This story is from the #271/June 2023: Smart Home edition of Linux Magazine.
Start your 7-day Magzter GOLD free trial to access thousands of curated premium stories, and 9,000+ magazines and newspapers.
Already a subscriber ? Sign In
This story is from the #271/June 2023: Smart Home edition of Linux Magazine.
Start your 7-day Magzter GOLD free trial to access thousands of curated premium stories, and 9,000+ magazines and newspapers.
Already a subscriber? Sign In
MADDOG'S DOGHOUSE
The stakeholder approach of open source broadens the pool of who can access, influence, and benefit from information technologies.
MakerSpace
Rust, a potential successor to C/C++, claims to solve some memory safety issues while maintaining high performance. We look at Rust on embedded systems, where memory safety, concurrency, and security are equally important
In Harmony
Using the Go Interface mechanism, Mike demonstrates its practical application with a refresh program for local copies of Git repositories.
Monkey Business
Even small changes in a web page can improve the browsing experience. Your preferred web browser provides all the tools you need to inject JavaScript to adapt the page. You just need a browser with its debugging tools, some knowledge of scripting, and the browser extension Tampermonkey.
Smarter Navigation
Zoxide, a modern version of cd, lets you navigate long directory paths with less typing.
Through the Back Door
Cybercriminals are increasingly discovering Linux and adapting malware previously designed for Windows systems. We take you inside the Linux version of a famous Windows ransomware tool.
Page Pulse
Do you want to be alerted when a product is back in stock on your favorite online store? Do you want to know when a website without an RSS feed gets an update? With changedetection.io, you can stay up-to-date on website changes.
Arco Linux
ArcoLinux, an Arch derivative, offers easier installs while educating users about Arch Linux along the way.
Ghost Coder
Artificial intelligence is increasingly supporting programmers in their daily work. How effective are these tools? What are the dangers? And how can you benefit from Al-assisted development today?
Zack's Kernel News
Chronicler Zack Brown reports on the latest news, views, dilemmas, and developments within the Linux kernel community.
