Name: unhide
Version: 20130526
Release: 4
Summary: Unhide is a forensic tool to find hidden processes and TCP/UDP ports.
Packager: Atomicorp
Vendor: Atomicorp http://www.atomicorp.com
Group: Applications/System
License: GPLv3+
URL: http://www.security-projects.com/?Unhide
Source0: http://www.security-projects.com/%{name}-%{version}.tgz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
BuildRequires: glibc-static
%endif

%description
Unhide is a forensic tool to find processes and TCP/UDP ports hidden by
rootkits, Linux kernel modules or by other techniques. It includes two
utilities: unhide and unhide-tcp.

Unhide detects hidden processes using three techniques:
- comparing the output of /proc and /bin/ps
- comparing the information gathered from /bin/ps with the one gathered
  from system calls (syscall scanning)
- full scan of the process ID space (PIDs bruteforcing)

unhide-tcp identifies TCP/UDP ports that are listening but are not listed
in /bin/netstat through brute forcing of all TCP/UDP ports available.

%prep
%setup -q -n %{name}-%{version}

%build
gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide
gcc -Wall -O2 --static unhide_rb.c -o unhide_rb
gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
#%{__cc} %{optflags} --static -lpthread unhide-linux*.c unhide-output.c -o unhide
#%{__cc} %{optflags} --static unhide_rb.c -o unhide_rb
#%{__cc} %{optflags} --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp

%install
%{__rm} -rf $RPM_BUILD_ROOT
%{__mkdir} -m755 -p ${RPM_BUILD_ROOT}%{_bindir}
%{__mkdir} -m755 -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}/
%{__mkdir} -m755 -p ${RPM_BUILD_ROOT}/usr/man/man8/
%{__install} -m700 -p %{name} ${RPM_BUILD_ROOT}%{_bindir}/
#%{__install} -m700 -p %{name}_rb ${RPM_BUILD_ROOT}%{_bindir}/
%{__install} -m700 -p %{name}-tcp ${RPM_BUILD_ROOT}%{_bindir}/
%{__install} -m644 -p README.txt ${RPM_BUILD_ROOT}%{_datadir}/%{name}/
%{__install} -m644 -p LEEME.txt ${RPM_BUILD_ROOT}%{_datadir}/%{name}/
%{__install} -m644 -p man/unhide.8 ${RPM_BUILD_ROOT}/usr/man/man8/unhide.8
%{__install} -m644 -p man/unhide-tcp.8 ${RPM_BUILD_ROOT}/usr/man/man8/unhide-tcp.8

%post
if [ ! -h /usr/bin/unhide-linux26 ]; then
    ln -sf /usr/bin/unhide /usr/bin/unhide-linux26
fi
#if [ ! -h /usr/bin/unhide.rb ]; then
#    ln -sf /usr/bin/unhide_rb /usr/bin/unhide.rb
#fi

%clean
%{__rm} -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root,-)
%{_bindir}/%{name}
%{_bindir}/%{name}-tcp
%dir %{_datadir}/%{name}
%{_datadir}/*
/usr/man/man8/unhide.8*
/usr/man/man8/unhide-tcp.8*

%changelog
* Tue Jun 18 2013 Support - 20130526-4
- Update to 20130526

* Thu Mar 28 2013 Support - 20130428-3
- Update to 20130428

* Mon Nov 19 2012 Support - 20120905-2
- Update to 20120905
- Rebuild packages --static, and add unhide.rb
- Add post event to symlink to alternately used names (unhide-linux26, etc)

* Fri Feb 18 2011 Support - 20110113-1
- Update to 20110113

* Sun Dec 13 2009 Scott R. Shinn - 20090810-1
- update to 20090810

* Sat Jan 3 2009 Scott R. Shinn - 20080519-1
- update to 20080519
- added man pages

* Tue Mar 18 2008 Scott R. Shinn - 02112007-1
- initial release
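The "PIDs bruteforcing" technique named in %description, as an added example that is not code from unhide or from this spec: every PID is probed with kill() and getsid() and cross-checked against its /proc entry, with a re-probe to discard processes that exited mid-scan and a path lookup so thread ids are not flagged. The names MAX_PID, pid_alive, proc_visible, scan_hidden and demo_scan are assumptions, the sample views are constructed, and unhide itself probes with more syscalls than these two.

```c
/* Added example, not code from unhide or this spec: a minimal form of the
 * "PID bruteforcing" technique. Every PID below max_pid is probed with syscalls;
 * one the kernel answers for but that has no /proc entry is a hidden candidate. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_PID 32768 /* assumption: the default kernel.pid_max */
/* kill(pid, 0) succeeds or fails with EPERM for a live PID and fails with
 * ESRCH only if none exists; getsid() is a second, independent witness. */
static int pid_alive(int pid)
{
    errno = 0;
    if (kill(pid, 0) == 0 || errno == EPERM) return 1;
    errno = 0;
    return getsid(pid) >= 0 || errno == EPERM;
}

/* Path lookup rather than readdir(): /proc/<tid> resolves for thread ids
 * too, so threads (which also answer kill()) are not reported as hidden. */
static int proc_visible(int pid)
{
    char path[32];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d", pid);
    return stat(path, &st) == 0;
}

/* Core comparison with both views injected. A PID is reported only if alive,
 * absent from /proc and still alive on a re-probe (drops ones that just exited). */
int scan_hidden(int (*alive)(int), int (*visible)(int), int max_pid, int *out, int out_len)
{
    int n = 0;
    for (int pid = 1; pid < max_pid && n < out_len; pid++)
        if (alive(pid) && !visible(pid) && alive(pid)) out[n++] = pid;
    return n;
}
/* Constructed sample views (not a real system): PIDs 7, 42 and 300 answer
 * the syscalls but only 7 and 300 appear in /proc, so 42 is hidden. */
static int sample_alive(int p)   { return p == 7 || p == 42 || p == 300; }
static int sample_visible(int p) { return p == 7 || p == 300; }
int demo_scan(int *out, int len) { return scan_hidden(sample_alive, sample_visible, 1024, out, len); }

int main(void)
{
    int h[64], n = scan_hidden(pid_alive, proc_visible, MAX_PID, h, 64);
    for (int i = 0; i < n; i++) printf("hidden PID candidate: %d\n", h[i]);
    return 0;
}
```

Run the live scan as root: on a /proc mounted with hidepid, an unprivileged caller gets no /proc entry for other users' processes and every one of them would be reported. A rootkit that also hooks kill() and getsid() defeats this pair of probes, which is why unhide adds further syscalls and the /proc-versus-ps comparison.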