Hi Jaka,

This tool won't help us much, because it does the same kind of detection that we do (comparing bind() with the output of netstat and /proc), so in the end both would detect these hidden ports and both wouldn't know if they are rootkits or just bind() without listen().

It doesn't really matter if you have lots of connections; it depends more on the behavior of the applications. Plus fuser/lsof and all the other tools wouldn't detect it either (since they all look at /proc). The only way is through brute-forcing all the ports, which is what ossec and unhide do.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Aug 4, 2009 at 6:49 PM, jack<[email protected]> wrote:
>
> Daniel,
>
> After re-reading your post I realized that I misunderstood you at
> first ... Anyhow - after ten minutes of googling whether newer Linux
> kernels address this problem of not seeing just bound ports, I came
> upon a tool called "unhide" and "unhide-tcp" that detects these ports as
> well... Might inclusion of this help ossec to get rid of false
> positives in cases where ports are just bound but not listened to... ?
>
> I posted a comment and link on http://www.ossec.net/dcid/?p=87
>
> cheers,
> Jaka
>
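The detection Daniel describes (brute-force every port with bind() and compare against what /proc reports), as an added Python example that is not OSSEC's or unhide's own code. The function names, the 0.0.0.0 probe address and the demo in the main block are assumptions of this example; the /proc/net/tcp format it parses is the standard kernel one. It also reproduces the false-positive case from the thread: a socket that is bind()ed but never listen()ed, which netstat, lsof and /proc do not show but which still makes a second bind() fail with EADDRINUSE.

```python
import errno
import os
import socket

# Files netstat/lsof-style tools read; bound-but-not-listening sockets
# are absent from both, which is the gap this scanner closes.
PROC_TCP_FILES = ("/proc/net/tcp", "/proc/net/tcp6")


def parse_proc_tcp(text):
    """Return the set of local ports listed in /proc/net/tcp-style text.

    Data lines look like:
        0: 0100007F:1F90 00000000:0000 0A ...
    where the local port is the hex value after the colon in the second
    field (1F90 -> 8080). The first line is a header and is skipped.
    """
    ports = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def visible_tcp_ports():
    """Ports the /proc-based tools would see (empty set if /proc is absent)."""
    ports = set()
    for path in PROC_TCP_FILES:
        if os.path.exists(path):
            with open(path) as f:
                ports |= parse_proc_tcp(f.read())
    return ports


def port_in_use(port, addr="0.0.0.0"):
    """Probe one port the brute-force way: try to bind() it ourselves.

    A socket that was bind()ed without listen() still owns the port in the
    kernel's bind table, so our bind() fails with EADDRINUSE even though
    the port is not in /proc/net/tcp. SO_REUSEADDR is deliberately NOT set:
    with it, two non-listening sockets may share a port and the probe
    would miss the hidden one. Returns None for EACCES (privileged port,
    non-root scanner), which the caller treats as "unknown".
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((addr, port))
        return False
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True
        if e.errno == errno.EACCES:
            return None
        raise
    finally:
        probe.close()


def find_hidden_ports(ports, addr="0.0.0.0"):
    """Ports bind() reports as taken that /proc does not list.

    A hit means "hidden from /proc", not "rootkit": as the thread notes,
    an application that bind()s and never listen()s produces the same result.
    """
    visible = visible_tcp_ports()
    return sorted(p for p in ports if port_in_use(p, addr) and p not in visible)


def hide_port(addr="0.0.0.0"):
    """Reproduce the false-positive case: bind() with no listen().

    Returns the socket (keep it referenced; closing it frees the port) and
    the kernel-chosen port number.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((addr, 0))
    return s, s.getsockname()[1]


if __name__ == "__main__":
    holder, port = hide_port()
    print("bound without listen() on port", port)
    print("listed in /proc/net/tcp:", port in visible_tcp_ports())
    print("bind() probe says in use:", port_in_use(port))
    print("hidden ports in a small range:",
          find_hidden_ports(range(port - 5, port + 6)))
    holder.close()
```

Scanning all 65535 ports this way is slow and, as a non-root user, inconclusive for ports below 1024 (bind() returns EACCES rather than EADDRINUSE). Established connections on ephemeral ports also fail the bind() probe, but they appear in /proc/net/tcp and so are not flagged; only sockets that exist in the bind table alone end up in the result.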
