hidden ports as reported by unhide-tcp

Support for security such as Firewalls and securing linux
Post Reply
yah
Posts: 6
Joined: 2016/10/27 01:57:41

hidden ports as reported by unhide-tcp

Post by yah » 2017/12/15 22:57:54

Hi,

unhide reports that there are ports that are not being seeing by ss. i also used lsof and netstat and they don't show up.

[~] % sudo unhide-tcp
Unhide-tcp 20130526
Copyright © 2013 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info
Used options:
[*]Starting TCP checking

Found Hidden port that not appears in ss: 840

Found Hidden port that not appears in ss: 851
[*]Starting UDP checking
[~] %

i created auditd rules to monitor socket related system calls

% sudo auditctl -l
-a always,exit -F arch=b64 -S connect -F key=CONNECT
-a always,exit -F arch=b64 -S bind -F key=BIND
-a always,exit -F arch=b64 -S socket -F key=SOCKET
-a always,exit -F arch=b64 -S listen -F key=LISTEN
-a always,exit -F arch=b64 -S shutdown -F key=SHUTDOWN
-a always,exit -F arch=b64 -S close -F key=CLOSE


the problem is that when i search the log files, i don't see any references to hidden ports 840 or 851. below is one entry where unhide-tcp is trying to bind to port 39781, so i know auditd is logging entries

type=SOCKADDR msg=audit(12/15/2017 16:17:32.935:11040116) : saddr=inet host:0.0.0.0 serv:39781
type=SYSCALL msg=audit(12/15/2017 16:17:32.935:11040116) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffc212a92f0 a2=0x10 a3=0x0 items=0 ppid=21752 pid=21753 auid=*** uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=225 comm=unhide-tcp exe=/usr/sbin/unhide-tcp subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=BIND


do any of you have any suggestions?

thanks,

yah

Post Reply