Hi,
unhide reports that there are ports that are not being seen by ss. I also used lsof and netstat and they don't show up.
[~] % sudo unhide-tcp
Unhide-tcp 20130526
Copyright © 2013 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info
Used options:
[*]Starting TCP checking
Found Hidden port that not appears in ss: 840
Found Hidden port that not appears in ss: 851
[*]Starting UDP checking
[~] %
I created auditd rules to monitor socket-related system calls:
% sudo auditctl -l
-a always,exit -F arch=b64 -S connect -F key=CONNECT
-a always,exit -F arch=b64 -S bind -F key=BIND
-a always,exit -F arch=b64 -S socket -F key=SOCKET
-a always,exit -F arch=b64 -S listen -F key=LISTEN
-a always,exit -F arch=b64 -S shutdown -F key=SHUTDOWN
-a always,exit -F arch=b64 -S close -F key=CLOSE
The problem is that when I search the log files, I don't see any references to the hidden ports 840 or 851. Below is one entry where unhide-tcp is trying to bind to port 39781, so I know auditd is logging entries:
type=SOCKADDR msg=audit(12/15/2017 16:17:32.935:11040116) : saddr=inet host:0.0.0.0 serv:39781
type=SYSCALL msg=audit(12/15/2017 16:17:32.935:11040116) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffc212a92f0 a2=0x10 a3=0x0 items=0 ppid=21752 pid=21753 auid=*** uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=225 comm=unhide-tcp exe=/usr/sbin/unhide-tcp subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=BIND
do any of you have any suggestions?
thanks,
yah
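As an added example (not part of the post above), a small Python script that groups SOCKADDR and SYSCALL records from `ausearch -i` output by audit event id, so a bind() can be looked up by port instead of grepping the raw log; the unhide-tcp pair is the one quoted in the post, the sshd pair is constructed.

```python
import re
from collections import defaultdict

# Sample records in `ausearch -i` (interpreted) format. The first two lines are the
# bind() event quoted in the post; the sshd lines are constructed for contrast.
SAMPLE_LOG = """\
type=SOCKADDR msg=audit(12/15/2017 16:17:32.935:11040116) : saddr=inet host:0.0.0.0 serv:39781
type=SYSCALL msg=audit(12/15/2017 16:17:32.935:11040116) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffc212a92f0 a2=0x10 a3=0x0 items=0 ppid=21752 pid=21753 auid=*** uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=225 comm=unhide-tcp exe=/usr/sbin/unhide-tcp subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=BIND
type=SOCKADDR msg=audit(12/15/2017 16:18:01.002:11040200) : saddr=inet host:0.0.0.0 serv:22
type=SYSCALL msg=audit(12/15/2017 16:18:01.002:11040200) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffd00000000 a2=0x10 a3=0x0 items=0 ppid=1 pid=1200 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0 key=BIND
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*)\) : (.*)$")
SADDR_RE = re.compile(r"saddr=inet6? host:(\S+) serv:(\d+)")

def parse_events(text):
    """Group records by audit event id; each event becomes one dict of fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        if rtype == "SOCKADDR":
            s = SADDR_RE.search(body)
            if s:  # only IPv4/IPv6 addresses carry a port; unix sockets do not
                events[event_id]["host"] = s.group(1)
                events[event_id]["port"] = int(s.group(2))
        elif rtype == "SYSCALL":
            # key=value tokens; split on the first "=" so SELinux contexts survive
            events[event_id].update(kv.split("=", 1) for kv in body.split() if "=" in kv)
    return events

def binds_by_port(text):
    """Map each bound port to the (comm, pid, success) tuples that bound it."""
    index = defaultdict(list)
    for ev in parse_events(text).values():
        if ev.get("syscall") == "bind" and "port" in ev:
            index[ev["port"]].append((ev.get("comm"), ev.get("pid"), ev.get("success")))
    return dict(index)

def unexplained_ports(text, suspicious):
    """Ports flagged by unhide-tcp that no audited user-space bind() accounts for."""
    index = binds_by_port(text)
    return sorted(p for p in suspicious if p not in index)
```

Sockets owned by kernel threads (in-kernel NFS components, for example) are bound inside the kernel and never pass through the bind() syscall, so a port with no audit record is not by itself evidence of a hidden user-space process.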
hidden ports as reported by unhide-tcp