author | wxs <wxs@FreeBSD.org> | 2009-03-13 08:31:07 +0800 |
---|---|---|
committer | wxs <wxs@FreeBSD.org> | 2009-03-13 08:31:07 +0800 |
commit | 024805c6be22f79f954c04e742d310ff16f08aa9 (patch) | |
tree | efb11fac5239032fbc60075e3e7777fa8eb9a977 /security | |
parent | e835604d9f325e40e9870a802058e67c79b99ab2 (diff) | |
Unhide is a forensic tool to find hidden processes and TCP/UDP ports by
rootkits / LKMs or by another hidden technique. It consists of two
programs: unhide and unhide-tcp.
unhide detects hidden processes through:
* Comparison of /proc vs /bin/ps output.
* Comparison of info gathered from /bin/ps with info gathered from
syscalls (syscall scanning).
* Full PIDs space occupation (PIDs bruteforcing).
unhide-tcp identifies TCP/UDP ports that are listening but not listed in
/bin/netstat by brute forcing all available TCP/UDP ports.
WWW: http://http://www.security-projects.com/?Unhide/
PR: ports/132131
Submitted by: Nikos Ntarmos <ntarmos@cs.uoi.gr>
Diffstat (limited to 'security')
-rw-r--r-- | security/unhide/Makefile | 30 | ||||
-rw-r--r-- | security/unhide/distinfo | 3 | ||||
-rw-r--r-- | security/unhide/files/patch-Makefile | 22 | ||||
-rw-r--r-- | security/unhide/pkg-descr | 15 |
4 files changed, 70 insertions, 0 deletions
diff --git a/security/unhide/Makefile b/security/unhide/Makefile
new file mode 100644
index 000000000000..d3220959f800
--- /dev/null
+++ b/security/unhide/Makefile
@@ -0,0 +1,30 @@
+# New ports collection makefile for: unhide
+# Date created: 26 February 2009
+# Whom: ntarmos@cs.uoi.gr
+#
+# $FreeBSD$
+#
+
+PORTNAME= unhide
+PORTVERSION= 20080519
+CATEGORIES= security
+MASTER_SITES= http://www.security-projects.com/
+DISTNAME= ${PORTNAME}${DISTVERSION}
+EXTRACT_SUFX= .tgz
+
+MAINTAINER= ntarmos@cs.uoi.gr
+COMMENT= A forensic tool to find hidden processes and TCP/UDP ports
+
+WRKSRC= ${WRKDIR}/${PORTNAME}-${DISTVERSION}
+PLIST_FILES= sbin/unhide sbin/unhide-tcp
+MAN8= unhide.8 unhide-tcp.8
+MANCOMPRESSED= yes
+
+.include <bsd.port.pre.mk>
+
+pre-configure:
+ @${REINPLACE_CMD} -e 's/-eLf/-axH/g' -e 's/$$2/$$1/g' ${WRKSRC}/unhide.c
+ @${REINPLACE_CMD} -e 's/-t/-p tcp -/g' -e 's/-u/-p udp -/g' \
+ ${WRKSRC}/unhide-tcp.c
+
+.include <bsd.port.post.mk>
diff --git a/security/unhide/distinfo b/security/unhide/distinfo
new file mode 100644
index 000000000000..ba3094d65f36
--- /dev/null
+++ b/security/unhide/distinfo
@@ -0,0 +1,3 @@
+MD5 (unhide20080519.tgz) = 1194ec0f89c6f28e8eb64fb66836f70f
+SHA256 (unhide20080519.tgz) = 631bc2fb09fa05351273021fd32483e5bf4187dcdc15222335fe2ddc5d146ae3
+SIZE (unhide20080519.tgz) = 17104
diff --git a/security/unhide/files/patch-Makefile b/security/unhide/files/patch-Makefile
new file mode 100644
index 000000000000..d68364bd7c3e
--- /dev/null
+++ b/security/unhide/files/patch-Makefile
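Review bot: The sed expressions in the `pre-configure` target of security/unhide/Makefile are unanchored, so `s/-t/-p tcp -/g` and `s/-u/-p udp -/g` rewrite every `-t` and `-u` in unhide-tcp.c, not only the netstat flags they are presumably meant to adapt. Any other occurrence, for example the program name `unhide-tcp` in a usage string if the source has one, would be changed as well, and the same holds for `s/$$2/$$1/g` on unhide.c. Because the tool's findings depend on these command strings being exactly right, I would match on the surrounding command text instead, e.g. `-e 's/netstat -t/netstat -p tcp -/'` (adjust to the literal actually used upstream). A comment above the target naming the upstream strings being rewritten and why FreeBSD needs the change would also help the next maintainer verify the result after a version bump.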
@@ -0,0 +1,22 @@
+--- /dev/null 2009-02-26 16:27:00.000000000 +0200
++++ Makefile 2009-02-26 16:26:45.000000000 +0200
+@@ -0,0 +1,19 @@
++DESTDIR := /usr/local
++MANDIR := ${DESTDIR}/man
++INSTALL_PROGRAM := /usr/bin/install -s -m 0700
++INSTALL_MAN := /usr/bin/install -m 0444
++GZIP_CMD := /usr/bin/gzip -9
++MKDIR_CMD := /bin/mkdir -p
++
++all:
++ gcc unhide.c -o unhide
++ gcc unhide-tcp.c -o unhide-tcp
++
++install: all
++ ${MKDIR_CMD} ${DESTDIR}/sbin ${MANDIR}/man8
++ ${INSTALL_PROGRAM} unhide ${DESTDIR}/sbin/unhide
++ ${INSTALL_PROGRAM} unhide-tcp ${DESTDIR}/sbin/unhide-tcp
++ ${INSTALL_MAN} man/unhide.8 ${MANDIR}/man8 && \
++ ${GZIP_CMD} ${MANDIR}/man8/unhide.8
++ ${INSTALL_MAN} man/unhide-tcp.8 ${MANDIR}/man8 && \
++ ${GZIP_CMD} ${MANDIR}/man8/unhide-tcp.8
diff --git a/security/unhide/pkg-descr b/security/unhide/pkg-descr
new file mode 100644
index 000000000000..30c5845dcce3
--- /dev/null
+++ b/security/unhide/pkg-descr
@@ -0,0 +1,15 @@
+Unhide is a forensic tool to find hidden processes and TCP/UDP ports by
+rootkits / LKMs or by another hidden technique. It consists of two
+programs: unhide and unhide-tcp.
+
+unhide detects hidden processes through:
+ * Comparison of /proc vs /bin/ps output.
+ * Comparison of info gathered from /bin/ps with info gathered from.
+ * Syscalls (syscall scanning).
+ * Full PIDs space ocupation (PIDs bruteforcing).
+
+unhide-tcp identifies TCP/UDP ports that are listening but not listed in
+/bin/netstat by doing brute forcing of all TCP/UDP ports availables.
+
+
+WWW: http://http://www.security-projects.com/?Unhide/ |
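Review bot: The `all` target of the Makefile created by security/unhide/files/patch-Makefile hard-codes `gcc unhide.c -o unhide`, so the compiler and flags supplied through the build environment (CC, CFLAGS, LDFLAGS, including any hardening options the administrator has set) are ignored for both binaries. I would write `${CC} ${CFLAGS} unhide.c -o unhide ${LDFLAGS}` and the same for unhide-tcp. Relatedly, `DESTDIR := /usr/local` fixes the install location regardless of PREFIX, while the port's PLIST_FILES entries are PREFIX-relative; taking the directory from a `PREFIX` variable passed in by the port would keep the two consistent.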