System Alert

Linux systems can be compromised by the installation of hidden processes visible only from the kernel. Unhide is a generic name for a series of related commands designed to detect such processes through a toolkit of over 30 tests, most of which involve examining and comparing various elements of the system. Of all the versions, the one for Linux is by far the most developed. Originally, the Linux version was called unhide‑linux, but in Linux repositories, it is generally named simply unhide [1].

The unhide command works by scanning for inconsistencies within the parts of a Linux operating system that allow users to view what the kernel and related processes are doing. Many system elements compare /proc, the pseudo filesystem that displays information about the running system, and /bin/ps, which contains all processes currently running on the system. Others compare /bin/ps with the system calls between the Linux kernel and /bin/proc, which contains data about processes. Another compares the structure of process IDs (PIDs) with the conventional structure and size of other PIDs. These sources of information operate largely independently of each other, so differences between them may reveal an illegal intrusion. Most of them are not used by ordinary accounts, and even root should generally only view them. Consequently, unhide provides a safe glimpse into these processes that can help admins decide what future steps to take. Unusually for a Linux package, unhide consists of static dependencies, because if hidden processes exist, by definition, they cannot be detected by regular system resources. However, unhide does not take steps to remove intrusions, and any hits in the results should be checked before any response is made.