Diffstat (limited to 'system/unhide')
-rw-r--r--system/unhide/README6
-rw-r--r--system/unhide/doinst.sh3
-rw-r--r--system/unhide/fix-man.diff90
-rw-r--r--system/unhide/fixgui.diff44
-rw-r--r--system/unhide/unhide.SlackBuild135
-rw-r--r--system/unhide/unhide.desktop8
-rw-r--r--system/unhide/unhide.info10
7 files changed, 233 insertions, 63 deletions
diff --git a/system/unhide/README b/system/unhide/README
index 96344d2a2b..4bf99df2bb 100644
--- a/system/unhide/README
+++ b/system/unhide/README
@@ -1,6 +1,6 @@
-Unhide is a forensic tool to find processes and TCP/UCP ports hidden by
-rootkits, Linux kernel modules or by other techniques. It includes unhide
-and unhide-tcp.
+Unhide is a forensic tool to find processes and TCP/UCP ports hidden
+by rootkits, Linux kernel modules or by other techniques. It includes
+unhide and unhide-tcp.
Remember to run unhide as root only. Failing to do so could result in
a massive arrival of false positives.
diff --git a/system/unhide/doinst.sh b/system/unhide/doinst.sh
new file mode 100644
index 0000000000..5fb28930db
--- /dev/null
+++ b/system/unhide/doinst.sh
@@ -0,0 +1,3 @@
+if [ -x /usr/bin/update-desktop-database ]; then
+ /usr/bin/update-desktop-database -q usr/share/applications >/dev/null 2>&1
+fi
diff --git a/system/unhide/fix-man.diff b/system/unhide/fix-man.diff
new file mode 100644
index 0000000000..74e2793137
--- /dev/null
+++ b/system/unhide/fix-man.diff
@@ -0,0 +1,90 @@
+Description: fix formatting error and typos in the manpages
+Author: Julien Valroff <julien@debian.org>
+ Giovani Augusto Ferreira <giovani@riseup.net>
+ Samuel Henrique <samueloph@debian.org>
+ Fukui Daichi <a.dog.will.talk@akane.waseda.jp>
+Last-Updated: 2022-8-31
+diff --git a/man/fr/unhide.8 b/man/fr/unhide.8
+index 5c06ffa..483c4a2 100644
+--- a/man/fr/unhide.8
++++ b/man/fr/unhide.8
+@@ -222,7 +222,7 @@ Test standard :
+ unhide sys proc
+ .TP
+ Test le plus complet :
+-unhide -m -d sys procall brute reverse
++unhide \-m \-d sys procall brute reverse
+ .SH "BUGS"
+ .PP
+ Rapportez les bugs de \fBunhide\fR sur le bug tracker de GitHub (https://github.com/YJesus/Unhide/issues)
+diff --git a/man/unhide-tcp.8 b/man/unhide-tcp.8
+index 46ae799..05be2e5 100644
+--- a/man/unhide-tcp.8
++++ b/man/unhide-tcp.8
+@@ -18,35 +18,35 @@ given on the command line.
+ .PP
+ .SH "OPTIONS"
+ .TP
+-\fB\-h --help\fR
++\fB\-h -\-help\fR
+ Display help
+ .TP
+-\fB\--brief\fR
++\fB\-\-brief\fR
+ Don't display warning messages, that's the default behavior.
+ .TP
+-\fB\-f --fuser\fR
++\fB\-f -\-fuser\fR
+ Display fuser output (if available) for the hidden port
+ On FreeBSD, instead of fuser command, displays the output of the sockstat command for the hidden port.
+ .TP
+-\fB\-l --lsof\fR
++\fB\-l -\-lsof\fR
+ Display lsof output (if available) for the hidden port
+ .TP
+-\fB\-n --netstat\fR
++\fB\-n -\-netstat\fR
+ Use /bin/netstat instead of /sbin/ss. On system with many opened ports, this can
+ slow down the test dramatically.
+ .TP
+-\fB\-s --server\fR
++\fB\-s -\-server\fR
+ Use a very quick strategy of scanning. On system with a lot of opened ports,
+ it is hundreds times faster than ss method and ten thousands times faster than
+ netstat method.
+ .TP
+-\fB\-o --log\fR
++\fB\-o -\-log\fR
+ Write a log file (unhide-tcp-AAAA-MM-DD.log) in the current directory.
+ .TP
+-\fB\-V --version\fR
++\fB\-V -\-version\fR
+ Show version and exit
+ .TP
+-\fB\-v --verbose\fR
++\fB\-v -\-verbose\fR
+ Be verbose, display warning message (default : don't display).
+ This option may be repeated more than once.
+ .PP
+diff --git a/man/unhide.8 b/man/unhide.8
+index c4d8c1f..e263de5 100644
+--- a/man/unhide.8
++++ b/man/unhide.8
+@@ -29,7 +29,7 @@ Display help
+ Do more checks. As of 2012\-03\-17 version, this option has only
+ effect for the procfs, procall, checkopendir and checkchdir tests.
+ .br
+-Implies -v
++Implies \-v
+ .TP
+ \fB\-r\fR
+ Use alternate version of sysinfo check in standard tests
+@@ -224,7 +224,7 @@ Standard test:
+ unhide sys proc
+ .TP
+ Deeper test:
+-unhide -m -d sys procall brute reverse
++unhide \-m \-d sys procall brute reverse
+ .SH "BUGS"
+ .PP
+ Report \fBunhide\fR bugs on the bug tracker on GitHub (https://github.com/YJesus/Unhide/issues)
diff --git a/system/unhide/fixgui.diff b/system/unhide/fixgui.diff
new file mode 100644
index 0000000000..090eda948e
--- /dev/null
+++ b/system/unhide/fixgui.diff
@@ -0,0 +1,44 @@
+diff -Naur Unhide-20220611/unhideGui.py Unhide-20220611.patched/unhideGui.py
+--- Unhide-20220611/unhideGui.py 2022-06-11 05:30:24.000000000 -0400
++++ Unhide-20220611.patched/unhideGui.py 2023-08-03 17:03:50.945488351 -0400
+@@ -1,4 +1,4 @@
+-#!/bin/python3
++#!/usr/bin/env python3
+
+ """
+ Copyright © 2020-2022 Patrick Gouin
+@@ -19,13 +19,15 @@
+ """
+ __author__ = "Patrick Gouin"
+ __copyright__ = "Copyright 2020-2022, Patrick Gouin"
+-__credits__ = [daichifukui]
++__credits__ = "daichifukui"
+ __license__ = "GPL V3"
+ __version__ = "1.1"
+ __maintainer__ = "Patrick Gouin"
+ __email__ = "patrickg.github@free.fr"
+ __status__ = "Production"
+
++import sys
++sys.path.append("/usr/share/unhide")
+
+ from tkinter import *
+ from tkinter.ttk import *
+@@ -187,7 +189,7 @@
+
+
+ def GenCmd() :
+- Cmd = './unhide-linux '
++ Cmd = '/usr/sbin/unhide-linux '
+ idx = 0
+ for opt in OptionBut :
+ if opt[VARB].get() == '1' :
+@@ -209,7 +211,7 @@
+ CmdText.config(width = len(Cmd))
+
+ def GenTcpCmd() :
+- Cmd = './unhide-tcp '
++ Cmd = '/usr/sbin/unhide-tcp '
+ idx = 0
+ for opt in TcpOptionBut :
+ if opt[VARB].get() == '1' :
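Review bot: The `__credits__ = "daichifukui"` line fixes what appears to be an undefined-name reference in `__credits__ = [daichifukui]`, but it changes the value from a list to a bare string; the conventional shape of `__credits__` is a list of contributor names, so `__credits__ = ["daichifukui"]` keeps the original intent while still fixing the error. The `sys.path.append("/usr/share/unhide")` line hardcodes the directory the SlackBuild copies ToolTip.py into; because it appends rather than inserts at the front, a same-named module earlier on sys.path would take precedence, which is presumably acceptable here but deserves a one-line comment such as `# ToolTip.py is installed to /usr/share/unhide by the SlackBuild`. The replaced `./unhide-linux` and `./unhide-tcp` prefixes made the GUI depend on the caller's working directory, so pinning them to `/usr/sbin` is the right direction; GenCmd and GenTcpCmd both continue past the end of this patch, so how the built command string is executed is not visible here.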
diff --git a/system/unhide/unhide.SlackBuild b/system/unhide/unhide.SlackBuild
index e32a39575b..25e1372c6f 100644
--- a/system/unhide/unhide.SlackBuild
+++ b/system/unhide/unhide.SlackBuild
@@ -1,53 +1,55 @@
-#!/bin/sh
+#!/bin/bash
-# SlackBuild script for Unhide.
+# SlackBuild script for unhide.
-# This script is of public domain. It can be distributed, modified and used as desired.
-# Based on the PorteusBuild written by the same author at www.porteus.org/forum
+# Original author: Rubén Llorente <email removed>
+# Updated and maintained by B. Watson <urchlay@slackware.uk>
-# Rubén Llorente <porting@use.startmail.com>
+# Licensed under the WTFPL. See http://www.wtfpl.net/txt/copying/ for details.
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ''AS IS'' AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
-# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
-# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
-# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
-# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+# 20230804 bkw:
+# - take over maintenance.
+# - relicense as WTFPL with permission from Rubén (via mailing list).
+# - update for v20220611.
+# - add GUI (unhideGui.py), .desktop file, doinst.sh.
+# - minor fixes for man pages.
+# - symlink man pages, unhide => unhide-linux, to match the binary.
+# - add NEWS to doc dir.
+
+cd $(dirname $0) ; CWD=$(pwd)
PRGNAM=unhide
-VERSION=${VERSION:-20121229}
+SRCNAM=Unhide
+VERSION=${VERSION:-20220611}
BUILD=${BUILD:-1}
TAG=${TAG:-_SBo}
+PKGTYPE=${PKGTYPE:-tgz}
if [ -z "$ARCH" ]; then
case "$( uname -m )" in
- i?86) ARCH=i486 ;;
+ i?86) ARCH=i586 ;;
arm*) ARCH=arm ;;
*) ARCH=$( uname -m ) ;;
esac
fi
-CWD=$(pwd)
+if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
+ echo "$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE"
+ exit 0
+fi
+
TMP=${TMP:-/tmp/SBo}
PKG=$TMP/package-$PRGNAM
OUTPUT=${OUTPUT:-/tmp}
-if [ "$ARCH" = "i486" ]; then
- SLKCFLAGS="-O2 -march=i486 -mtune=i686"
- LIBDIRSUFFIX=""
+if [ "$ARCH" = "i586" ]; then
+ SLKCFLAGS="-O2 -march=i586 -mtune=i686"
elif [ "$ARCH" = "i686" ]; then
SLKCFLAGS="-O2 -march=i686 -mtune=i686"
- LIBDIRSUFFIX=""
elif [ "$ARCH" = "x86_64" ]; then
SLKCFLAGS="-O2 -fPIC"
- LIBDIRSUFFIX="64"
else
SLKCFLAGS="-O2"
- LIBDIRSUFFIX=""
fi
set -e
@@ -55,40 +57,63 @@ set -e
rm -rf $PKG
mkdir -p $TMP $PKG $OUTPUT
cd $TMP
-rm -rf $PRGNAM-$VERSION
-tar xvf $CWD/$PRGNAM-$VERSION.tgz
-cd $PRGNAM-$VERSION
+rm -rf $SRCNAM-$VERSION
+tar xvf $CWD/$SRCNAM-$VERSION.tar.gz
+cd $SRCNAM-$VERSION
chown -R root:root .
-find -L . \
- \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
- -o -perm 511 \) -exec chmod 755 {} \; -o \
- \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
- -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
-
-# gcc --static unhide.c -o unhide #### This is an obsolete version.
-gcc $SLKCFLAGS -Wall --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
-gcc $SLKCFLAGS -Wall --static unhide_rb.c -o unhide_rb
-gcc $SLKCFLAGS -Wall --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
-ln -s unhide-linux unhide
-
-# We put the binaries and documents in their right places
-mkdir -p $PKG/usr/sbin
-install -m 0700 unhide-tcp unhide-linux unhide unhide_rb $PKG/usr/sbin
-
-# Copy man pages
-mkdir -p $PKG/usr/man/{,es/,fr/}man8
-cp man/unhide{,-tcp}.8 $PKG/usr/man/man8
-cp man/es/unhide.8 $PKG/usr/man/es/man8
-cp man/fr/unhide.8 $PKG/usr/man/fr/man8
-find $PKG/usr/man -type f -exec gzip -9 {} \;
-
-mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
-cp COPYING LEEME.txt LISEZ-MOI.TXT README.txt TODO changelog $PKG/usr/doc/$PRGNAM-$VERSION
-cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
-cat $CWD/README > $PKG/usr/doc/$PRGNAM-$VERSION/README
+find -L . -perm /111 -a \! -perm 755 -a -exec chmod 755 {} + -o \
+ \! -perm /111 -a \! -perm 644 -a -exec chmod 644 {} +
+
+# Fix the GUI. Patch by SlackBuild maintainer.
+patch -p1 < $CWD/fixgui.diff
+
+# Fix typos and formatting errors in man pages, from Debian:
+# https://packages.debian.org/sid/unhide
+patch -p1 < $CWD/fix-man.diff
+
+# No Makefile or anything, commands come from README.txt:
+GCC="gcc $SLKCFLAGS -Wall --static"
+$GCC -pthread unhide-linux*.c unhide-output.c -o unhide-linux
+$GCC unhide_rb.c -o unhide_rb
+$GCC unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
+
+SBIN=$PKG/usr/sbin
+mkdir -p $SBIN
+install -s -m 0755 unhide-tcp unhide-linux unhide_rb $SBIN
+ln -s unhide-linux $SBIN/unhide
+
+for i in "" es fr; do
+ dir=$PKG/usr/man/$i/man8
+ mkdir -p $dir
+ for j in unhide unhide-tcp; do
+ gzip -9 < man/$i/$j.8 > $dir/$j.8.gz
+ done
+ ln -s unhide.8.gz $dir/unhide-linux.8.gz
+done
+
+# 20230803 bkw: the GUI isn't well-documented, but seems to work, at
+# least after a bit of patching.
+mkdir -p $PKG/usr/bin
+install -m0755 unhideGui.py $PKG/usr/bin
+PYDIR=$PKG/usr/share/$PRGNAM
+mkdir -p $PYDIR
+cp -a ToolTip.py $PYDIR
+
+# 20230804 bkw: wrote a .desktop file for the GUI. Couldn't think of
+# an idea for an icon, so I just used the magnifying glass icon
+# from WindowMaker.
+mkdir -p $PKG/usr/share/applications
+cat $CWD/$PRGNAM.desktop > $PKG/usr/share/applications/$PRGNAM.desktop
+
+PKGDOC=$PKG/usr/doc/$PRGNAM-$VERSION
+mkdir -p $PKGDOC
+cp COPYING LEEME.txt LISEZ-MOI.TXT README.txt NEWS TODO changelog $PKGDOC
+cat $CWD/$PRGNAM.SlackBuild > $PKGDOC/$PRGNAM.SlackBuild
+cat $CWD/README > $PKGDOC/README
mkdir -p $PKG/install
cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
cd $PKG
-/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE
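Review bot: `install -s -m 0755 unhide-tcp unhide-linux unhide_rb $SBIN` changes the binaries from the previous 0700 to world-executable without saying why, while the README in the same commit still says to run unhide as root only; 0755 is the normal mode for /usr/sbin, but a short comment would stop the next maintainer from reverting it, e.g. `# 0755 (was 0700): standard mode for /usr/sbin; the tool still has to be run as root, see README`. The man page loop now expects `man/es/unhide-tcp.8` and `man/fr/unhide-tcp.8`, which the old script never installed; if either file is missing from the 20220611 tarball the `gzip -9 < man/$i/$j.8` redirect fails and `set -e` aborts the build, so this presumably was verified against the new source but is worth a comment on the loop. `$GCC` is expanded unquoted on purpose so the flags word-split; a comment like `# unquoted on purpose: $SLKCFLAGS must split into separate arguments` would make that explicit.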
diff --git a/system/unhide/unhide.desktop b/system/unhide/unhide.desktop
new file mode 100644
index 0000000000..6a0bca33ee
--- /dev/null
+++ b/system/unhide/unhide.desktop
@@ -0,0 +1,8 @@
+[Desktop Entry]
+Name=UnhideGUI
+Comment=Front-end for unhide
+Exec=unhideGui.py
+Terminal=false
+Type=Application
+Icon=/usr/share/WindowMaker/Icons/Magnify.xpm
+Categories=System;Security;
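Review bot: `Icon=/usr/share/WindowMaker/Icons/Magnify.xpm` points at a file shipped by WindowMaker, which is not listed as a dependency (REQUIRES is empty in unhide.info), so on systems without it the entry simply has no icon; the SlackBuild explains the choice but the .desktop file itself does not, so a comment line such as `# Icon borrowed from WindowMaker; the entry just lacks an icon if it is not installed` would help whoever reads this file alone. `Exec=unhideGui.py` runs as the desktop user, and the patched GUI hardcodes `/usr/sbin/unhide-linux` and `/usr/sbin/unhide-tcp`; if the GUI runs those as the invoking user, a menu launch by a regular account hits the false-positive case the README warns about, which presumably deserves a mention in the README or the Comment= field.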
diff --git a/system/unhide/unhide.info b/system/unhide/unhide.info
index be8720c5d2..c9c1968c64 100644
--- a/system/unhide/unhide.info
+++ b/system/unhide/unhide.info
@@ -1,10 +1,10 @@
PRGNAM="unhide"
-VERSION="20121229"
+VERSION="20220611"
HOMEPAGE="http://www.unhide-forensics.info"
-DOWNLOAD="http://downloads.sourceforge.net/unhide/unhide-20121229.tgz"
-MD5SUM="1ad76312ed0ff7a26b8c501af9bffc67"
+DOWNLOAD="https://github.com/YJesus/Unhide/archive/v20220611/Unhide-20220611.tar.gz"
+MD5SUM="cb0fc465ef26e907ba2166551dc27369"
DOWNLOAD_x86_64=""
MD5SUM_x86_64=""
REQUIRES=""
-MAINTAINER="Rubén Llorente"
-EMAIL="porting@use.startmail.com"
+MAINTAINER="B. Watson"
+EMAIL="urchlay@slackware.uk"