Description of problem:
A missing newline at the end of the ss command output is causing false positives for hidden ports in unhide-tcp.

Version-Release number of selected component (if applicable):
iproute-5.4.0-1.fc31.x86_64
unhide-20130526-13.fc31.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Make a connection to another host, e.g. ssh
2. Run unhide-tcp
3.

Actual results:
Port is reported as hidden

Expected results:
No hidden port reported

Additional info:
This appears to be because ss is not including a newline character at the end of its output, but is instead extending the last line using spaces to pad to the terminal width and push the prompt onto the next line. This is confusing unhide-tcp which is expecting to see a port number followed by a newline. However the newline is missing, causing unhide-tcp not to recognise that ss could see the port, and thus reporting it as hidden.

Example ss output with terminal prompts:
------------------------------------------------------
[user@myhost ~]$ ss -tan sport = :39322
State       Recv-Q  Send-Q  Local Address:Port    Peer Address:Port    Process
TIME-WAIT   0       0       192.168.105.10:39322  192.168.105.36:2222  [user@myhost ~]$
------------------------------------------------------

It can be seen that the shell prompt appears after the 80th character on the last line and not on the next line. It becomes more apparent when you pipe the output of ss through cat, e.g. ss -tan sport = :39322|cat.
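The failure mode described in the report above, as an added example (not code from unhide or iproute): `seen_by_ss_strict` is a hypothetical reader that only accepts newline-terminated records, `seen_by_ss_tolerant` accepts an unterminated, space-padded last line, and both sample outputs are constructed from the values in the report.

```python
# Constructed sample data modelled on the report; not captured from a real host.
HEADER = "State      Recv-Q  Send-Q  Local Address:Port    Peer Address:Port  Process"
ENTRY = "TIME-WAIT  0       0       192.168.105.10:39322  192.168.105.36:2222"

# Affected ss: last entry padded with spaces to 80 columns, no trailing newline.
SS_BUGGY = HEADER + "\n" + ENTRY.ljust(80)
# Fixed ss: every line, including the last one, ends with a newline.
SS_FIXED = HEADER + "\n" + ENTRY + "\n"


def local_ports(lines):
    """Return the local ports found in ss data rows (4th column, addr:port)."""
    ports = set()
    for line in lines:
        fields = line.split()  # split() also discards the trailing padding
        if len(fields) < 5 or ":" not in fields[3]:
            continue  # header row, blank line or fragment
        port = fields[3].rsplit(":", 1)[1]  # rsplit keeps IPv6 like [::1]:35417 intact
        if port.isdigit():
            ports.add(int(port))
    return ports


def seen_by_ss_strict(output, port):
    """Hypothetical brittle reader: a record only counts if a newline ends it."""
    complete = output.split("\n")[:-1]  # the unterminated final fragment is dropped
    return port in local_ports(complete)


def seen_by_ss_tolerant(output, port):
    """Accept the final record with or without a terminating newline."""
    return port in local_ports(output.splitlines())


def reported_hidden(port, output, seen):
    """A port known to be in use is flagged as hidden when the reader misses it."""
    return not seen(output, port)


if __name__ == "__main__":
    for name, out in (("buggy", SS_BUGGY), ("fixed", SS_FIXED)):
        print(name,
              "strict:", reported_hidden(39322, out, seen_by_ss_strict),
              "tolerant:", reported_hidden(39322, out, seen_by_ss_tolerant))
```
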
Hi,

What is unhide-tcp? Please keep in mind that ss output is meant for humans, not necessarily scripts. Maybe you could use '--diag' option and parse the binary data instead?

Anyway, looks like we're missing the following commit:

commit 9eee92a41ae630b2c9e92ae2875ca56801c96b73
Author: Brian Vazquez <brianvv>
Date: Wed Dec 4 13:32:28 2019 -0800

    ss: fix end-of-line printing in misc/ss.c

    The previous change to ss to show header broke the printing of end-of-line for the last entry.

    Tested:

    diff <(./ss.old -nltp) <(misc/ss -nltp)
    38c38
    < LISTEN 0 128 [::1]:35417 [::]:* users:(("foo",pid=65254,fd=116))
    \ No newline at end of file

    Signed-off-by: Stephen Hemminger <stephen>

(Yes, Fixes: tags are for the weak and so are SoBs or maintainers insisting on both.)
unhide-tcp is part of the unhide package and tries to detect hidden TCP and UDP ports, i.e. ports that are open on your system, but that don't show up in tools like ss or netstat. It's used by rkhunter as part of its root kit detection.
FEDORA-2020-8f69c7534c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-8f69c7534c
FEDORA-2020-8f69c7534c has been pushed to the Fedora 31 testing repository.

In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-8f69c7534c`

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-8f69c7534c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Before update, using iproute-5.4.0-1.fc31.x86_64:

> # unhide-tcp
> Unhide-tcp 20130526
> Copyright © 2013 Yago Jesus & Patrick Gouin
> License GPLv3+ : GNU GPL version 3 or later
> http://www.unhide-forensics.info
> Used options:
> [*]Starting TCP checking
>
> Found Hidden port that not appears in ss: 34071
>
> Found Hidden port that not appears in ss: 38683
>
> Found Hidden port that not appears in ss: 39367
>
> Found Hidden port that not appears in ss: 40058
>
> Found Hidden port that not appears in ss: 48855
>
> Found Hidden port that not appears in ss: 49099
>
> Found Hidden port that not appears in ss: 51248
>
> Found Hidden port that not appears in ss: 51440
>
> Found Hidden port that not appears in ss: 52641
>
> Found Hidden port that not appears in ss: 53155
>
> Found Hidden port that not appears in ss: 54655
>
> Found Hidden port that not appears in ss: 56080
>
> Found Hidden port that not appears in ss: 56082
> [*]Starting UDP checking

...and after the update to iproute-5.4.0-2.fc31.x86_64:

> # unhide-tcp
> Unhide-tcp 20130526
> Copyright © 2013 Yago Jesus & Patrick Gouin
> License GPLv3+ : GNU GPL version 3 or later
> http://www.unhide-forensics.info
> Used options:
> [*]Starting TCP checking
> [*]Starting UDP checking

So that now appears to be working as expected, thank you.
FEDORA-2020-8f69c7534c has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report.