How to Find Hidden Processes in Linux
Last Updated: 27 Jan, 2025
Hidden or unlisted running processes in Linux can indicate issues like misconfigured applications or potential security threats, including malware or rootkits. Identifying and addressing these hidden processes is crucial for maintaining a secure and efficient system. This guide provides simple and advanced methods to uncover hidden processes using Linux commands and tools.
Why Look for Hidden Processes?
- Troubleshooting Performance Issues: Hidden processes might consume system resources without your knowledge.
- Enhancing Security: Detecting potential malware or unauthorized tasks running on your system.
- System Monitoring: Ensure that all processes align with expected system activity.
Linux itself does not deliberately hide processes. Hidden processes typically arise from external factors such as malware, rootkits, or poorly configured applications. Malicious software may conceal its presence by modifying process tables, the /proc filesystem, or system calls, making the processes invisible to standard tools like ps or top. The important point for detection is that ps, top, htop, lsof and pgrep all obtain their process list the same way, by reading /proc, so anything that filters /proc fools all of them at once. Finding hidden processes therefore means comparing several independent views of the system and looking for disagreements, which is what chkrootkit and unhide automate.
Commands to Find Hidden Processes in Linux
Here are common commands, their options, and how they can help you find hidden processes:
1. ps Command
The ps command lists the processes running on the system. For more details refer to the article on the ps command.
ps aux
- a: Show processes for all users.
- u: Display the user-oriented format (user, CPU, memory, start time).
- x: Include processes without a controlling terminal (daemons).
Example to Find Suspicious Processes
ps -ef | grep <process_name>
Note: the grep process itself matches its own pattern, so one of the lines returned is always the grep; pgrep (below) avoids this. Remember that ps only reports what /proc exposes to it, so a process hidden by a rootkit will not appear here however you filter the output.
2. top Command
top provides a real-time view of running processes, sorted by CPU usage by default. For more details refer to the article on the top command.
top
Note: Advanced usage: press H (Shift + h) while top is running to toggle threads mode, which lists every thread individually instead of one line per process. Kernel threads are already included in the default listing; they are not hidden processes.
3. htop Command
htop is a user-friendly alternative to top. For more details refer to the article on the htop command.
htop
Note: Navigate through the process list and look for anomalies or unrecognized processes; press F5 for the tree view, which shows each process's parent and makes an unexpected child of a legitimate daemon easy to spot. htop hides kernel threads by default; press K to show them and H to show userland threads, so that a missing entry is not simply a display setting.
4. lsof Command
lsof lists open files and the processes holding them open. For more details refer to the article on the lsof command.
Syntax:
lsof +D /path_to_directory # list every open file below the directory, recursively, with its owning process
Note: The command above reveals which processes are working in a given directory, for example a binary executing from /tmp. It can be slow on large trees, since +D descends into every subdirectory. lsof gathers its data from /proc as well, so it is subject to the same hiding as ps; its value here is in tying a suspicious file or directory to a PID that you can then examine.
5. netstat or ss Command
These commands show network sockets and the processes that own them. For more details refer to the articles on the netstat and ss commands. netstat (from net-tools) is deprecated on most current distributions; ss (from iproute2) is its replacement and accepts the same flags used here.
netstat -tulnp # list listening ports and the processes that own them
or
ss -tulnp
- t: TCP sockets.
- u: UDP sockets.
- l: Listening sockets only.
- n: Show numeric addresses and ports instead of resolving names.
- p: Show the process owning each socket (run as root; otherwise sockets belonging to other users show no process).
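As an added example (written for this article, not taken from it or from the ss project), the following script audits ss -tulnp output in two ways: it flags listening sockets that ss cannot attribute to any process, and it extracts the PIDs that ss does name so they can be checked against what ps lists. SAMPLE_SS is constructed text in the format that ss -tulnp prints, with the port 4444 entry as the suspicious one; the function names are ours.

```shell
#!/bin/sh
# Added example, not from the original article: audit `ss -tulnp` output.
# Two tells when hunting hidden processes:
#   1. a listening socket with no owning process although ss ran as root
#   2. a PID that ss names as a socket owner but that `ps -e` does not list
# SAMPLE_SS is constructed output in the format `ss -tulnp` prints.

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      4096   0.0.0.0:4444        0.0.0.0:*
tcp   LISTEN 0      511    127.0.0.1:8080      0.0.0.0:*         users:(("nginx",pid=1203,fd=6),("nginx",pid=1204,fd=6))'

# orphan_listeners: read ss output on stdin and print "proto state local_address"
# for every socket whose Process column is empty (the header line is skipped).
orphan_listeners() {
  awk 'NR > 1 && $0 !~ /users:\(/ { print $1, $2, $5 }'
}

# owner_pids: read ss output on stdin and print every pid=N it names, sorted, unique.
owner_pids() {
  grep -o 'pid=[0-9]*' | cut -d= -f2 | sort -n -u
}

# unlisted_owner_pids: of the PIDs ss names on stdin, print those absent from `ps -e`.
# Queries the live system, so it is only meaningful on the host being examined.
unlisted_owner_pids() {
  for pid in $(owner_pids); do
    ps -eo pid= | tr -d ' ' | grep -qx "$pid" || echo "$pid"
  done
}

# Usage on a live system (as root, so ss can attribute every socket):
#   ss -tulnp | orphan_listeners
#   ss -tulnp | unlisted_owner_pids
# On the constructed sample:
#   printf '%s\n' "$SAMPLE_SS" | orphan_listeners   # -> tcp LISTEN 0.0.0.0:4444
#   printf '%s\n' "$SAMPLE_SS" | owner_pids         # -> 612 901 1203 1204
```

Two caveats before acting on a hit: without root, ss cannot attribute other users' sockets, so every one of them looks orphaned; and sockets served from inside the kernel (an in-kernel NFS server, for example) legitimately have no owning process. A socket that ss does not show at all is a different problem, and that is what unhide-tcp (discussed under unhide below) brute-forces the port range to find.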
6. pgrep Command
pgrep searches the process table by name and prints the matching PIDs; unlike ps piped into grep, it never matches itself.
pgrep -l <process_name>
- -l: Show process names alongside their IDs.
7. tcpdump Command
tcpdump captures network traffic so that you can identify suspicious activity. For more details refer to the article on the tcpdump command in Linux.
tcpdump -i eth0 # Replace eth0 with your network interface.
A process hidden from ps still has to send and receive packets. Traffic to or from a local port that ss cannot attribute to any process is a strong indication that the process owning that socket is being concealed.
8. chkrootkit Command
chkrootkit scans for known rootkits and hidden processes. For more details refer to the article on the chkrootkit tool.
sudo apt install chkrootkit
sudo chkrootkit
It looks for signatures of known rootkits, hidden processes, and other indicators of compromise. Its process check (chkproc) compares the PIDs present in /proc with the output of ps and reports any that ps omits.
9. unhide Command
unhide is specifically designed to find hidden processes and ports. It works by gathering process information from several independent sources, such as /proc, /bin/ps, and direct system calls, and comparing them to detect inconsistencies.
Tests and Techniques: unhide groups its elementary checks into seven standard tests:
- brute: brute-forces the whole PID space with system calls to find PIDs that exist but are not listed; thorough but slow, typically 5-10 minutes.
- proc: compares /proc with the output of /bin/ps.
- procfs: compares the output of /bin/ps with information gathered by walking procfs.
- procall: combines the proc and procfs tests.
- quick: combines the proc, procfs, and sys tests in a faster way, at the cost of more false positives.
- reverse: verifies that every process seen by /bin/ps is also seen in procfs and by system calls (a check against a doctored ps rather than a doctored kernel).
- sys: compares the output of /bin/ps with information gathered from system calls.
sudo apt install unhide
sudo unhide proc
- proc: checks for hidden processes by comparing /proc with the output of /bin/ps.
- sys: checks for hidden processes by probing the PID space with system calls and comparing the result with /bin/ps.
Hidden TCP/UDP ports are handled by the companion program unhide-tcp (run it as root), which brute-forces the whole port range and reports any port that is bound but not listed by ss or netstat.
unhide also accepts options that change how the tests run:
Syntax:
unhide [options] <test> # replace <test> with one of the tests listed above
Options:
| Option | Description |
|---|---|
| -d | Double-check: re-tests each PID that the brute test flags before reporting it, to reduce false positives. |
| -f | Write the results to a log file (unhide-linux.log in the current directory). |
| -m | Do more checks; currently affects the procfs and procall tests. |
| -v | Verbose output for in-depth analysis. |
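The cross-check that unhide's proc test performs, and that the introduction describes (every standard tool reading the same possibly filtered /proc), as an added example written for this article rather than unhide's own code. It compares three views of the PID space: what ps lists, what a directory listing of /proc returns, and what a direct stat() of /proc/<pid>/status answers for every PID up to pid_max, then re-checks each candidate before reporting it, since a process that exited between two snapshots is the usual false positive. The function names and the scan entry point are ours; the script assumes a Linux host with procps ps, GNU coreutils and a POSIX sh.

```shell
#!/bin/sh
# Added example (not unhide's code): cross-check the PID space from independent sources.
# ps, top, htop, lsof and pgrep all learn about processes by reading /proc with readdir(),
# so a rootkit that filters readdir() hides from all of them at once. It usually cannot
# stop open()/stat() on /proc/<pid> for a PID you already know, so probing every PID
# directly gives an independent second view. Function names below are our own.

# Source 1: what `ps -e` lists (readdir on /proc, then /proc/<pid>/stat per entry).
pids_from_ps() {
  ps -eo pid= | tr -d ' ' | grep -E '^[0-9]+$' | sort -n -u
}

# Source 2: a plain directory listing of /proc (also readdir based).
pids_from_readdir() {
  ls -1 /proc | grep -E '^[0-9]+$' | sort -n -u
}

# Source 3: probe every PID up to pid_max by testing /proc/<pid>/status directly.
# This never calls readdir() on /proc. Slow: pid_max is 4194304 on many systems.
pids_from_probe() {
  max=$(cat /proc/sys/kernel/pid_max)
  pid=1
  while [ "$pid" -le "$max" ]; do
    [ -e "/proc/$pid/status" ] && echo "$pid"
    pid=$((pid + 1))
  done
}

# diff_pids A B: print, in numeric order, the PIDs in list A that are absent from list B.
# A and B are newline-separated lists; blank or non-numeric lines are ignored.
diff_pids() {
  tmp_a=$(mktemp); tmp_b=$(mktemp)
  printf '%s\n' "$1" | grep -E '^[0-9]+$' | sort -u > "$tmp_a"
  printf '%s\n' "$2" | grep -E '^[0-9]+$' | sort -u > "$tmp_b"
  comm -23 "$tmp_a" "$tmp_b" | sort -n
  rm -f "$tmp_a" "$tmp_b"
}

# confirm_hidden PID: the usual false positive is a process that exited (or started)
# between two snapshots. Re-check before reporting, then describe the process.
confirm_hidden() {
  pid=$1
  [ -e "/proc/$pid/status" ] || return 1            # gone: short-lived, not hidden
  pids_from_ps | grep -qx "$pid" && return 1        # listed now: it was just starting
  name=$(awk '/^Name:/ { print $2 }' "/proc/$pid/status")
  exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')   # needs root for others' PIDs
  # `ps -p` opens /proc/<pid> by number; if that works while `ps -e` omits the PID,
  # the directory listing of /proc is what is being filtered.
  if ps -p "$pid" -o pid= >/dev/null 2>&1; then how='readdir-filtered'; else how='not-opened'; fi
  printf 'HIDDEN pid=%s name=%s exe=%s (%s)\n' "$pid" "$name" "$exe" "$how"
}

# scan [--brute]: report PIDs that /proc answers for but `ps -e` does not list.
# Without --brute only the fast readdir view is compared; --brute adds the full probe.
scan() {
  ps_list=$(pids_from_ps)
  other=$(pids_from_readdir)
  [ "${1:-}" = "--brute" ] && other=$(printf '%s\n%s\n' "$other" "$(pids_from_probe)")
  for pid in $(diff_pids "$other" "$ps_list"); do
    confirm_hidden "$pid"
  done
}

case "${1:-}" in
  scan) scan "${2:-}" ;;
  *)    echo "usage: $0 scan [--brute]" >&2 ;;
esac
```

Run it as root (sudo sh hidden_pids.sh scan --brute, assuming you saved it under that name) so that /proc/<pid>/exe is readable for every PID. The readdir-versus-ps comparison alone catches nothing a rootkit filters at the directory level, because both sides read the same filtered listing; that is why the probe view, like unhide's brute and sys tests, bypasses readdir entirely. A kernel module that also intercepts open() on the hidden PID's /proc directory will defeat this script too, which is the point at which memory forensics, not userland tooling, is the next step.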
Tips to Check for Hidden Processes
1. Look for Zombie Processes: Zombie processes have exited but remain in the process table because their parent has not reaped them. They are not hidden, but a growing number of them points at a misbehaving or abandoned parent worth investigating. Identify them by their Z state (grepping the whole ps line for the letter Z matches far more than zombies):
ps -eo pid,ppid,stat,cmd | awk '$3 ~ /^Z/'
2. Monitor Suspicious CPU or Memory Usage: Use top or htop to check for processes consuming unexpected resources. A hidden process still counts towards the system-wide CPU and memory totals, so a gap between those totals and the sum over the listed processes is itself a clue.
3. Verify File System Activity: Use lsof to track processes interacting with specific directories.
4. Analyze Network Activity: Use netstat, ss, or tcpdump to detect unauthorized connections.
Additional Tools
1. rkhunter: Checks for rootkits, backdoors, and related indicators of compromise by comparing files against known signatures and looking for hidden processes and ports.
sudo apt install rkhunter
sudo rkhunter --check
2. strace: Traces the system calls and signals of a running process, which shows what a suspicious PID is actually doing, such as the files it opens and the addresses it connects to. Attach it to a PID reported by unhide or ss:
strace -p <PID>
Conclusion
Finding hidden or unlisted running processes in Linux is essential for troubleshooting, monitoring, and securing your system. Everyday commands like ps and top show what the kernel exposes through /proc, and tools like chkrootkit and unhide cross-check that view against independent sources to uncover what a rootkit tries to conceal. Between them, Linux provides everything you need to find hidden processes. Regular monitoring and proactive analysis keep your system secure and efficient.
What are hidden processes in Linux?
Hidden processes are tasks or programs running in the background but deliberately concealed, often due to malware or rootkits.
How can I detect hidden processes in Linux?
Use tools like ps, top, htop, unhide, or chkrootkit to detect and analyze hidden processes.
What is the difference between unhide and chkrootkit?
unhide specifically detects hidden processes and ports by comparing independent views of the system, while chkrootkit scans for signatures of known rootkits and broader signs of compromise.
Can hidden processes harm my system?
Yes, hidden processes can consume resources, steal sensitive data, or open backdoors for attackers.
What should I do if I find hidden processes?
Investigate further using tools like strace, tcpdump, or the system logs, verify the legitimacy of the processes, and take appropriate security measures such as isolating the host or removing the suspicious processes.