How to Find Hidden Processes in Linux
Last Updated: 27 Jan, 2025
Hidden or unlisted running processes in Linux can indicate issues like misconfigured applications or potential security threats, including malware or rootkits. Identifying and addressing these hidden processes is crucial for maintaining a secure and efficient system. This guide provides simple and advanced methods to uncover hidden processes using Linux commands and tools.
Why Look for Hidden Processes?
- Troubleshooting Performance Issues: Hidden processes might consume system resources without your knowledge.
- Enhancing Security: Detecting potential malware or unauthorized tasks running on your system.
- System Monitoring: Ensure that all processes align with expected system activity.
Linux itself does not deliberately hide processes. Hidden processes typically arise from external factors such as malware, rootkits, or poorly configured applications. Malicious software may conceal its presence by tampering with the process table, filtering what the /proc filesystem reports (for example by hooking the readdir/getdents calls that ps and top use to enumerate /proc), replacing the ps and top binaries themselves, or hooking system calls, so that the process is invisible to standard tools like ps or top. Every detection technique below works by comparing views of the process list that a rootkit would have to falsify consistently.
Commands to Find Hidden Processes in Linux
Here are common commands, their options, and how they can help you find hidden processes:
1. ps Command
The ps command lists the processes running on the system. For more details refer to the article ps Command.
ps aux
- a: Show processes for all users.
- u: Display user-oriented format.
- x: Include processes without a controlling terminal.
Example to Find Suspicious Processes
ps -ef | grep <process_name>
Note that grep also matches its own command line (the grep <process_name> process appears in the output), so either bracket the first character of the pattern, as in grep '[s]shd', or use pgrep (section 6).
2. top Command
top provides a real-time view of running processes. For more details refer to the article top Command.
top
Note: Press Shift + H while top is running to toggle threads mode, which lists every thread individually instead of one line per process, so an unexpected thread inside an otherwise ordinary process becomes visible. Kernel threads are listed in both modes.
3. htop Command
htop is a user-friendly alternative to top. For more details refer to the article htop Command.
htop
Note: Navigate through the process list and look for anomalies: unrecognized process names, binaries running from /tmp or /dev/shm, or processes whose parent is not what you would expect. htop reads the same /proc data as ps and top, so a rootkit that filters /proc hides from it as well; use it for triage, not as a rootkit detector.
4. lsof Command
lsof lists open files and the processes that hold them. For more details refer to the article lsof Command.
Syntax:
lsof +D /path_to_directory # recursively list every open file under the directory and the process holding it
Note: The above command reveals processes interacting with a specific directory, for example a process holding a file open under /tmp, or a binary that was deleted after it started (lsof marks such files "(deleted)"). lsof also builds its list from /proc, so it is subject to the same hiding as ps.
5. netstat or ss Command
These commands list network sockets and the processes that own them. netstat belongs to the deprecated net-tools package; ss from iproute2 is its replacement and is what current distributions ship. For more details refer to the articles netstat Command and ss Command.
netstat -tulnp # list listening TCP and UDP ports together with the owning process
or
ss -tulnp
- t: TCP sockets.
- u: UDP sockets.
- l: Listening sockets only.
- n: Show numeric addresses and ports instead of resolving names.
- p: Show the process using each socket (root is needed to see other users' processes).
6. pgrep Command
pgrep searches for processes by name and is the cleaner alternative to ps | grep, because it never matches itself.
pgrep -l <process_name>
- -l: Show process names along with their IDs (-a shows the full command line instead).
7. tcpdump Command
tcpdump captures network traffic, which can expose a hidden process indirectly: a periodic beacon to an unknown host, or traffic on a port that ss does not list, points at something the process listing is not showing. For more details refer to the article tcpdump Command in Linux.
tcpdump -i eth0 # replace eth0 with your network interface
8. chkrootkit
chkrootkit scans the system for signs of known rootkits and for processes hidden from ps (its chkproc check compares /proc with the ps output). For more details refer to the article Chkrootkit Tool.
sudo apt install chkrootkit
sudo chkrootkit
It detects rootkits, hidden processes, and other potential security threats on a system.
9. unhide
unhide is designed specifically to find hidden processes and, through its companion command unhide-tcp, hidden TCP/UDP ports. It works by gathering the process list from several sources that a rootkit would have to falsify consistently, such as the /proc filesystem, /bin/ps, and direct system calls, and reporting any inconsistency between them.
Tests and Techniques: unhide groups its elementary checks into seven standard tests:
- brute: Brute-forces every PID with all detection techniques; thorough but slow (it can take 5-10 minutes).
- proc: Compares /proc with /bin/ps.
- procfs: Compares /bin/ps with information gathered by walking procfs.
- procall: Combines the proc and procfs techniques.
- quick: Combines the proc, procfs, and sys tests for faster results but may produce false positives.
- reverse: Verifies that processes seen by /bin/ps are also seen in procfs and by system calls (useful for detecting a trojaned ps).
- sys: Compares /bin/ps with system calls.
sudo apt install unhide
sudo unhide proc
- proc: Checks for processes hidden from the /proc filesystem.
- sys: Compares the process list with what the system calls report.
Hidden TCP/UDP ports are checked by the separate unhide-tcp command, not by unhide itself.
We can also pass more options to unhide:
Syntax:
unhide [options] <test> # replace <test> with one of the tests listed above
Options:
| Option | Description |
|---|---|
| -d | Double-check the candidate PIDs found by the brute test, to reduce false positives. |
| -f | Write the results to a log file (unhide-linux.log) in addition to the screen. |
| -m | Do more checks; only some tests, such as procfs and procall, make use of it. |
| -v | Verbose output for in-depth analysis. |
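The proc, sys and reverse tests above can be reproduced by hand, which is a useful sanity check on a host where unhide cannot be installed or its binary cannot be trusted. The following script is an added example, not part of the original article and not unhide's own code: it takes three independent snapshots of the process list (a readdir of /proc, the output of ps, and a probe of every PID up to pid_max with kill -0 plus a direct /proc/<pid> lookup) and reports PIDs present in one view but missing from another, re-checking each candidate the way unhide's -d option does. The file name hidden-pids.sh and the --live option are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the original article: cross-check three independent
# views of the process list and report PIDs that one view shows but another
# does not. It is the manual form of unhide's proc, sys and reverse tests.
# Run as root so that a failing `kill -0` means "no such process" and not
# "permission denied".
#   view 1: readdir of /proc      -> what ps, top and htop read
#   view 2: the ps binary         -> a trojaned /bin/ps would lie here
#   view 3: probing PID 1..max    -> kill -0 plus a direct /proc/<pid>
#           path lookup, which survives a hooked getdents()/readdir()
set -u

# Print every PID in list $1 that is absent from list $2 (whitespace
# separated, any order). Pure function, so it can be checked on fixed input.
pids_missing_from() {
    [ -n "$1" ] || return 0
    a=$(mktemp) && b=$(mktemp) || return 1
    printf '%s\n' $1 | LC_ALL=C sort -u > "$a"
    printf '%s\n' $2 | LC_ALL=C sort -u > "$b"
    LC_ALL=C comm -23 "$a" "$b" | grep -v '^$' || true   # comm -23: only in $a
    rm -f "$a" "$b"
}

pids_from_proc() {                      # view 1
    for d in /proc/[0-9]*; do printf '%s\n' "${d#/proc/}"; done
}

pids_from_ps() {                        # view 2
    ps -eo pid= | tr -d ' '
}

pids_by_probe() {                       # view 3; slow when pid_max is 4194304
    max="${1:-$(cat /proc/sys/kernel/pid_max)}"
    pid=1
    while [ "$pid" -le "$max" ]; do
        if kill -0 "$pid" 2>/dev/null || [ -e "/proc/$pid/status" ]; then
            printf '%s\n' "$pid"
        fi
        pid=$((pid + 1))
    done
}

process_exists() { kill -0 "$1" 2>/dev/null || [ -e "/proc/$1/status" ]; }
listed_in_proc() { ls /proc | grep -qx "$1"; }                 # fresh readdir
listed_in_ps()   { ps -eo pid= | tr -d ' ' | grep -qx "$1"; }

describe() {
    exe=$(readlink "/proc/$1/exe" 2>/dev/null || echo '?')
    cmd=$(tr '\000' ' ' 2>/dev/null < "/proc/$1/cmdline" || echo '?')
    printf '%s\texe=%s\tcmd=%s\n' "$1" "$exe" "$cmd"
}

# The snapshots are taken at different moments, so a PID that started or
# exited in between (the scan's own subshells included) shows up as a
# spurious difference. Each candidate is re-checked against a fresh reading
# of the view that missed it, the same idea as unhide's -d double check.
report() {
    proc_view=$(pids_from_proc)
    ps_view=$(pids_from_ps)
    probe_view=$(pids_by_probe "${1:-}")

    echo "# in /proc but not in ps (ps itself may be lying):"
    for p in $(pids_missing_from "$proc_view" "$ps_view"); do
        if process_exists "$p" && ! listed_in_ps "$p"; then describe "$p"; fi
    done
    echo "# answers a PID probe but missing from readdir(/proc):"
    for p in $(pids_missing_from "$probe_view" "$proc_view"); do
        if process_exists "$p" && ! listed_in_proc "$p"; then describe "$p"; fi
    done
}

# Stand-alone use: sh hidden-pids.sh --live [max_pid]
if [ "${1:-}" = "--live" ]; then report "${2:-}"; fi
```

Read the two lists differently. A PID in the first list means the kernel is happy to show it but ps is not: compare the ps binary against the package manager's checksum before trusting anything else it prints. A PID in the second list means the kernel's own directory listing of /proc omits an entry that a direct path lookup still resolves, which is the signature of a getdents-hooking kernel rootkit; at that point the shell, ls and readlink used by this script are themselves suspect, and the host should be examined from a trusted boot image. On hosts with pid_max at its modern default of 4194304 the probe loop takes minutes; pass a smaller limit for a quick look, or run it from cron and diff successive outputs.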
Tips to Check for Hidden Processes
1. Look for Zombie Processes: Zombie processes have exited but remain in the process table until their parent reaps them. They are not hidden, but an accumulation of them points at a misbehaving parent. Identify them by process state rather than by grepping for the letter Z, which would match any command line containing that letter:
ps -eo pid,ppid,stat,cmd | awk '$3 ~ /^Z/'
2. Monitor Suspicious CPU or Memory Usage: Use top or htop to spot processes consuming unexpected resources; load that no listed process accounts for is itself a sign that something is hidden.
3. Verify File System Activity: Use lsof to find processes holding files open in unexpected places, such as /tmp or /dev/shm, or running from a binary that has since been deleted.
4. Analyze Network Activity: Use netstat, ss, or tcpdump to detect unauthorized listeners and connections; traffic that tcpdump sees on a port ss does not list is a strong indicator.
Additional Tools
1. rkhunter: Detects rootkits, backdoors, and possible local exploits by checking file hashes, permissions, and the usual hiding places.
sudo apt install rkhunter
sudo rkhunter --check
2. strace: Traces the system calls and signals of a running process, which shows what a suspicious PID actually does (the files it opens, the addresses it connects to).
strace -p <PID>
Attaching requires permission to ptrace the target: run it as root, or as the process owner where the kernel's ptrace_scope setting allows it.
Conclusion
Finding hidden or unlisted processes in Linux is essential for troubleshooting, monitoring, and securing your system. Between the basic commands such as ps and top and the dedicated tools such as chkrootkit and unhide, Linux provides everything you need to uncover hidden processes. Regular monitoring and proactive analysis can keep your system secure and efficient.
What are hidden processes in Linux?
Hidden processes are tasks or programs running in the background but deliberately concealed, often due to malware or rootkits.
How can I detect hidden processes in Linux?
Use tools like ps, top, htop, unhide, or chkrootkit to detect and analyze hidden processes.
What is the difference between unhide and chkrootkit?
unhide specifically detects hidden processes by looking for discrepancies between the sources of process information, while chkrootkit scans for the signatures of known rootkits and other broader indicators of compromise.
Can hidden processes harm my system?
Yes, hidden processes can consume resources, steal sensitive data, or open backdoors for attackers.
What should I do if I find hidden processes?
Investigate further using tools like tcpdump or logs, verify the legitimacy of the processes, and take appropriate security measures such as isolating the host or removing suspicious processes.