Unhide is a forensic tool to find processes hidden by rootkits, Linux kernel modules or by other techniques. It detects hidden processes using six techniques:

Compare /proc vs /bin/ps output
Compare info gathered from /bin/ps with info gathered by walking thru the procfs. ONLY for Linux 2.6 version
Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
Full PIDs space ocupation (PIDs bruteforcing). ONLY for Linux 2.6 version
Compare /bin/ps output vs /proc, procfs walking and syscall. ONLY for Linux 2.6 version
Reverse search, verify that all thread seen by ps are also seen in the kernel.
6- Quick compare /proc, procfs walking and syscall vs /bin/ps output. ONLY for Linux 2.6 version.
Unhide-TCP

unhide-tcp is a forensic tool that identifies TCP/UDP ports that are listening but are not listed in /bin/netstat through brute forcing of all TCP/UDP ports available.

How to Use ?

-f    Write a log file (unhide.log) in the current directory.
-h    Display help
-m  Do more checks. As of 2010-11-21 version, this option has only effect for the procfs, procall, checkopendir and checkchdir tests.
-r   Use alternate version of sysinfo check in standard tests
-V  Show version and exit
-v   Be verbose, display warning message (default : don't display). This option may be repeated more than once.

Compiling :
gcc –static unhide.c -o unhide
gcc -Wall -O2 –static unhide-tcp.c -o unhide-tcp
gcc -Wall -O2 –static -pthread unhide-linux26.c -o unhide-linux26
gcc -Wall -O2 -static -o unhide_rb unhide_rb.c

download for linux:

http://sourceforge.net/projects/unhide