Re: Finding hidden backdoors

["Tim Greer" <chatmaster () charter net>]

What don't you agree about?  What makes you think this will connect locally,
or that it's listening at the time you try?  I;m not saying that your method
will not work, but depending, it might not and it's not very fool proof...
not to say it's worthless or anything, though.  I'm well aware what
processes can be hidden and like I said, many people use lkm support.
Anyway, there's just too many variables involved--I said nothing about
firewalls either--but a trojaned service could easily deny any local system
or network accesses.  There's many reasons why this might fail--though I'm
not saying it won't work for a lot of compromised systems.  I just think
there's easier and safer ways to check without bothering to try and connect
to all the possible ports on a system and hoping they are listening at the
time you run it.
--
Regards,
Tim Greer  chatmaster () charter net
Server administration, security, programming, consulting.


----- Original Message -----
From: "Daniel Cid" <danielcid () yahoo com br>
To: "Tim Greer" <chatmaster () charter net>;
<security-basics () securityfocus com>
Sent: Thursday, July 31, 2003 11:13 PM
Subject: Re: Finding hidden backdoors


> I dont agree with you.
> First of all, using this method (try to bind all
> ports) you will discover what ports are open. doesnt
> matter if it has a firewall or anything else. I didnt
> get your point.
> Second, i do this in third-part machines. Not mine :)
> And almost all of them run with LKM support.
>
> And LKM can hidde process/ports from clean binaries...
>
> --
> Daniel B. Cid
>
> > --- Tim Greer <chatmaster () charter net> escreveu: >
> > The backdoor could easily only accept connections
> > from non local sources, or
> > a specific source.  It's probably easier to just run
> > netstat, lsof, etc.
> > from a clean. trusted media... or also boot into
> > single user mode from a
> > trusted kernel image.  In fact, you should always
> > have trusted kernel images
> > on the server anyway, for purposes of being able to
> > boot if the other image
> > is corrupted or modified.  As for LKM, I don't
> > compile with lkm support in
> > my kernels for many reasons (security being one of
> > them), but a lot of
> > people do, so...
> > --
> > Regards,
> > Tim Greer  chatmaster () charter net
> > Server administration, security, programming,
> > consulting.
> >
> >
> > ----- Original Message -----
> > From: "Daniel B. Cid" <danielcid () yahoo com br>
> > To: <security-basics () securityfocus com>
> > Sent: Thursday, July 31, 2003 1:18 PM
> > Subject: Finding hidden backdoors
> >
> >
> > > I saw some people talking about rootkits that
> > hidden process/ports.
> > > One think that i always do to see what ports are
> > open is to run this
> > > perl script:
> > >
> > >
> > > use IO::Socket;
> > > for($i=0;$i<=65555;$i++)
> > >         {
> > >         $server[$i] = IO::Socket::INET->new(
> > >         Proto => 'tcp',
> > >         LocalPort => $i,
> > >         Listen => SOMAXCONN,
> > >         Reuse => 1) or print "Port $i Open \n"
> > unless $server[$i];
> > >         close ($server[$i]);
> > >         }
> > >
> > > This is good because if "netstat" or "lsof" or
> > "fuser" or any other
> > > program is trojaned , or if it has any firewall
> > and nmap is not finding
> > > all the open ports, this script will show ... The
> > other benefit is that
> > > you cant hidden from it using any LKM code...
> > > What do you thing ?
> > >
> > > thanks
> > >
> > > Daniel B. Cid
> --------------------------------------------------------------------------
> > -
> > >
> --------------------------------------------------------------------------
> > --
> > >
> --------------------------------------------------------------------------
-
> >
> --------------------------------------------------------------------------
--
> >
>
> _______________________________________________________________________
> Conheça o novo Cadê? - Mais rápido, mais fácil e mais preciso.
> Toda a web, 42 milhões de páginas brasileiras e nova busca por imagens!
> http://www.cade.com.br


---------------------------------------------------------------------------
----------------------------------------------------------------------------