Security Basics mailing list archives
Re: Finding hidden backdoors
From: "Tim Greer" <chatmaster () charter net>
Date: Thu, 31 Jul 2003 23:25:06 -0700
What don't you agree about? What makes you think this will connect locally, or that it's listening at the time you try? I'm not saying that your method will not work, but depending, it might not and it's not very foolproof... not to say it's worthless or anything, though. I'm well aware what processes can be hidden and like I said, many people use lkm support. Anyway, there are just too many variables involved--I said nothing about firewalls either--but a trojaned service could easily deny any local system or network accesses. There are many reasons why this might fail--though I'm not saying it won't work for a lot of compromised systems. I just think there are easier and safer ways to check without bothering to try and connect to all the possible ports on a system and hoping they are listening at the time you run it.

--
Regards,
Tim Greer
chatmaster () charter net
Server administration, security, programming, consulting.

----- Original Message -----
From: "Daniel Cid" <danielcid () yahoo com br>
To: "Tim Greer" <chatmaster () charter net>; <security-basics () securityfocus com>
Sent: Thursday, July 31, 2003 11:13 PM
Subject: Re: Finding hidden backdoors

I don't agree with you. First of all, using this method (try to bind all ports) you will discover what ports are open. It doesn't matter if it has a firewall or anything else. I didn't get your point. Second, I do this on third-party machines. Not mine :) And almost all of them run with LKM support. And LKM can hide processes/ports from clean binaries...

--
Daniel B. Cid

--- Tim Greer <chatmaster () charter net> wrote:

> The backdoor could easily only accept connections from non-local sources, or a specific source. It's probably easier to just run netstat, lsof, etc. from clean, trusted media... or also boot into single user mode from a trusted kernel image. In fact, you should always have trusted kernel images on the server anyway, for purposes of being able to boot if the other image is corrupted or modified. As for LKM, I don't compile with lkm support in my kernels for many reasons (security being one of them), but a lot of people do, so...
>
> --
> Regards,
> Tim Greer
> chatmaster () charter net
> Server administration, security, programming, consulting.
>
> ----- Original Message -----
> From: "Daniel B. Cid" <danielcid () yahoo com br>
> To: <security-basics () securityfocus com>
> Sent: Thursday, July 31, 2003 1:18 PM
> Subject: Finding hidden backdoors
>
> I saw some people talking about rootkits that hide processes/ports. One thing that I always do to see what ports are open is to run this Perl script:
>
>     use strict;
>     use warnings;
>     use IO::Socket;
>
>     # Try to bind every TCP port (1..65535; 0 would just pick a free
>     # ephemeral port). A bind that fails means the port is already
>     # taken, whatever netstat, lsof or fuser say.
>     for my $port (1 .. 65535) {
>         my $server = IO::Socket::INET->new(
>             Proto     => 'tcp',
>             LocalPort => $port,
>             Listen    => SOMAXCONN,
>             Reuse     => 1,
>         );
>         if ($server) {
>             close($server);
>         } else {
>             print "Port $port Open\n";
>         }
>     }
>
> This is good because if "netstat" or "lsof" or "fuser" or any other program is trojaned, or if it has any firewall and nmap is not finding all the open ports, this script will show... The other benefit is that you can't hide from it using any LKM code... What do you think?
>
> thanks
> Daniel B. Cid
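The bind-every-port check the thread argues over, as an added example that is not part of any message here: each TCP port is classified by whether bind() fails with EADDRINUSE, non-root EACCES failures on privileged ports are kept separate so they are not misreported as listeners, and a constructed self-check opens a loopback listener to show the probe catching it. It assumes Linux/BSD SO_REUSEADDR semantics and, as Tim points out, only sees what is bound at the moment it runs.

```python
import errno
import socket

def port_status(port, bind_addr="0.0.0.0"):
    """Try to bind one TCP port, as the Perl script does. "in-use" means
    EADDRINUSE: something is bound there whatever netstat or lsof claim.
    "no-permission" means a privileged port probed without root, not a listener."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Like Reuse => 1 in the Perl script: sockets lingering in TIME_WAIT are
        # not reported, but a socket that is actually listening still makes
        # bind() fail. 0.0.0.0 is deliberate: it collides with a listener bound
        # to any local address; 127.0.0.1 would miss one bound to an external IP.
        probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        probe.bind((bind_addr, port))
        return "free"
    except PermissionError:
        return "no-permission"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in-use"
        raise
    finally:
        probe.close()

def find_bound_ports(ports=range(1, 65536)):
    """Return (bound, unprobed): bound ports, and ports skipped for lack of root."""
    bound, unprobed = [], []
    for port in ports:
        status = port_status(port)
        if status == "in-use":
            bound.append(port)
        elif status == "no-permission":
            unprobed.append(port)
    return bound, unprobed

def self_check():
    """Constructed demo: listen on a kernel-chosen loopback port and confirm the
    probe sees it while open and not after it is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = port_status(port)
    found = port in find_bound_ports([port])[0]
    listener.close()
    return while_open, found, port_status(port)

if __name__ == "__main__":
    print("bound TCP ports / not probed (need root):", find_bound_ports())
```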
Current thread:
- RE: Finding hidden backdoors Michael Silk (Aug 01)
- RE: Finding hidden backdoors Daniel Cid (Aug 01)
- <Possible follow-ups>
- RE: Finding hidden backdoors Thomas Ng (Aug 01)
- RE: Finding hidden backdoors Daniel Cid (Aug 01)
- Re: Finding hidden backdoors gminick (Aug 01)
- Re: Finding hidden backdoors Daniel Cid (Aug 01)
- Re: Finding hidden backdoors Tim Greer (Aug 01)
- Re: Finding hidden backdoors Matt Simmons (Aug 01)
- Re: Finding hidden backdoors Simon Smith (Aug 04)