Security Basics mailing list archives
RE: Finding hidden backdoors
From: "Thomas Ng" <thomas () singcert org sg>
Date: Fri, 1 Aug 2003 09:43:20 +0800
Hi, I think it is a pretty good idea to try to listen to the port yourself. Nice provision to listen to other protocols too. However, has anyone encountered any backdoor where it runs a sniffer and only does certain actions when it sees a pre-defined header. Something like a covert channel but not quite. For example, it could sniff see a header with syn,fin,ack flags set then look further into the packet for commands and run that command locally and reply with the result. That way, no port is opened. You can't portscan yourself to check for suspicious opened ports. This script that you are running won't do as well. How to deal with these? Thomas Ng
-----Original Message----- From: Daniel B. Cid [mailto:danielcid () yahoo com br] Sent: Friday, August 01, 2003 4:19 AM To: security-basics () securityfocus com Subject: Finding hidden backdoors I saw some people talking about rootkits that hidden process/ports. One think that i always do to see what ports are open is to run this perl script: use IO::Socket; for($i=0;$i<=65555;$i++) { $server[$i] = IO::Socket::INET->new( Proto => 'tcp', LocalPort => $i, Listen => SOMAXCONN, Reuse => 1) or print "Port $i Open \n" unless $server[$i]; close ($server[$i]); } This is good because if "netstat" or "lsof" or "fuser" or any other program is trojaned , or if it has any firewall and nmap is not finding all the open ports, this script will show ... The other benefit is that you cant hidden from it using any LKM code... What do you thing ? thanks Daniel B. Cid -------------------------------------------------------------------------- - -------------------------------------------------------------------------- --
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- RE: Finding hidden backdoors Michael Silk (Aug 01)
- RE: Finding hidden backdoors Daniel Cid (Aug 01)
- <Possible follow-ups>
- RE: Finding hidden backdoors Thomas Ng (Aug 01)
- RE: Finding hidden backdoors Daniel Cid (Aug 01)
- Re: Finding hidden backdoors gminick (Aug 01)
- Re: Finding hidden backdoors Daniel Cid (Aug 01)
- Re: Finding hidden backdoors Tim Greer (Aug 01)
- Re: Finding hidden backdoors Matt Simmons (Aug 01)
- Re: Finding hidden backdoors Simon Smith (Aug 04)