RE: Finding hidden backdoors

["Thomas Ng" <thomas () singcert org sg>]

Hi,
I think it is a pretty good idea to try to listen to the port yourself. Nice
provision to listen to other protocols too.

However, has anyone encountered any backdoor where it runs a sniffer and
only does certain actions when it sees a pre-defined header. Something like
a covert channel but not quite. For example, it could sniff see a header
with syn,fin,ack flags set then look further into the packet for commands
and run that command locally and reply with the result.

That way, no port is opened. You can't portscan yourself to check for
suspicious opened ports. This script that you are running won't do as well. 

How to deal with these?

Thomas Ng

> -----Original Message-----
> From: Daniel B. Cid [mailto:danielcid () yahoo com br]
> Sent: Friday, August 01, 2003 4:19 AM
> To: security-basics () securityfocus com
> Subject: Finding hidden backdoors
>
> I saw some people talking about rootkits that hidden process/ports.
> One think that i always do to see what ports are open is to run this
> perl script:
>
>
> use IO::Socket;
> for($i=0;$i<=65555;$i++)
>         {
>         $server[$i] = IO::Socket::INET->new(
>         Proto => 'tcp',
>         LocalPort => $i,
>         Listen => SOMAXCONN,
>         Reuse => 1) or print "Port $i Open \n" unless $server[$i];
>         close ($server[$i]);
>         }
>
> This is good because if "netstat" or "lsof" or "fuser" or any other
> program is trojaned , or if it has any firewall and nmap is not finding
> all the open ports, this script will show ... The other benefit is that
> you cant hidden from it using any LKM code...
> What do you thing ?
>
> thanks
>
> Daniel B. Cid
>
>
>
>
>
>
> --------------------------------------------------------------------------
> -
> --------------------------------------------------------------------------
> --



---------------------------------------------------------------------------
----------------------------------------------------------------------------