Security Basics mailing list archives

Re: Finding hidden backdoors


From: Simon Smith <simon () snosoft com>
Date: Mon, 04 Aug 2003 00:30:53 -0700

Daniel,
Another thing that you could do is simply to first validate the MD5s on the binaries that "might" be affected. If your checksums are off then you know you've got an issue. If you do not trust your md5sum binary, then download a new one from the web. Sure you can write your own code to check for back doors, but why re-invent the wheel when you can just ftp good code out? Furthermore, I think that the basic idea is to not get compromised. One thing that we recommend to all of our clients is quarterly security audits by a third party. The third party aspect of that is critical as people often can't check their own work and find flaws that they didn't know about...

At any rate, that's my two cents.


At 04:18 PM 7/31/2003 -0400, Daniel B. Cid wrote:
I saw some people talking about rootkits that hide processes/ports.
One thing that I always do to see what ports are open is to run this
perl script:


use strict;
use warnings;
use IO::Socket;

# Try to bind every TCP port; a failed bind means something already listens there.
for my $port (1 .. 65535) {            # original loop ran to 65555; valid ports end at 65535
    my $server = IO::Socket::INET->new(
        Proto     => 'tcp',
        LocalPort => $port,
        Listen    => SOMAXCONN,
        Reuse     => 1,
    );
    if ($server) {
        close($server);                # nothing there: we got the port, release it
    } else {
        print "Port $port Open \n";    # note: ports below 1024 also fail without root
    }
}

This is good because if "netstat" or "lsof" or "fuser" or any other
program is trojaned, or if there is any firewall and nmap is not finding
all the open ports, this script will show ... The other benefit is that
you can't hide from it using any LKM code...
What do you think?

thanks

Daniel B. Cid


---------------------------------------------------------------------------

Regards,
        Adriel T Desautels
        Secure Network Operations, Inc.
        http://www.secnetops.com
        DID: 978-263-3829 CELL: 978-790-6901
        ---------------------------------------------------------
        SECNETOPS "Embracing the future of technology, protecting you."
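The bind-every-port trick from Daniel's script, with the cross-check a defender actually wants: compare the ports that refuse a bind against the listeners the kernel itself reports in /proc/net/tcp, so a listener present on the wire but missing from the system's own listing stands out. This is an added example written for this archive page, not code from the thread; the /proc/net/tcp sample is constructed, and ports that fail with EACCES (below 1024 without root) are reported separately instead of being counted as open.

```python
import errno
import socket

# Constructed /proc/net/tcp excerpt (not from a real host): listeners on 22 and 80
# (st == 0A), plus one ESTABLISHED connection (st == 01) that must not count.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0A000002:0016 0A000001:D431 01 00000000:00000000 00:00000000 00000000     0        0 1003 1
"""

def listening_ports(proc_net_tcp_text):
    """Ports the kernel *reports* as LISTEN (st == 0A) in /proc/net/tcp text.
    IPv6 listeners live in /proc/net/tcp6 with the same layout."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:      # skip the header line
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # port is hex after ':'
    return ports

def bind_probe(ports):
    """Try to bind each port, like the Perl script. Returns (busy, undetermined):
    EADDRINUSE -> busy (something owns it); any other error (e.g. EACCES) -> undetermined."""
    busy, undetermined = [], []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # ignore TIME_WAIT leftovers
        try:
            s.bind(("0.0.0.0", port))
        except OSError as e:
            (busy if e.errno == errno.EADDRINUSE else undetermined).append(port)
        finally:
            s.close()
    return busy, undetermined

def hidden_listeners(busy_ports, reported_ports):
    """Ports that refuse a bind but are absent from the kernel's own listing: investigate these."""
    return sorted(set(busy_ports) - set(reported_ports))

if __name__ == "__main__":
    busy, unknown = bind_probe(range(1, 65536))
    with open("/proc/net/tcp") as f:
        reported = listening_ports(f.read())
    print("in use but not reported as LISTEN:", hidden_listeners(busy, reported))
    if unknown:
        print("could not test (run as root):", len(unknown), "ports")
```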
