Re: Finding hidden backdoors

[Daniel Cid <danielcid () yahoo com br>]

I dont agree with you.
First of all, using this method (try to bind all
ports) you will discover what ports are open. doesnt
matter if it has a firewall or anything else. I didnt
get your point.
Second, i do this in third-part machines. Not mine :)
And almost all of them run with LKM support.

And LKM can hidde process/ports from clean binaries...

--
Daniel B. Cid

> --- Tim Greer <chatmaster () charter net> escreveu: >
> The backdoor could easily only accept connections
> from non local sources, or
> a specific source.  It's probably easier to just run
> netstat, lsof, etc.
> from a clean. trusted media... or also boot into
> single user mode from a
> trusted kernel image.  In fact, you should always
> have trusted kernel images
> on the server anyway, for purposes of being able to
> boot if the other image
> is corrupted or modified.  As for LKM, I don't
> compile with lkm support in
> my kernels for many reasons (security being one of
> them), but a lot of
> people do, so...
> --
> Regards,
> Tim Greer  chatmaster () charter net
> Server administration, security, programming,
> consulting.
>
>
> ----- Original Message -----
> From: "Daniel B. Cid" <danielcid () yahoo com br>
> To: <security-basics () securityfocus com>
> Sent: Thursday, July 31, 2003 1:18 PM
> Subject: Finding hidden backdoors
>
>
> > I saw some people talking about rootkits that
> hidden process/ports.
> > One think that i always do to see what ports are
> open is to run this
> > perl script:
> >
> >
> > use IO::Socket;
> > for($i=0;$i<=65555;$i++)
> >         {
> >         $server[$i] = IO::Socket::INET->new(
> >         Proto => 'tcp',
> >         LocalPort => $i,
> >         Listen => SOMAXCONN,
> >         Reuse => 1) or print "Port $i Open \n"
> unless $server[$i];
> >         close ($server[$i]);
> >         }
> >
> > This is good because if "netstat" or "lsof" or
> "fuser" or any other
> > program is trojaned , or if it has any firewall
> and nmap is not finding
> > all the open ports, this script will show ... The
> other benefit is that
> > you cant hidden from it using any LKM code...
> > What do you thing ?
> >
> > thanks
> >
> > Daniel B. Cid
--------------------------------------------------------------------------
> -
> >
--------------------------------------------------------------------------
> --
> >
---------------------------------------------------------------------------
>
----------------------------------------------------------------------------
>  

_______________________________________________________________________
Conheça o novo Cadê? - Mais rápido, mais fácil e mais preciso.
Toda a web, 42 milhões de páginas brasileiras e nova busca por imagens!
http://www.cade.com.br

---------------------------------------------------------------------------
----------------------------------------------------------------------------