Security Basics mailing list archives
Re: Hidden Ports
From: <vrsnet () pandora be>
Date: Fri, 6 Feb 2004 15:08:30 +0100
Eduardo Sorensen wrote:Can a port scanner not see a port that is opened? The question is: can a backdoor be on a machine, and with nmap -p 1-, for example, you couldn't see it?Yes, this is quite common these days. Rootkits like SucKIT can monitor all IP sessions on a host, and only open up the backdoor port when a certain trigger arrives via one of the already-open services. For
example,
if an attacker sends a certain string of bytes to the HTTP server on port 80 (even if the string is invalid HTTP). Some tools also look for connections to ports in certain order (eg, the same host contacts port 80, port 22 and then port 443 within a few seconds). Unless the trigger is received, then the backdoor isn't listening, and thus wouldn't show up in a portscan. There may be other more innovative triggers, too. It's a hard problem.
If
you think you might have a backdoor, you shouldn't depend solely on portscanners like nmap to detect it. Anti-virus, tripwire and tools like chkrootkit are also necessary. David -- David J. Bianco
For windows users this could be a usefull tool to detect rootkits http://www.haxorcitos.com/ficheros/RKDetectorv0.61.zip --------------------------------------------------------------------------- Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any course! All of our class sizes are guaranteed to be 10 students or less. We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, and many other technical hands on courses. Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off any course! ----------------------------------------------------------------------------
Current thread:
- Hidden Ports Eduardo Sorensen (Feb 03)
- Re: Hidden Ports Alejandro Flores (Feb 04)
- Re: Hidden Ports Geoff Beier (Feb 04)
- RE: Hidden Ports Dimitri Bertolami (Feb 04)
- RE: Hidden Ports nate (Feb 04)
- Re: Hidden Ports Jamie Pratt (Feb 06)
- Re: Hidden Ports David J. Bianco (Feb 04)
- Re: Hidden Ports Michael Painter (Feb 05)
- Re: Hidden Ports David J. Bianco (Feb 05)
- Re: Hidden Ports Michael Painter (Feb 06)
- Re: Hidden Ports Michael Painter (Feb 05)
- Re: Hidden Ports vrsnet (Feb 06)
- Necessary ports and not necessary ports Benawi (Feb 05)
- Securing Windows Server 2003 [was: Necessary ports and not necessary ports] Joey Peloquin (Feb 05)
- Re: Necessary ports and not necessary ports JGrimshaw (Feb 06)
- Re: Necessary ports and not necessary ports NSC (Feb 06)
- Re: [work] Hidden Ports opticfiber (Feb 05)
- Re: Hidden Ports Vincent (Feb 06)
- <Possible follow-ups>
- Re: Hidden Ports Alessandro (Feb 04)
- Re: Hidden Ports H Carvey (Feb 05)
- Re: Hidden Ports H Carvey (Feb 06)
- RE: Hidden Ports Dimitri Bertolami (Feb 06)