Educause Security Discussion mailing list archives

Re: Rootkit discovery tools


From: Jeni Li <jeni.li () ASU EDU>
Date: Wed, 28 Jun 2006 11:56:23 -0700

you know, I have always wondered why the hackers weren't smart enough
to put a firewall on their backdoor ports so that they could only
be accessed (or detected) from specific addresses owned by the
hackers. (I.e. so we couldn't find them in a scan).

Yah, but wouldn't that make them easier to track back to from a compromised machine? Knowing where they're coming from 
would make it easier to identify other work they have in progress, not to mention the flexibility they'd lose with the 
limitation... unless maybe they could make an initial ping (of some sort) using a spoofed IP in order to transmit the 
/real/ IP to allow traffic from.

At a Blackhat several years ago, an attendee bent my ear for a while about a back door that required the owner to hit a 
series of different ports -- sort of like a combination lock -- and only then would it fire up the back door that 
actually listened for commands. I've never encountered anything like that, but the concept is intriguing.
j
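Both tricks mentioned in this thread, a backdoor firewalled to the intruder's own source addresses and one gated behind a "combination lock" of port hits, are invisible to an external port scan, so they have to be found in host state or in traffic and flow logs instead. As an added example that is not part of the original post or of any product named in the thread, the Python script below looks for the knock pattern in connection records: several unanswered SYNs from one source to distinct ports on one host within a short window, followed by a completed connection from that same source to a port on that host that had never accepted a connection before. The record format, the sample flows, the 30-second window and the three-knock threshold are all assumptions constructed for the example.

```python
"""Flag port-knock-like sequences in connection records (constructed sample data).

Hypothetical detector, not any vendor's product. A "combination lock" backdoor
never shows up in a port scan, so the only external trace is the knock
sequence itself followed by a connection to a port that was closed until then.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (assumed format): timestamp, src, dst, dport, state.
# "syn_only" = SYN seen, no reply; "established" = full TCP handshake completed.
SAMPLE_FLOWS = """\
2006-06-28T11:50:01 203.0.113.7 198.51.100.5 7000 syn_only
2006-06-28T11:50:02 203.0.113.7 198.51.100.5 8000 syn_only
2006-06-28T11:50:03 203.0.113.7 198.51.100.5 9000 syn_only
2006-06-28T11:50:05 203.0.113.7 198.51.100.5 31337 established
2006-06-28T11:51:00 192.0.2.9 198.51.100.5 22 syn_only
2006-06-28T11:53:00 192.0.2.9 198.51.100.5 22 syn_only
2006-06-28T11:55:00 192.0.2.9 198.51.100.5 22 established
2006-06-28T11:56:00 192.0.2.9 198.51.100.5 80 established
"""


def parse_flows(text):
    """Parse the whitespace-separated records above into sorted tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, state = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), state))
    flows.sort(key=lambda f: f[0])
    return flows


def find_knock_sequences(flows, min_knocks=3, window=timedelta(seconds=30)):
    """Return (src, dst, knock_ports, opened_port) for each suspicious sequence.

    A sequence qualifies when, within `window` before an established connection,
    the same source sent unanswered SYNs to at least `min_knocks` distinct other
    ports on the same host, and the port that finally accepted had never
    accepted a connection from that source before (i.e. it opened on demand).
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f[1], f[2])].append(f)

    hits = []
    for (src, dst), recs in by_pair.items():
        for i, (ts, _, _, dport, state) in enumerate(recs):
            if state != "established":
                continue
            # Knocks: distinct unanswered ports hit shortly before this connection.
            knocks = []
            for pts, _, _, pport, pstate in recs[:i]:
                if (pstate == "syn_only" and ts - pts <= window
                        and pport != dport and pport not in knocks):
                    knocks.append(pport)
            # A port that already accepted connections earlier is an ordinary
            # service (e.g. repeated SSH retries), not a backdoor opening on cue.
            seen_before = any(r[3] == dport and r[4] == "established"
                              for r in recs[:i])
            if len(knocks) >= min_knocks and not seen_before:
                hits.append((src, dst, knocks, dport))
    return hits


if __name__ == "__main__":
    for src, dst, knocks, opened in find_knock_sequences(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} -> {dst}: knocked {knocks}, then connected to {opened}")
```

Run against the constructed sample, only the 203.0.113.7 sequence is reported; the repeated SSH attempts from 192.0.2.9 are not, because they target a single port that later accepts normally. Tune the window and threshold to your own traffic, and pair this with a host-side check (listening sockets and firewall rules on the box compared against what an external scan sees) to catch the source-restricted variant that produces no knock at all.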
