Re: backdoor or bot?

[Aviram Jenik <aviram () BEYONDSECURITY COM>]

nessus (www.nessus.org) scans for known Trojans, and has a cool feature of
discovering which service is running on the open ports. So if a backdoor is
available at port xxxxx giving immediate shell, nessus will warn you about
the port being a backdoor (so if the attacker tries to trick you and run at
a port that might seem harmless, nessus will still be smart enough to warn
you about the backdoor)

--
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com



----- Original Message -----
From: "Daniel Wittenberg" <daniel-wittenberg () UIOWA EDU>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, December 27, 2000 7:46 PM
Subject: Re: backdoor or bot?


> Are there any good tools out there to scan a network for some of these
known
> backdoors/trojans?  Preferably something GPL and Linux, but anything known
> would be nice...
>
> Dan
>
> > From: Jon Lewis <jlewis () LEWIS ORG>
> > Reply-To: jlewis () LEWIS ORG
> > Date: Tue, 26 Dec 2000 22:23:49 -0500
> > To: INCIDENTS () SECURITYFOCUS COM
> > Subject: backdoor or bot?
> >
> > I've noticed this on a few systems recently while scanning people back
> > who've been caught scanning for various services on certain networks I
> > manage.
> >
> > $ telnet 211.118.21.87 22546
> > Trying 211.118.21.87...
> > Connected to 211.118.21.87.
> > Escape character is '^]'.
> >
> > Property of PainKeeper !
> > Use with extreme care...
> > ...incoming shell...
> >
> > painkeeper login:
> >
> > My guess is, this is a backdoor.
> >
> > ----------------------------------------------------------------------
> > Jon Lewis *jlewis () lewis org*|  I route
> > System Administrator        |  therefore you are
> > Atlantic Net                |
> > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________