Security Incidents mailing list archives
Re: backdoor or bot?
From: George Milliken <gmilliken () FARM9 COM>
Date: Thu, 28 Dec 2000 10:17:11 -0800
Try Thresher2 (http://www.farm9.com); you can get a free demo account if you email farm9 and ask for an 'eval account'. farm9 Thresher has 1000+ tests; they are an open source based security MSP. (Yes, I am biased, I work there.)

George

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On Behalf Of Mark Symonds
Sent: Wednesday, December 27, 2000 11:29 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: backdoor or bot?

----- Original Message -----
From: "Daniel Wittenberg" <daniel-wittenberg () UIOWA EDU>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, December 27, 2000 9:46 AM
Subject: Re: backdoor or bot?
Are there any good tools out there to scan a network for some of these known backdoors/trojans? Preferably something GPL and Linux, but anything known would be nice...
I don't know anything about anything, but the following script might be helpful on a per-box basis (perhaps extended via netcat or perl/python/somesuch?) ... I named it 'pn', and it is admittedly written in a pinch:

#!/bin/sh
#
# Simple script that shows you which
# users are running processes that LISTEN,
# and optionally kills them.
#
# The OKu file contains a list of usernames,
# one per line, that are allowed to run such
# processes. Their processes are not affected
# by this program.
#
# A single commandline parameter is accepted:
# 'y' will make it automatically kill the offending
# processes with no further output. 'pn y'. This
# is for crontabbing.
#
# Run it as root: netstat -p only reports the PID of
# sockets owned by other users when run as root
# (otherwise the PID/Program column reads "-").

# PIDs of every process holding a TCP socket in LISTEN state
table=`netstat -tanp | grep LISTEN | \
awk '{print $7}' | cut -d '/' -f 1 | grep -v '^-$' | sort -u`

if [ -z "$table" ]
then
  echo "No processes detected."
  exit 0
fi

# PID, owner and command of those processes, minus the ones
# whose USER field is listed in ./OKu (exact match on the
# username; a plain grep -v -f ./OKu would also match the
# command path, e.g. anything under /root).
processes=`ps uh $table | \
awk -v ok=./OKu 'BEGIN { while ((getline u < ok) > 0) allowed[u] = 1 }
                 !($1 in allowed) { print $2 "\t" $1 "\t " $11 }'`
pids=`echo "$processes" | cut -f 1`

if [ "$1" = "y" ] || [ "$1" = "Y" ]
then
  if [ -n "$processes" ]
  then
    kill -9 $pids
  fi
  exit 0
fi

if [ -n "$processes" ]
then
  printf "\nUserland processes that LISTEN:\n\n"
  printf "PID\tUSER\t CMD\n%s\n" "$processes"
  printf "Kill these processes? [y/n]: "
  read killproc
  if [ "$killproc" = "y" ] || [ "$killproc" = "Y" ]
  then
    kill -9 $pids
    exit 0
  else
    echo "No process killed."
  fi
else
  echo "No processes detected."
fi
exit 0

... example OKu file:

mysql
root
www-data
daemon

Does anyone know of an easy way to thwart this? Surely there are many.

--
Mark (jr. sysadmin for hire!)
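The per-box check that the 'pn' script performs, as an added example that is not from the thread: the same join of listening sockets to PIDs to owning users, checked against the OKu allowlist, but done in Python over captured netstat and ps text so it runs offline and reports instead of killing, and it separates out listeners whose owner netstat could not show (the "-" PID case seen when not run as root). The netstat lines, ps lines and OKu contents are constructed samples, and parse_listeners, parse_ps and audit_listeners are names chosen here.

```python
# Constructed sample of `netstat -tanp | grep LISTEN` (Linux layout). A '-' in
# the PID/Program column means the owner was not visible (netstat not run as root).
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:22        0.0.0.0:*   LISTEN   412/sshd
tcp        0      0 127.0.0.1:3306    0.0.0.0:*   LISTEN   530/mysqld
tcp        0      0 0.0.0.0:80        0.0.0.0:*   LISTEN   611/apache
tcp        0      0 0.0.0.0:31337     0.0.0.0:*   LISTEN   9031/bindshell
tcp        0      0 0.0.0.0:6667      0.0.0.0:*   LISTEN   -
"""
# Constructed sample of `ps -eo pid,user,comm` output (header line included).
PS_SAMPLE = """\
  PID USER     COMMAND
  412 root     sshd
  530 mysql    mysqld
  611 www-data apache
 9031 nobody   bindshell
"""
OKU_SAMPLE = "mysql\nroot\nwww-data\ndaemon\n"  # constructed OKu, as in the post


def parse_listeners(netstat_text):
    """Return (local_addr, pid or None) for every LISTEN line."""
    out = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "LISTEN":
            continue
        pid = f[6].partition("/")[0]
        out.append((f[3], int(pid) if pid.isdigit() else None))
    return out


def parse_ps(ps_text):
    """Return {pid: (user, command)} from `ps -eo pid,user,comm` output."""
    rows = [l.split(None, 2) for l in ps_text.splitlines()[1:] if l.strip()]
    return {int(p): (u, c) for p, u, c in rows}


def audit_listeners(netstat_text, ps_text, oku_text):
    """Return (flagged, unattributed) listeners; flagged = owner not in OKu."""
    # Exact username match (a grep -f OKu over the ps line also matches command paths).
    allowed = {u.strip() for u in oku_text.splitlines() if u.strip()}
    procs = parse_ps(ps_text)
    flagged, unattributed = [], []
    for addr, pid in parse_listeners(netstat_text):
        if pid is None or pid not in procs:
            unattributed.append(addr)
            continue
        user, comm = procs[pid]
        if user not in allowed:
            flagged.append((pid, user, addr, comm))
    return flagged, unattributed
```

On the samples above, audit_listeners flags the listener on port 31337 owned by "nobody" and reports the port 6667 listener as unattributed rather than silently dropping it.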