Security Incidents mailing list archives
Re: "closed-port" backdoors
From: Fernando Cardoso <fernando.cardoso () WHATEVERNET COM>
Date: Thu, 22 Mar 2001 09:18:39 -0000
Mixter's Q does the job quite nicely. The daemon can be activated via raw IP. You don't have to send any SYN packets. The drawback is that it only works on systems that can handle raw IP, so forget about Solaris and some flavours of BSD. I've tried it on Linux and it works very well. Fernando -- Fernando Cardoso - Security Consultant WhatEverNet Computing, S.A. Phone : +351 21 7994200 Praca de Alvalade, 6 - Piso 6 Fax : +351 21 7994242 1700-036 Lisboa - Portugal email : fernando.cardoso () whatevernet com http://www.whatevernet.com/
-----Original Message----- From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On Behalf Of Andreas Hasenack Sent: Wednesday, March 21, 2001 8:04 PM To: INCIDENTS () SECURITYFOCUS COM Subject: "closed-port" backdoors Has somebody seen in the wild a type of backdoor where no ports are open until a specifig set of packets are sent to the machine? For example, the backdoor would only bind to port X if the machine receives SYN packets to three other ports in sequence. I've seen code to do this (and sorry if it's not new), but I haven't seen rootkits using it.
_____________________________________________________________________ INTERNET MAIL FOOTER A presente mensagem pode conter informação considerada confidencial. Se o receptor desta mensagem não for o destinatário indicado, fica expressamente proibido de copiar ou endereçar a mensagem a terceiros. Em tal situação, o receptor deverá destruir a presente mensagem e por gentileza informar o emissor de tal facto. --------------------------------------------------------------------- Privileged or confidential information may be contained in this message. If you are not the addressee indicated in this message, you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. ---------------------------------------------------------------------
Current thread:
- "closed-port" backdoors Andreas Hasenack (Mar 21)
- Virus sig? John R. Sciandra (Mar 22)
- Re: "closed-port" backdoors Alexander Reelsen (Mar 22)
- Re: "closed-port" backdoors Fernando Cardoso (Mar 22)
- Re: "closed-port" backdoors Valdis Kletnieks (Mar 22)
- Re: "closed-port" backdoors Andreas Hasenack (Mar 22)
- Re: "closed-port" backdoors Joe Boyle (Mar 22)
- <Possible follow-ups>
- Re: "closed-port" backdoors Frank Knobbe (Mar 22)
- Re: "closed-port" backdoors Andreas Hasenack (Mar 22)
- Re: "closed-port" backdoors M ixter (Mar 23)