Security Incidents mailing list archives

Re: "closed-port" backdoors

From: Fernando Cardoso <fernando.cardoso () WHATEVERNET COM>
Date: Thu, 22 Mar 2001 09:18:39 -0000

Mixter's Q does the job quite nicely. The daemon can be activated via raw
IP. You don't have to send any SYN packets. The drawback is that it only
works on systems that can handle raw IP, so forget about Solaris and some
flavours of BSD. I've tried it on Linux and it works very well.

Fernando

 --
Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardoso () whatevernet com     http://www.whatevernet.com/

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Andreas Hasenack
Sent: Wednesday, March 21, 2001 8:04 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: "closed-port" backdoors

Has somebody seen in the wild a type of backdoor where
no ports are open until a specifig set of packets are sent
to the machine?
For example, the backdoor would only bind to port X if
the machine receives SYN packets to three other ports in
sequence. I've seen code to do this (and sorry if it's not
new), but I haven't seen rootkits using it.



_____________________________________________________________________
                      INTERNET MAIL FOOTER
A presente mensagem pode conter informação considerada confidencial.
Se o receptor desta mensagem não for o destinatário indicado, fica
expressamente proibido de copiar ou endereçar a mensagem a terceiros.
Em tal situação, o receptor deverá destruir a presente mensagem e por
gentileza informar o emissor de tal facto.
---------------------------------------------------------------------
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.
---------------------------------------------------------------------

Current thread:

"closed-port" backdoors Andreas Hasenack (Mar 21)
- Virus sig? John R. Sciandra (Mar 22)
- Re: "closed-port" backdoors Alexander Reelsen (Mar 22)
- Re: "closed-port" backdoors Fernando Cardoso (Mar 22)
- Re: "closed-port" backdoors Valdis Kletnieks (Mar 22)
  - Re: "closed-port" backdoors Andreas Hasenack (Mar 22)
- Re: "closed-port" backdoors Joe Boyle (Mar 22)
- <Possible follow-ups>
- Re: "closed-port" backdoors Frank Knobbe (Mar 22)
  - Re: "closed-port" backdoors Andreas Hasenack (Mar 22)
- Re: "closed-port" backdoors M ixter (Mar 23)