RE: Finding hidden backdoors

[Daniel Cid <danielcid () yahoo com br>]

This is a very dificult situation. A backdoor that
does something similar to that is the rpv21. It tries
to connect (every x minutes) to a specified server and
when the server responds, it gives to the "cracker" a
reverse backdoor... very interesting.
But to deal with this problems, you need to run a
software like chkrootkit and try to find the backdoor.

I`m writing one in perl that makes a lot of checks in
the server to try to find any backdoor or rootkit
(more complete than chkrootkit)... maybe it will be
usefull in the future.

--
Daniel B. Cid

> --- Thomas Ng <thomas () singcert org sg> escreveu: >
> Hi,
> I think it is a pretty good idea to try to listen to
> the port yourself. Nice
> provision to listen to other protocols too.
>
> However, has anyone encountered any backdoor where
> it runs a sniffer and
> only does certain actions when it sees a pre-defined
> header. Something like
> a covert channel but not quite. For example, it
> could sniff see a header
> with syn,fin,ack flags set then look further into
> the packet for commands
> and run that command locally and reply with the
> result.
>
> That way, no port is opened. You can't portscan
> yourself to check for
> suspicious opened ports. This script that you are
> running won't do as well. 
>
> How to deal with these?
>
> Thomas Ng
>
> > -----Original Message-----
> > From: Daniel B. Cid
> [mailto:danielcid () yahoo com br]
> > Sent: Friday, August 01, 2003 4:19 AM
> > To: security-basics () securityfocus com
> > Subject: Finding hidden backdoors
> >
> > I saw some people talking about rootkits that
> hidden process/ports.
> > One think that i always do to see what ports are
> open is to run this
> > perl script:
> >
> >
> > use IO::Socket;
> > for($i=0;$i<=65555;$i++)
> >         {
> >         $server[$i] = IO::Socket::INET->new(
> >         Proto => 'tcp',
> >         LocalPort => $i,
> >         Listen => SOMAXCONN,
> >         Reuse => 1) or print "Port $i Open \n"
> unless $server[$i];
> >         close ($server[$i]);
> >         }
> >
> > This is good because if "netstat" or "lsof" or
> "fuser" or any other
> > program is trojaned , or if it has any firewall
> and nmap is not finding
> > all the open ports, this script will show ... The
> other benefit is that
> > you cant hidden from it using any LKM code...
> > What do you thing ?
> >
> > thanks
> >
> > Daniel B. Cid
--------------------------------------------------------------------------
> > -
--------------------------------------------------------------------------
> > --
>
>  

_______________________________________________________________________
Yahoo! Mail
O melhor e-mail gratuito da internet: 6MB de espaço, antivírus, acesso POP3, filtro contra spam. 
http://br.mail.yahoo.com/

---------------------------------------------------------------------------
----------------------------------------------------------------------------