Security Basics mailing list archives
RE: Finding hidden backdoors
From: Daniel Cid <danielcid () yahoo com br>
Date: Fri, 1 Aug 2003 03:18:54 -0300 (ART)
This is a very difficult situation. A backdoor that does something similar to that is the rpv21. It tries to connect (every x minutes) to a specified server and when the server responds, it gives to the "cracker" a reverse backdoor... very interesting. But to deal with these problems, you need to run a software like chkrootkit and try to find the backdoor. I'm writing one in perl that makes a lot of checks in the server to try to find any backdoor or rootkit (more complete than chkrootkit)... maybe it will be useful in the future.

-- Daniel B. Cid
--- Thomas Ng <thomas () singcert org sg> wrote:

> Hi,
>
> I think it is a pretty good idea to try to listen to the port yourself. Nice provision to listen to other protocols too. However, has anyone encountered any backdoor where it runs a sniffer and only does certain actions when it sees a pre-defined header? Something like a covert channel but not quite. For example, it could sniff and see a header with syn,fin,ack flags set, then look further into the packet for commands and run that command locally and reply with the result. That way, no port is opened. You can't portscan yourself to check for suspicious opened ports. This script that you are running won't do as well. How to deal with these?
>
> Thomas Ng
>
> -----Original Message-----
> From: Daniel B. Cid [mailto:danielcid () yahoo com br]
> Sent: Friday, August 01, 2003 4:19 AM
> To: security-basics () securityfocus com
> Subject: Finding hidden backdoors
>
> I saw some people talking about rootkits that hide processes/ports. One thing that I always do to see what ports are open is to run this perl script:
>
>     use IO::Socket;
>
>     # Try to bind and listen on every TCP port (1-65535). A port that
>     # cannot be bound is already held by some process, whatever
>     # netstat says; a port that binds fine is released straight away.
>     for ($i = 1; $i <= 65535; $i++) {
>         $server = IO::Socket::INET->new(
>             Proto     => 'tcp',
>             LocalPort => $i,
>             Listen    => SOMAXCONN,
>             Reuse     => 1);
>         if ($server) {
>             close($server);
>         } else {
>             print "Port $i Open\n";
>         }
>     }
>
> This is good because if "netstat" or "lsof" or "fuser" or any other program is trojaned, or if it has any firewall and nmap is not finding all the open ports, this script will show... The other benefit is that you can't hide from it using any LKM code...
>
> What do you think?
>
> thanks
>
> Daniel B. Cid
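The bind-every-port trick from Daniel's original mail, redone in Python as an added example (not code from the thread) and extended with the cross-check a defender would run on the result: diff the ports the kernel refuses to bind against the ports netstat admits to, so a listener hidden from netstat or by an LKM shows up as the difference, while a sniffer-triggered or reverse-connecting backdoor (Thomas Ng's and Daniel's point) holds no port and stays invisible to it. Function names, the netstat sample and the loopback self-check are assumptions of this example, not the thread's.

```python
import re
import socket

def bind_probe(port, host="0.0.0.0"):
    """True if TCP PORT is already in use (bind fails), False if it binds freely."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # SO_REUSEADDR stops TIME_WAIT leftovers from reading as "open";
        # a socket in LISTEN state still makes the bind fail.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        return False
    except OSError:
        return True
    finally:
        s.close()

def scan_ports(ports, host="0.0.0.0"):
    """Ports from PORTS that some process holds, per the bind test."""
    return sorted(p for p in ports if bind_probe(p, host))

# Local-port column of 'netstat -an' style lines (tcp/tcp6/udp/udp6, any state).
NETSTAT_RE = re.compile(r"^(?:tcp|udp)\S*\s+\d+\s+\d+\s+\S+:(\d+)\s", re.M)

def ports_from_netstat(text):
    """Every local port netstat admits to, listening or connected."""
    return {int(m.group(1)) for m in NETSTAT_RE.finditer(text)}

def hidden_ports(bound, netstat_ports):
    """Ports the kernel says are taken but netstat omits: what a rootkit hides."""
    return sorted(set(bound) - set(netstat_ports))

# Constructed sample of netstat output (not from the thread), for the parser.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:45000          198.51.100.7:80         ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
"""

def self_check(host="127.0.0.1"):
    """Known listener on an ephemeral loopback port: flagged while open, free after."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind((host, 0))
    lst.listen(1)
    port = lst.getsockname()[1]
    while_open = bind_probe(port, host)
    lst.close()
    return while_open, bind_probe(port, host)
```

A full sweep is `scan_ports(range(1, 65536))`, run as root so low ports are bindable, then fed to `hidden_ports` together with the live `netstat -an` output.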