Security Basics mailing list archives

Re: Finding hidden backdoors


From: "Tim Greer" <chatmaster () charter net>
Date: Thu, 31 Jul 2003 15:25:50 -0700

The backdoor could easily only accept connections from non local sources, or
a specific source.  It's probably easier to just run netstat, lsof, etc.
from a clean, trusted media... or also boot into single user mode from a
trusted kernel image.  In fact, you should always have trusted kernel images
on the server anyway, for purposes of being able to boot if the other image
is corrupted or modified.  As for LKM, I don't compile with lkm support in
my kernels for many reasons (security being one of them), but a lot of
people do, so...
--
Regards,
Tim Greer  chatmaster () charter net
Server administration, security, programming, consulting.


----- Original Message -----
From: "Daniel B. Cid" <danielcid () yahoo com br>
To: <security-basics () securityfocus com>
Sent: Thursday, July 31, 2003 1:18 PM
Subject: Finding hidden backdoors


I saw some people talking about rootkits that hide processes/ports.
One thing that I always do to see what ports are open is to run this
perl script:


use strict;
use warnings;
use IO::Socket;   # also exports Socket's constants, e.g. SOMAXCONN

# Try to open a listening socket on every TCP port (0 is not a real port,
# it just asks for an ephemeral one). If the bind fails the port is taken
# by someone else, whatever netstat/lsof claim. Note that below port 1024
# a non-root user cannot bind at all, so those show as "Open" unless you
# run this as root.
for my $port (1 .. 65535) {
        my $server = IO::Socket::INET->new(
                Proto     => 'tcp',
                LocalPort => $port,
                Listen    => SOMAXCONN,
                Reuse     => 1,
        );
        if ($server) {
                close($server);
        } else {
                print "Port $port Open\n";
        }
}

This is good because if "netstat" or "lsof" or "fuser" or any other
program is trojaned, or if there is any firewall and nmap is not finding
all the open ports, this script will show them... The other benefit is that
you can't hide from it using any LKM code...
What do you think?

thanks

Daniel B. Cid
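An added example, written for this archive page in Python rather than Perl and not code from either poster: it runs the same bind probe, but tells "address in use" apart from "permission denied" (ports below 1024 when not root, which the Perl loop would report as open) and diffs the result against the LISTEN entries in /proc/net/tcp, the kernel table netstat itself reads. The /proc/net/tcp text used in the test is constructed.

```python
import errno
import socket
from typing import Dict, Iterable, Set

def bind_probe(ports: Iterable[int], host: str = "0.0.0.0") -> Dict[int, str]:
    """Try to open a listening TCP socket on each port, like the Perl loop.
    EADDRINUSE means something already listens on that port; EACCES means a
    privileged port (< 1024) was probed without root, so it was not checked."""
    found: Dict[int, str] = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # same as Reuse => 1
        try:
            s.bind((host, port))
            s.listen(1)
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                found[port] = "in_use"
            elif e.errno == errno.EACCES:
                found[port] = "no_permission"
            else:
                found[port] = "error:%s" % e.errno
        finally:
            s.close()
    return found

def listening_ports_from_proc(text: str) -> Set[int]:
    """Extract LISTEN (state 0A) local ports from the contents of /proc/net/tcp.
    Ports are hex in the local_address column; the first line is a header."""
    ports: Set[int] = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def hidden_listeners(probe: Dict[int, str], reported: Set[int]) -> Set[int]:
    """Ports the bind probe found taken but the kernel table does not list:
    the discrepancy a trojaned netstat or a hiding LKM would produce."""
    return {p for p, st in probe.items() if st == "in_use" and p not in reported}

if __name__ == "__main__":
    with open("/proc/net/tcp") as f:
        reported = listening_ports_from_proc(f.read())
    probe = bind_probe(range(1, 65536))
    for p in sorted(hidden_listeners(probe, reported)):
        print("Port %d in use but not listed in /proc/net/tcp" % p)
    for p in sorted(k for k, v in probe.items() if v == "no_permission"):
        print("Port %d not checked (needs root)" % p)
```

Only IPv4 is probed and compared here; an IPv6-only listener would have to be checked against /proc/net/tcp6 the same way.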


