Security Basics mailing list archives
RE: Hidden Ports
From: "Aditya [ Aditya Lalit Deshmukh ]" <aditya.deshmukh () online gateway technolabs net>
Date: Tue, 10 Feb 2004 19:04:07 +0530
This is done by the firewalls to prevent authenticated files from being replaced by trojans and connecting to the internet. There are many firewalls that do this: ZoneAlarm, Tiny Firewall, Kerio Firewall, Sygate Firewall, etc. This basically adds to the system security, so it is good to keep it enabled.

-aditya
-----Original Message-----
From: Michael Painter [mailto:tvhawaii () shaka com]
Sent: Sunday, February 08, 2004 9:04 AM
To: Dimitri Bertolami; security-basics () securityfocus com
Subject: Re: Hidden Ports

----- Original Message -----
From: "Dimitri Bertolami" <Dimitri () staf pi be>
To: <security-basics () securityfocus com>
Sent: Friday, February 06, 2004 9:50 AM
Subject: RE: Hidden Ports

guys and gals, I'll explain a bit more about this one ..
[snip]

quote: (david)
-------------------------------------------
Not necessarily. These tools are often part of a rootkit, which would naturally hide itself. In fact, they usually load as part of the OS kernel, and not as a process.
-------------------------------------------

http://www.megasecurity.org/trojans/h/hackerdefender/Hackerdefender0.21.html
(text below taken from the site)

Idea
----
Main idea of this program was to use API functions WriteProcessMemory and CreateRemoteThread to create a new thread in all running processes. New thread will rewrite some functions in system modules (mostly kernel32.dll) and inject fake code which will check API results and change this result in specific cases. Program must be absolutely hidden for all others. Program installs hidden backdoors and registers as hidden system service.

-- meaning, you really honestly don't see the 500 connections to port 21 on your hidden FTP Server, because according to your "rewritten" kernel there simply aren't any of these services or ports in use. You can consider a rootkit like an Evil MS patch (from hackers). MS patches the correct way, rootkits patch the wrong way. But a patch is a patch, and Windows won't recognise the patch as "not" being a part of its own architecture once it's installed.

any questions, feel free to ask..

Cheers,
Dimitri

What do you folks think of ZoneAlarmPro? When I look in: Program Control | Components, there are ~1,125 dlls listed.
If I right click on kernel32.dll and select More Info, in Overview I get:

"ZoneAlarm Pro has recorded KERNEL32.DLL in its list of components in the Program Control section. The component was recorded because either a program using the component requested network access, or a program that already had network access attempted to load the component. Information about the component is recorded whether the user allowed the program access/server rights or denied it.

Many programs require network access for normal operation, and use components to perform their network access. These are expected uses and are not a cause for concern. However, viruses and Trojan horse programs can modify or replace components with hacked versions that can be used to carry out attacks. If you suspect a component is not legitimate, you should not allow it access. Because the purpose of component files is often not obvious, you should conduct some research if you have any suspicions about a component's legitimacy. Detailed information about KERNEL32.DLL is available on the Technical Info tab of this article.

Depending on the Access setting for a component, ZoneAlarm Pro will either allow a program using that component to access the network or act as a server, or will ask you for permission each time it is used. If you trust KERNEL32.DLL, you can give it an Access setting of Allow, and that will give programs using it access/server rights without needing to ask for permission each time. If you are not sure about KERNEL32.DLL, you can give it a setting of Ask, which will remind you that you need to decide next time it is used. If you know there is a problem with KERNEL32.DLL, you should either delete it from your system or fix the problem."

And under Details, they say:

"This article presents detailed information on component KERNEL32.DLL.

What is a new or changed component?
A component is a small program or set of functions (also known as a Dynamic Link Library or DLL) that larger programs call on to perform specific tasks. Some components may be used by several different programs simultaneously.

ZoneAlarm Pro considers a component a New Component the first time a program using the component makes an attempt to connect to or receive connections from the Internet or your local network, or the first time a component is loaded by a program that is already connected to the network. ZoneAlarm Pro also considers the component to be a New Component if the component entry within the ZoneAlarm Pro Components List has been removed.

ZoneAlarm Pro considers a component a Changed Component if it has been modified since the last time it accessed the Internet or your local network. If you have upgraded a component and the upgrade replaced the component with a new copy, then ZoneAlarm Pro detects the change in the file. Some components are automatically updated by programs, and ZoneAlarm Pro detects any change in the component file itself, no matter how slight."

And finally:

"ZoneAlarm Pro authenticates your programs and their shared components by recording their MD5 signatures the first time the program requests network or Internet access, then checking those signatures when the program requests access again."

Do any other "Firewalls" do anything like this and if so, what do you think of it? Sorry to be so long-winded but didn't know how many had a chance to use ZA.

--Michael
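The component-authentication scheme the quoted ZoneAlarm Pro text describes (record a digest of each shared component the first time a program using it asks for network access, re-check the digest on later requests, and report the component as New or Changed) is straightforward to model. The following is an added example written for this archive page, not ZoneAlarm code or any firewall vendor's code. It uses SHA-256 rather than the MD5 the text mentions, because MD5 collisions are practical today; the class and file names, the JSON store and the fake `kernel32.dll` bytes are all constructed for the demonstration.

```python
"""Component baseline modelled on the behaviour the quoted ZoneAlarm Pro text
describes.  Added example for this page, not ZoneAlarm's implementation.
SHA-256 is used instead of MD5 (the algorithm the text names) because MD5 is
collision-prone; the layout of the store and all sample data are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large components do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ComponentList:
    """Persisted map of component path -> digest, playing the role of the
    'Components' list: an entry is created the first time a component is seen
    during a network request, and compared on every later request."""

    def __init__(self, store):
        self.store = Path(store)
        self.entries = (
            json.loads(self.store.read_text()) if self.store.exists() else {}
        )

    def save(self):
        self.store.write_text(json.dumps(self.entries, indent=1, sort_keys=True))

    def check(self, component):
        """Classify a component a program loads while asking for network access.
        Returns 'new' (first sighting, now recorded), 'changed' (on-disk bytes
        differ from the recorded digest) or 'ok' (digest matches)."""
        key = str(Path(component).resolve())
        digest = file_digest(key)
        known = self.entries.get(key)
        if known is None:
            self.entries[key] = digest      # record on first sighting
            self.save()
            return "new"
        return "changed" if known != digest else "ok"

    def accept_change(self, component):
        """The 'I upgraded it and trust the new copy' path: re-baseline the
        component so later checks report 'ok' again."""
        key = str(Path(component).resolve())
        self.entries[key] = file_digest(key)
        self.save()


def demo():
    """Walk one component through new -> ok -> changed -> accepted, using a
    constructed fake DLL in a temporary directory.  Returns the verdicts."""
    with tempfile.TemporaryDirectory() as d:
        dll = Path(d) / "kernel32.dll"            # constructed stand-in, not the real file
        dll.write_bytes(b"MZ\x90\x00 constructed component bytes for the example")
        store = Path(d) / "components.json"

        verdicts = []
        cl = ComponentList(store)
        verdicts.append(cl.check(dll))            # first network request: 'new'
        verdicts.append(cl.check(dll))            # unchanged on the next request: 'ok'

        # Simulate a trojan replacing the component on disk between requests.
        dll.write_bytes(b"MZ\x90\x00 replaced contents")
        cl = ComponentList(store)                 # reload to show the baseline persisted
        verdicts.append(cl.check(dll))            # 'changed'

        cl.accept_change(dll)                     # user trusts the new copy
        verdicts.append(ComponentList(store).check(dll))  # 'ok' again
        return verdicts


if __name__ == "__main__":
    print(demo())
```

Note the limit of this kind of check, which follows directly from the HackerDefender description Dimitri quoted: that program rewrites functions inside already-running processes with WriteProcessMemory and CreateRemoteThread. A digest of the on-disk kernel32.dll is unaffected by an in-memory patch, so a baseline like the one above would still report `ok` for a process whose loaded copy has been modified. File-digest authentication catches a replaced or tampered component file; it does not by itself tell you whether the running image is the one you hashed, which is why it complements rather than replaces rootkit detection.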
Current thread:
- Securing Windows Server 2003 [was: Necessary ports and not necessary ports], (continued)
- Securing Windows Server 2003 [was: Necessary ports and not necessary ports] Joey Peloquin (Feb 05)
- Re: Necessary ports and not necessary ports JGrimshaw (Feb 06)
- Re: Necessary ports and not necessary ports NSC (Feb 06)
- Re: [work] Hidden Ports opticfiber (Feb 05)
- Re: Hidden Ports Vincent (Feb 06)
- Re: Hidden Ports Alessandro (Feb 04)
- Re: Hidden Ports H Carvey (Feb 05)
- Re: Hidden Ports H Carvey (Feb 06)
- RE: Hidden Ports Dimitri Bertolami (Feb 06)
- Re: Hidden Ports Michael Painter (Feb 09)
- RE: Hidden Ports Aditya [ Aditya Lalit Deshmukh ] (Feb 10)
- RE: Hidden Ports Dimitri Bertolami (Feb 06)
- Re: Hidden Ports H Carvey (Feb 06)
- Re: Hidden Ports H Carvey (Feb 09)