Educause Security Discussion mailing list archives
Re: Rootkit discovery tools
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 28 Jun 2006 14:54:05 -0400
On Wed, 28 Jun 2006 13:36:06 CDT, Graham Toal said:
> You know, I have always wondered why the hackers weren't smart enough to put a firewall on their backdoor ports so that they could only be accessed (or detected) from specific addresses owned by the hackers. (i.e. so we couldn't find them in a scan). Then I realised, for all we know, they already are :-(
Google for "port knocking". Fortunately, only the clued ones are doing it now. I've seen a *really* slick iptables-only script that blocks access to the SSH port until packets were received for certain other ports in a specific order...

http://www.debian-administration.org/articles/268

There's also lots of recipes for doing it with a daemon program called 'knockd', which is more configurable but requires additional software...
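Added example, not part of the original message or of any tool named in it: a port scan cannot see a knock-gated port, but logs from an upstream firewall or flow collector can show the knock itself. The sketch flags a source that has several packets dropped on distinct ports and is then accepted on a port that is filtered for other sources. The record layout, field names, thresholds and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: (epoch seconds, source IP, destination port, verdict)
SAMPLE_LOG = [
    (100.0, "192.0.2.10", 22, "DROP"),      # port looks closed to this source
    (101.0, "192.0.2.10", 7000, "DROP"),    # knock 1
    (101.4, "192.0.2.10", 8000, "DROP"),    # knock 2
    (101.9, "192.0.2.10", 9000, "DROP"),    # knock 3
    (103.0, "192.0.2.10", 22, "ACCEPT"),    # same port now answers
    (200.0, "198.51.100.7", 21, "DROP"),    # ordinary scanner...
    (200.2, "198.51.100.7", 23, "DROP"),
    (200.4, "198.51.100.7", 25, "DROP"),
    (200.6, "198.51.100.7", 80, "ACCEPT"),  # ...reaching a port open to everyone
    (300.0, "203.0.113.5", 22, "ACCEPT"),   # allow-listed host, no knocks
]

def find_knock_sequences(records, window=10.0, min_knocks=3):
    """Return accepts that were preceded by a burst of drops from the same source."""
    records = sorted(records)
    # Ports that were dropped for at least one source, i.e. not open to everyone.
    filtered_ports = {port for _, _, port, verdict in records if verdict == "DROP"}
    recent_drops = defaultdict(list)  # source -> [(timestamp, port)] inside the window
    findings = []
    for ts, src, port, verdict in records:
        drops = [(t, p) for t, p in recent_drops[src] if ts - t <= window]
        recent_drops[src] = drops
        if verdict == "DROP":
            drops.append((ts, port))
        elif verdict == "ACCEPT" and port in filtered_ports:
            knocks = [p for _, p in drops if p != port]
            if len(set(knocks)) >= min_knocks:
                findings.append({"src": src, "opened_port": port,
                                 "knocks": knocks, "time": ts})
                drops.clear()  # do not report the same burst twice
    return findings

if __name__ == "__main__":
    for hit in find_knock_sequences(SAMPLE_LOG):
        print(hit)
```

This is a heuristic: a knock spread over a longer time than `window`, or one using fewer ports than `min_knocks`, is not reported, so both values need tuning against real traffic.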