Security Incidents mailing list archives

Re: "closed-port" backdoors


From: Andreas Hasenack <andreas () CONECTIVA COM BR>
Date: Thu, 22 Mar 2001 13:09:40 -0300

On Thu, Mar 22, 2001 at 10:00:16AM -0500, Valdis.Kletnieks () vt edu wrote:
> Note that the backdoor would need to have at least one of the following:
>
> 1) A pending listen() on the 3 other ports involved.
>
> 2) A wildcard listen() unbound to a port.
>
> 3) A packet filter/sniffer active on an interface.
>
> 4) A raw socket
>
> Otherwise, it won't see the 3 SYN packets.

It will with a raw socket. portsentry works this way.

lsof and netstat show an open raw socket, and lsof shows the process.
This would require a trojaned lsof/netstat to be hidden.
I was thinking of ways to check for rootkits that use LKM, and remote
port scanning was one, but if this kind of backdoor is in place, then
not even nmap will show something unusual. Either some trick to trigger
some kind of response of an installed LKM or the machine would have to
be rebooted from a clean kernel.

Someone suggested exporting stuff via NFS and running MD5 on it to check for
modified binaries; some LKM might not check that. I don't know.

> If I've overlooked a means to see a packet, feel free to add - I'm not
> fully caffeinated yet. ;)

Hehe, just had my cup of coffee... :)
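An added example, not part of this thread: a Python script that performs the check Andreas describes (which processes hold a raw or packet socket) by reading /proc/net/raw, /proc/net/raw6, /proc/net/packet and the /proc/PID/fd links itself, instead of trusting the lsof or netstat binaries; an LKM that filters /proc can still hide from it, as the mail notes. The sample table rows are constructed, not captured from a host.

```python
import os
import re

# Path under /proc -> index of the inode field in each data row. In net/raw and
# net/raw6 the header does not line up with the data, so field 9 is hard-coded.
SOCKET_TABLES = {"net/raw": 9, "net/raw6": 9, "net/packet": -1}
LINK_RE = re.compile(r"socket:\[(\d+)\]")  # /proc/PID/fd/N link target for a socket

# Constructed sample rows in the real /proc format (not captured from a host).
SAMPLE_RAW = ("  sl  local_address rem_address   st tx_queue rx_queue tr tm->when"
              " retrnsmt   uid  timeout inode ref pointer drops\n"
              "   0: 00000000:0006 00000000:0000 07 00000000:00000000 00:00000000"
              " 00000000     0        0 31337 2 0000000000000000 0\n")
SAMPLE_PACKET = ("sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
                 "0000000000000000 3      3    0003   2     1 0        0      24680\n")

def socket_inodes(table_text, inode_field):
    """Set of socket inode numbers in one /proc/net table (header row skipped)."""
    rows = [r.split() for r in table_text.splitlines()[1:] if r.strip()]
    return {int(r[inode_field]) for r in rows}

def owners_of_inodes(inodes, proc_root="/proc"):
    """Map socket inode -> [(pid, comm)] by reading every process's fd links.
    Needs root to see other users' fd tables; unreadable processes are skipped."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
            comm = open(os.path.join(proc_root, pid, "comm")).read().strip()
        except OSError:
            continue  # process exited, or not readable by this user
        for fd in fds:
            try:
                m = LINK_RE.match(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue  # fd closed between listdir and readlink
            if m and int(m.group(1)) in inodes:
                owners.setdefault(int(m.group(1)), []).append((int(pid), comm))
    return owners

if __name__ == "__main__":  # live run against the host's /proc (Linux only)
    found = {}
    for rel, field in SOCKET_TABLES.items():
        try:
            found[rel] = socket_inodes(open("/proc/" + rel).read(), field)
        except OSError:
            continue  # table absent (IPv6 off, or not Linux)
    owners = owners_of_inodes(set().union(*found.values())) if found else {}
    for rel, inodes in found.items():
        for ino in inodes:  # no owner = socket in kernel table, no visible process
            print(f"/proc/{rel}: inode {ino} -> {owners.get(ino, 'no visible process')}")
```

A raw or packet socket that appears in the kernel table but maps to no visible process is the case to look at first, since it points at exactly the hidden-process situation discussed above.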
