Security Incidents mailing list archives

Re: "closed-port" backdoors


From: Alexander Reelsen <ar () RHWD NET>
Date: Thu, 22 Mar 2001 10:12:38 +0100

Hi

On Wed, Mar 21, 2001 at 05:03:49PM -0300, Andreas Hasenack wrote:
> Has somebody seen in the wild a type of backdoor where
> no ports are open until a specific set of packets are sent
> to the machine?
> For example, the backdoor would only bind to port X if
> the machine receives SYN packets to three other ports in
> sequence. I've seen code to do this (and sorry if it's not
> new), but I haven't seen rootkits using it.
It exists actually and is used in the wild. Take a look at
http://www.phenoelit.de/stuff/cd00rdescr.html
for an example using libpcap.


MfG/Regards, Alexander

--
Alexander Reelsen   http://joker.rhwd.de
ref () linux com       GnuPG: pub 1024D/F0D7313C  sub 2048g/6AA2EDDB
ar () rhwd net         7D44 F4E3 1993 FDDF 552E  7C88 EE9C CBD1 F0D7 313C
Securing Debian:    http://joker.rhwd.de/doc/Securing-Debian-HOWTO
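From the defender's side, the pattern the thread describes (a handful of SYNs to distinct closed ports in quick succession from one source, then a connection to a port that was closed a moment earlier) is visible in ordinary firewall logs. The following is an added example, not code from this thread or from cd00r: a small detector that groups dropped-SYN log lines per source into bursts and flags bursts that look like a knock sequence rather than a port scan. The log format is a constructed, simplified netfilter-LOG style, and the thresholds (WINDOW_SECONDS, MIN_KNOCKS, MAX_KNOCKS) are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a simplified netfilter-LOG style (not real
# traffic). 198.51.100.7 sends SYNs to three different closed ports within a
# few seconds and then connects to a fourth port: the knock pattern.
# 203.0.113.9 is background noise; 198.51.100.250 is a plain port scan.
SAMPLE_LOG = """\
2001-03-22T10:00:01 DROP   SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=7000 SYN
2001-03-22T10:00:02 DROP   SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=8000 SYN
2001-03-22T10:00:03 DROP   SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=9000 SYN
2001-03-22T10:00:05 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=5002 SYN
2001-03-22T10:05:00 DROP   SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22 SYN
2001-03-22T10:30:00 DROP   SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=8080 SYN
"""
# Constructed scanner: twenty ports in the same second should NOT be reported as a knock.
SAMPLE_LOG += "".join(
    f"2001-03-22T11:00:00 DROP   SRC=198.51.100.250 DST=192.0.2.10 PROTO=TCP SPT={40000 + p} DPT={p} SYN\n"
    for p in range(1, 21)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>DROP|ACCEPT)\s+SRC=(?P<src>\S+).*?DPT=(?P<dpt>\d+)(?P<flags>.*)$"
)

# Assumed thresholds: tune to your environment.
WINDOW_SECONDS = 10   # max gap between consecutive packets of one knock sequence
MIN_KNOCKS = 3        # fewer distinct closed ports than this is ordinary noise
MAX_KNOCKS = 8        # more than this looks like a port scan, not a knock


def parse_syn_events(text):
    """Return (timestamp, src, dport, action) tuples for SYN lines only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or "SYN" not in m.group("flags"):
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        events.append((ts, m.group("src"), int(m.group("dpt")), m.group("action")))
    return events


def cluster_by_gap(events, window):
    """Split a time-sorted event list into bursts whose consecutive events are <= window apart."""
    clusters, current = [], []
    for ev in events:
        if current and (ev[0] - current[-1][0]).total_seconds() > window:
            clusters.append(current)
            current = []
        current.append(ev)
    if current:
        clusters.append(current)
    return clusters


def find_knock_sequences(text, window=WINDOW_SECONDS,
                         min_knocks=MIN_KNOCKS, max_knocks=MAX_KNOCKS):
    """Report sources whose burst of SYNs to distinct closed ports looks like a knock."""
    by_src = defaultdict(list)
    for ev in parse_syn_events(text):
        by_src[ev[1]].append(ev)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        for burst in cluster_by_gap(evs, window):
            # A knock is an ordered sequence of SYNs to *distinct closed* (dropped) ports.
            knock_ports = []
            for _, _, dport, action in burst:
                if action == "DROP" and dport not in knock_ports:
                    knock_ports.append(dport)
            if not (min_knocks <= len(knock_ports) <= max_knocks):
                continue
            # The tell-tale follow-up: a SYN to a port that was not part of the knock.
            follow_up = next((d for _, _, d, _ in burst if d not in knock_ports), None)
            findings.append({
                "src": src,
                "first_seen": burst[0][0].isoformat(),
                "knock_ports": knock_ports,
                "follow_up_port": follow_up,
            })
    return findings


if __name__ == "__main__":
    for f in find_knock_sequences(SAMPLE_LOG):
        print(f"{f['first_seen']} {f['src']} knocked {f['knock_ports']}, then hit {f['follow_up_port']}")
```

Running it on the constructed sample reports only 198.51.100.7 (knock on 7000, 8000, 9000, then 5002); the slow background source never forms a burst of three, and the scanner is rejected by MAX_KNOCKS. Correlating the follow-up port against what the host itself reports as listening (a cd00r-style implant opens the port only after the knock, so a periodic netstat or lsof snapshot will show a listener appearing that was absent a moment before) is the natural next check.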

