Security Incidents mailing list archives
Re: "closed-port" backdoors
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 22 Mar 2001 10:00:16 -0500
On Wed, 21 Mar 2001 17:03:49 -0300, Andreas Hasenack <andreas () CONECTIVA COM BR> said:
Has somebody seen in the wild a type of backdoor where no ports are open until a specific set of packets are sent to the machine? For example, the backdoor would only bind to port X if the machine receives SYN packets to three other ports in sequence. I've seen code to do this (and sorry if it's not new), but I haven't seen rootkits using it.
Note that the backdoor would need to have at least one of the following:
1) A pending listen() on the 3 other ports involved.
2) A wildcard listen() unbound to a port.
3) A packet filter/sniffer active on an interface.
Otherwise, it won't see the 3 SYN packets.
If I've overlooked a means to see a packet, feel free to add - I'm not fully caffeinated yet. ;)
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
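The three prerequisites listed in the reply above are exactly what a host check can look for on Linux. The following is an added example, not code from this thread or its authors: it parses /proc/net/tcp for LISTEN sockets, /proc/net/packet for AF_PACKET (sniffer) sockets, and /sys/class/net/*/flags for promiscuous interfaces, using constructed sample file contents; the function and constant names are the example's own.

```python
# Added example (not from the thread): enumerate the three host-side footholds
# Valdis lists, on Linux: TCP listeners, AF_PACKET sniffer sockets, promiscuous
# interfaces. Parses /proc/net/tcp, /proc/net/packet, /sys/class/net/*/flags.
import glob, os, socket, struct

IFF_PROMISC = 0x100   # <linux/if.h>
TCP_LISTEN = "0A"     # 'st' column value for LISTEN in /proc/net/tcp

# Constructed sample contents (not captured from a real host).
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12700 1
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12891 1
   2: 0100007F:C1DE 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 40123 1
"""
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8800 3      3    0003   2     1 0      0      31337
"""

def parse_tcp_listeners(text):
    """(ip, port, uid, inode) for each LISTEN socket; IPs are little-endian hex."""
    out = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10 or f[3] != TCP_LISTEN:
            continue
        hexip, hexport = f[1].split(":")
        ip = socket.inet_ntoa(struct.pack("<I", int(hexip, 16)))
        out.append((ip, int(hexport, 16), int(f[7]), int(f[9])))
    return out

def parse_packet_sockets(text):
    """(type, proto, ifindex, uid, inode) per AF_PACKET socket: proto 0x0003 is
    ETH_P_ALL, i.e. the holder sees every frame whatever ports are bound."""
    return [(int(f[2]), int(f[3], 16), int(f[4]), int(f[7]), int(f[8]))
            for f in (l.split() for l in text.splitlines()[1:]) if len(f) >= 9]

def is_promisc(flags_text):
    """flags_text is the contents of /sys/class/net/<if>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def scan_live_host():
    """Run the same checks on the real /proc and /sys; None if not on Linux."""
    if not os.path.exists("/proc/net/packet"):
        return None
    with open("/proc/net/tcp") as fh: listeners = parse_tcp_listeners(fh.read())
    with open("/proc/net/packet") as fh: sniffers = parse_packet_sockets(fh.read())
    promisc = [p.split("/")[4] for p in glob.glob("/sys/class/net/*/flags")
               if is_promisc(open(p).read())]
    return {"listeners": listeners, "packet_sockets": sniffers, "promisc": promisc}
```

On a live host, map the returned inodes to processes via /proc/*/fd to see which binary holds each socket; a packet socket or promiscuous interface owned by something other than a known monitoring tool is what the reply's point (3) predicts.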
