You are completely right. It's only a piece of code
to try to find the open ports (at that moment).
It's only useful for one specific situation: when
you have an open port hidden (by an LKM or trojaned
binaries)...
You need to do a lot of other checks to have a
complete analysis of the system.
--
Daniel B. Cid
> --- Michael Silk <michaels_at_phg.com.au> wrote:
> Well, backdoors don't always have to have a port open
> waiting
> for connections; one such different variation could
> be:
> - backdoor runs every X o'clock, connecting to a
> website
> to receive its malicious commands ... hence it
> will
> just look like a simple http browsing session and
> will probably be unnoticed.
>
> A simple port-search wouldn't pick that up :)
>
> -- Michael
>
> -----Original Message-----
> From: Tim Greer [mailto:chatmaster_at_charter.net]
> Sent: Friday, 1 August 2003 8:26 AM
> To: Daniel B. Cid; security-basics_at_securityfocus.com
> Subject: Re: Finding hidden backdoors
>
>
> The backdoor could easily only accept connections
> from non-local sources, or
> a specific source. It's probably easier to just run
> netstat, lsof, etc.
> from clean, trusted media... or also boot into
> single user mode from a
> trusted kernel image. In fact, you should always
> have trusted kernel images
> on the server anyway, for purposes of being able to
> boot if the other image
> is corrupted or modified. As for LKM, I don't
> compile with lkm support in
> my kernels for many reasons (security being one of
> them), but a lot of
> people do, so...
> --
> Regards,
> Tim Greer chatmaster_at_charter.net
> Server administration, security, programming,
> consulting.
>
>
> ----- Original Message -----
> From: "Daniel B. Cid" <danielcid_at_yahoo.com.br>
> To: <security-basics_at_securityfocus.com>
> Sent: Thursday, July 31, 2003 1:18 PM
> Subject: Finding hidden backdoors
>
>
> > I saw some people talking about rootkits that
> hide processes/ports.
> > One thing that I always do to see what ports are
> open is to run this
> > perl script:
> >
> >
> > use strict;
> > use warnings;
> > use IO::Socket;
> >
> > my @server;
> > # 65535 is the highest TCP port (the original loop bound, 65555, was a typo)
> > for (my $i = 0; $i <= 65535; $i++)
> > {
> >     $server[$i] = IO::Socket::INET->new(
> >         Proto     => 'tcp',
> >         LocalPort => $i,
> >         Listen    => SOMAXCONN,
> >         Reuse     => 1);
> >     # bind failed: something is already listening there, even if netstat hides it
> >     print "Port $i Open \n" unless $server[$i];
> >     close($server[$i]) if $server[$i];
> > }
> >
> > This is good because if "netstat" or "lsof" or
> "fuser" or any other
> > program is trojaned, or if it has a firewall
> and nmap is not finding
> > all the open ports, this script will show them... The
> other benefit is that
> > you can't hide from it using any LKM code...
> > What do you think?
> >
> > thanks
> >
> > Daniel B. Cid
Received on Aug 01 2003
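A Python rendering of the bind-probe idea from Daniel's Perl script, added here as an illustration and not part of the thread: it tries to bind every port in a range, counts EADDRINUSE as a live listener, treats EACCES (ports below 1024 without root) as inconclusive rather than "open", and diffs the result against the ports parsed from a constructed `netstat -ltn` listing, which is how one would check a possibly trojaned netstat. `SAMPLE_NETSTAT`, `demo()` and the other function names are my own, and the probe only covers IPv4 TCP.

```python
import errno
import socket

# Constructed `netstat -ltn` output, standing in for a trojaned tool that omits a port.
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
"""

def bind_probe(port, host="0.0.0.0"):
    """True if a listener already holds `port` (EADDRINUSE), False if the bind
    succeeds, None if it fails otherwise (e.g. EACCES below 1024 without root)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # SO_REUSEADDR (the Perl script's Reuse => 1) keeps TIME_WAIT ports from being flagged.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        return False
    except OSError as e:
        return True if e.errno == errno.EADDRINUSE else None
    finally:
        s.close()

def bind_scan(ports, host="0.0.0.0"):
    """Ports in `ports` that refuse a bind, i.e. that have a live IPv4 TCP listener."""
    return sorted(p for p in ports if bind_probe(p, host) is True)

def parse_listen_ports(tool_output):
    """Local ports from `netstat -ltn` / `ss -ltn` lines (4th column in both)."""
    ports = set()
    for fields in (line.split() for line in tool_output.splitlines()):
        if len(fields) >= 4 and fields[3].rsplit(":", 1)[-1].isdigit():
            ports.add(int(fields[3].rsplit(":", 1)[-1]))
    return ports

def hidden_listeners(bound_ports, reported_ports):
    """Ports the bind probe found in use that the reporting tool did not list."""
    return sorted(set(bound_ports) - set(reported_ports))

def demo():
    """Listen on an ephemeral port, as a backdoor would, and find it via the probe."""
    lsn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsn.bind(("0.0.0.0", 0))
    lsn.listen(1)
    port = lsn.getsockname()[1]
    try:
        hidden = hidden_listeners(bind_scan([port]), parse_listen_ports(SAMPLE_NETSTAT))
    finally:
        lsn.close()
    return port, hidden, bind_probe(port)  # after close the port binds again: False
```

Running the full range with `bind_scan(range(1, 65536))` takes a while and needs root to make the low ports conclusive; as Tim notes in the thread, do it from trusted media so the probe itself is not what got trojaned.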