RE: Finding hidden backdoors

[Daniel Cid <danielcid () yahoo com br>]

You are completely right. Its only a peace of code
to try to find the open ports (at that moment).
Its only usefull for one specific situation - when
you have a open port hidden (by lkm or trojanned
binaries)...
You need to do a lot of other checks to have a 
complete analyze of the system.

--
Daniel B. Cid


> --- Michael Silk <michaels () phg com au> escreveu: >
> Well backdoors don't always have to have a port open
> waiting
> for connections, one such different variation could
> be:
>       - backdoor runs every X o'clock, connecting to a
> website
>               to receive its malicious commands ... hence it
> will
>               just look like a simply http browsing session and
>               will probably be un-noticed.
>
>       A simple port-search wouldn't pick that up :)
>
> -- Michael
>
> -----Original Message-----
> From: Tim Greer [mailto:chatmaster () charter net]
> Sent: Friday, 1 August 2003 8:26 AM
> To: Daniel B. Cid; security-basics () securityfocus com
> Subject: Re: Finding hidden backdoors
>
>
> The backdoor could easily only accept connections
> from non local sources, or
> a specific source.  It's probably easier to just run
> netstat, lsof, etc.
> from a clean. trusted media... or also boot into
> single user mode from a
> trusted kernel image.  In fact, you should always
> have trusted kernel images
> on the server anyway, for purposes of being able to
> boot if the other image
> is corrupted or modified.  As for LKM, I don't
> compile with lkm support in
> my kernels for many reasons (security being one of
> them), but a lot of
> people do, so...
> --
> Regards,
> Tim Greer  chatmaster () charter net
> Server administration, security, programming,
> consulting.
>
>
> ----- Original Message -----
> From: "Daniel B. Cid" <danielcid () yahoo com br>
> To: <security-basics () securityfocus com>
> Sent: Thursday, July 31, 2003 1:18 PM
> Subject: Finding hidden backdoors
>
>
> > I saw some people talking about rootkits that
> hidden process/ports.
> > One think that i always do to see what ports are
> open is to run this
> > perl script:
> >
> >
> > use IO::Socket;
> > for($i=0;$i<=65555;$i++)
> >         {
> >         $server[$i] = IO::Socket::INET->new(
> >         Proto => 'tcp',
> >         LocalPort => $i,
> >         Listen => SOMAXCONN,
> >         Reuse => 1) or print "Port $i Open \n"
> unless $server[$i];
> >         close ($server[$i]);
> >         }
> >
> > This is good because if "netstat" or "lsof" or
> "fuser" or any other
> > program is trojaned , or if it has any firewall
> and nmap is not finding
> > all the open ports, this script will show ... The
> other benefit is that
> > you cant hidden from it using any LKM code...
> > What do you thing ?
> >
> > thanks
> >
> > Daniel B. Cid
--------------------------------------------------------------------------
> -
> >
--------------------------------------------------------------------------
> --
> >
---------------------------------------------------------------------------
>
----------------------------------------------------------------------------
> CAUTION: This email message and accompanying data
> may contain information that is confidential and/or
> subject to legal privilege. If you are not the
> intended recipient, you are notified that any use,
> dissemination, distribution or copying of this
> message or data is prohibited. If you have received
> this email message in error, please notify us
> immediately and erase all copies of this message and
> attachments. Thank you.
>
> This email is for your convenience only, you should
> not rely on any information contained herein for
> contractual or legal purposes. You should only rely
> on information and/or instructions in writing and on
> company letterhead signed by authorised persons.
>  

_______________________________________________________________________
Conheça o novo Cadê? - Mais rápido, mais fácil e mais preciso.
Toda a web, 42 milhões de páginas brasileiras e nova busca por imagens!
http://www.cade.com.br

---------------------------------------------------------------------------
----------------------------------------------------------------------------