Re: Finding hidden backdoors

[Matt Simmons <matts () wirefire com>]

I think it doesn't work right unless you've got root access ;-) 
"Why are my first 1024 ports open???" "oh yea, duh" 
Nice script :) Thanks! 

Matt Simmons
Network Administrator
Wirefire Internet Services

On Thursday 31 July 2003 04:18 pm, Daniel B. Cid wrote:
> I saw some people talking about rootkits that hidden process/ports.
> One think that i always do to see what ports are open is to run this
> perl script:
>
>
> use IO::Socket;
> for($i=0;$i<=65555;$i++)
>         {
>         $server[$i] = IO::Socket::INET->new(
>         Proto => 'tcp',
>         LocalPort => $i,
>         Listen => SOMAXCONN,
>         Reuse => 1) or print "Port $i Open \n" unless $server[$i];
>         close ($server[$i]);
>         }
>
> This is good because if "netstat" or "lsof" or "fuser" or any other
> program is trojaned , or if it has any firewall and nmap is not finding
> all the open ports, this script will show ... The other benefit is that
> you cant hidden from it using any LKM code...
> What do you thing ?
>
> thanks
>
> Daniel B. Cid
>
>
>
>
>
>
> ---------------------------------------------------------------------------
> ---------------------------------------------------------------------------
> -


---------------------------------------------------------------------------
----------------------------------------------------------------------------