Finding hidden backdoors

From: Daniel B. Cid (danielcid_at_yahoo.com.br)
Date: 07/31/03

  • Next message: Alcides Ricardo Martinez: "RE: Encrypted File Systems"
    To: security-basics@securityfocus.com
    Date: 31 Jul 2003 16:18:46 -0400
    
    

    I saw some people talking about rootkits that hidden process/ports.
    One think that i always do to see what ports are open is to run this
    perl script:

    use IO::Socket;
    for($i=0;$i<=65555;$i++)
            {
            $server[$i] = IO::Socket::INET->new(
            Proto => 'tcp',
            LocalPort => $i,
            Listen => SOMAXCONN,
            Reuse => 1) or print "Port $i Open \n" unless $server[$i];
            close ($server[$i]);
            }

    This is good because if "netstat" or "lsof" or "fuser" or any other
    program is trojaned , or if it has any firewall and nmap is not finding
    all the open ports, this script will show ... The other benefit is that
    you cant hidden from it using any LKM code...
    What do you thing ?

    thanks

    Daniel B. Cid

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------


  • Next message: Alcides Ricardo Martinez: "RE: Encrypted File Systems"