RE: Finding hidden backdoors
From: Michael Silk (michaels_at_phg.com.au)
Date: 08/01/03
- Previous message: BIll Phillips: "Re: Security/Firewall question"
- Maybe in reply to: Daniel B. Cid: "Finding hidden backdoors"
- Next in thread: Daniel Cid: "RE: Finding hidden backdoors"
- Reply: Daniel Cid: "RE: Finding hidden backdoors"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 1 Aug 2003 10:06:53 +1000
To: "Tim Greer" <chatmaster@charter.net>, "Daniel B. Cid" <danielcid@yahoo.com.br>, <security-basics@securityfocus.com>
Well, backdoors don't always have to have a port open waiting
for connections; one such different variation could be:
- backdoor runs every X o'clock, connecting to a website
to receive its malicious commands ... hence it will
just look like a simple HTTP browsing session and
will probably be unnoticed.
A simple port search wouldn't pick that up :)
-- Michael
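The bind-every-port check from Daniel's Perl script quoted further down, reimplemented as an added Python example (not code from any of the posters). Unlike the original, it separates a port that is genuinely held (EADDRINUSE) from a privileged port an unprivileged caller is simply not allowed to bind (EACCES), which the original would report as open; the function names probe_port and scan are this example's own.

```python
import errno
import socket
import sys


def probe_port(port, host="0.0.0.0"):
    """Try to bind and listen on TCP `port`, the check the quoted Perl script does.

    Returns "in-use" when bind fails with EADDRINUSE (something already holds the
    port, which the script reports as "Open"), "denied" when it fails with EACCES
    (a privileged port and we are not root, which the script would misreport as
    open), "free" when the bind succeeded, or "error:<name>" for anything else.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # SO_REUSEADDR is deliberately left off: a LISTEN socket conflicts with
        # our bind either way, but without it sockets lingering in TIME_WAIT also
        # block us, so confirm an "in-use" hit before calling it a listener.
        s.bind((host, port))
        s.listen(1)
        return "free"
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return "in-use"
        if e.errno == errno.EACCES:
            return "denied"
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()  # release the port again whether or not the bind worked


def scan(ports, host="0.0.0.0"):
    """Probe every port in `ports`; return {port: status} for the non-free ones."""
    held = {}
    for port in ports:
        status = probe_port(port, host)
        if status != "free":
            held[port] = status
    return held


if __name__ == "__main__":
    # Usage: python bindscan.py [first_port last_port]; defaults to 1-65535.
    first, last = (int(sys.argv[1]), int(sys.argv[2])) if len(sys.argv) == 3 else (1, 65535)
    for port, status in sorted(scan(range(first, last + 1)).items()):
        print(f"Port {port}: {status}")
```

Run it from trusted media as Tim suggests and compare the in-use list with what netstat or lsof report: a port the kernel refuses to hand out but no tool lists is the discrepancy worth investigating.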
-----Original Message-----
From: Tim Greer [mailto:chatmaster@charter.net]
Sent: Friday, 1 August 2003 8:26 AM
To: Daniel B. Cid; security-basics@securityfocus.com
Subject: Re: Finding hidden backdoors
The backdoor could easily only accept connections from non-local sources, or
a specific source. It's probably easier to just run netstat, lsof, etc.
from clean, trusted media... or also boot into single user mode from a
trusted kernel image. In fact, you should always have trusted kernel images
on the server anyway, for purposes of being able to boot if the other image
is corrupted or modified. As for LKM, I don't compile with LKM support in
my kernels for many reasons (security being one of them), but a lot of
people do, so...
--
Regards,
Tim Greer chatmaster@charter.net
Server administration, security, programming, consulting.
----- Original Message -----
From: "Daniel B. Cid" <danielcid@yahoo.com.br>
To: <security-basics@securityfocus.com>
Sent: Thursday, July 31, 2003 1:18 PM
Subject: Finding hidden backdoors
> I saw some people talking about rootkits that hide processes/ports.
> One thing that I always do to see what ports are open is to run this
> perl script:
>
> use strict;
> use warnings;
> use IO::Socket;
>
> # Try to bind a listening socket on every TCP port; a port that cannot be
> # bound is already held by something (or is privileged and we are not root).
> my @server;
> for (my $i = 0; $i <= 65535; $i++)   # TCP ports only go up to 65535
> {
>     $server[$i] = IO::Socket::INET->new(
>         Proto     => 'tcp',
>         LocalPort => $i,
>         Listen    => SOMAXCONN,
>         Reuse     => 1);
>     if (!$server[$i]) {
>         print "Port $i Open ($!)\n";   # $! tells why: EADDRINUSE vs EACCES
>         next;
>     }
>     close($server[$i]);               # free the port again
> }
>
> This is good because if "netstat" or "lsof" or "fuser" or any other
> program is trojaned, or if there is a firewall and nmap is not finding
> all the open ports, this script will show ... The other benefit is that
> you can't hide from it using any LKM code...
> What do you think?
>
> thanks
>
> Daniel B. Cid