Re: Finding hidden backdoors

From: Daniel Cid (danielcid_at_yahoo.com.br)
Date: 08/01/03

  • Next message: Matt Simmons: "Re: Finding hidden backdoors"

    Date: Fri, 1 Aug 2003 03:13:28 -0300 (ART)
    To: Tim Greer <chatmaster@charter.net>, security-basics@securityfocus.com

    I don't agree with you.
    First of all, using this method (trying to bind all
    ports) you will discover what ports are open. It doesn't
    matter if it has a firewall or anything else. I didn't
    get your point.
    Second, I do this on third-party machines. Not mine :)
    And almost all of them run with LKM support.

    And an LKM can hide processes/ports from clean binaries...

    --
    Daniel B. Cid
    > --- Tim Greer <chatmaster@charter.net> wrote:
    > The backdoor could easily only accept connections from non-local
    > sources, or a specific source.  It's probably easier to just run
    > netstat, lsof, etc. from clean, trusted media... or also boot into
    > single user mode from a trusted kernel image.  In fact, you should
    > always have trusted kernel images on the server anyway, for purposes
    > of being able to boot if the other image is corrupted or modified.
    > As for LKM, I don't compile with LKM support in my kernels for many
    > reasons (security being one of them), but a lot of people do, so...
    > --
    > Regards,
    > Tim Greer  chatmaster@charter.net
    > Server administration, security, programming, consulting.
    > 
    > 
    > ----- Original Message -----
    > From: "Daniel B. Cid" <danielcid@yahoo.com.br>
    > To: <security-basics@securityfocus.com>
    > Sent: Thursday, July 31, 2003 1:18 PM
    > Subject: Finding hidden backdoors
    > 
    > 
    > > I saw some people talking about rootkits that hide
    > > processes/ports. One thing that I always do to see what ports
    > > are open is to run this Perl script:
    > >
    > >
    > > use strict;
    > > use warnings;
    > > use IO::Socket;
    > >
    > > # Port 0 is never probed: binding it only asks the kernel for an
    > > # ephemeral port. 65535 is the last valid TCP port. Run as root,
    > > # otherwise ports below 1024 fail with EACCES rather than because
    > > # something holds them; $! shows which error it was.
    > > for my $port (1 .. 65535) {
    > >     my $server = IO::Socket::INET->new(
    > >         Proto     => 'tcp',
    > >         LocalPort => $port,
    > >         Listen    => SOMAXCONN,
    > >         Reuse     => 1,
    > >     );
    > >     # a failed bind() means some socket already holds the port
    > >     if ($server) { close($server) } else { print "Port $port Open ($!)\n" }
    > > }
    > >
    > > This is good because if "netstat" or "lsof" or "fuser" or any
    > > other program is trojaned, or if there is a firewall and nmap is
    > > not finding all the open ports, this script will show them... The
    > > other benefit is that you can't hide from it using any LKM code...
    > > What do you think?
    > >
    > > thanks
    > >
    > > Daniel B. Cid
    > >
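The technique argued over in this thread, as an added example that is not code from either poster: a bind() probe over the TCP port range, with the comparison a practitioner actually wants, namely ports that refuse a bind but are missing from the kernel's own socket table (/proc/net/tcp on Linux, the file netstat and lsof read). The function names, the self-check and the /proc/net/tcp excerpt below are constructed for this example; the column layout of /proc/net/tcp is the real one.

```python
"""Bind-probe for TCP ports hidden from netstat/lsof.

Added example, not the code from the original post. It re-implements the
idea of the Perl script in Python and adds the comparison a practitioner
wants: ports that refuse a bind() but are missing from the kernel's own
socket table (/proc/net/tcp, the file netstat and lsof read on Linux).
A rootkit that filters that file cannot make the port free for bind().
Function names and the sample /proc/net/tcp contents below are constructed.
"""
import errno
import socket
import sys


def port_is_bound(port, reuse=True):
    """True if some socket already holds TCP `port`, False if bind() worked,
    None if the kernel refused for another reason (EACCES below 1024 when
    not root). SO_REUSEADDR mirrors the Perl script's Reuse => 1: on Linux
    it lets TIME_WAIT leftovers pass while a LISTEN socket still conflicts."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if reuse:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("0.0.0.0", port))  # wildcard collides with any local address
        return False
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True
        if e.errno == errno.EACCES:
            return None
        raise
    finally:
        s.close()


def bind_scan(first=1, last=65535):
    """Set of ports in [first, last] that refuse a bind. Port 0 is skipped:
    binding it asks for an ephemeral port and always succeeds."""
    return {p for p in range(max(first, 1), min(last, 65535) + 1)
            if port_is_bound(p) is True}


def parse_proc_net_tcp(text, listen_only=True):
    """Local ports from /proc/net/tcp or /proc/net/tcp6 contents.
    Columns: sl local_address rem_address st ...; local_address is
    hex-IP:hex-port and st 0A is TCP_LISTEN. With listen_only=False every
    socket in the table counts, which is what explains a bind() conflict."""
    ports = set()
    for line in text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) >= 4 and (fields[3] == "0A" or not listen_only):
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def kernel_ports(listen_only=True):
    """What a clean netstat would report, read straight from procfs
    (empty on systems without /proc/net/tcp)."""
    ports = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                ports |= parse_proc_net_tcp(fh.read(), listen_only)
        except OSError:
            pass
    return ports


def hidden_ports(bound, reported):
    """Ports the bind probe found in use that the socket table omits."""
    return sorted(bound - reported)


def self_check():
    """Open a throwaway loopback listener and confirm the probe sees it.
    Returns (port, seen_by_probe)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        return port, port in bind_scan(port, port)
    finally:
        srv.close()


# Constructed /proc/net/tcp excerpt: a listener on 0.0.0.0:22 (0x16), one on
# 127.0.0.1:25 (0x19), and one ESTABLISHED (st 01) client socket on 0xA1B2.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A1B2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""


if __name__ == "__main__":
    args = sys.argv[1:3]
    lo = int(args[0]) if args else 1
    hi = int(args[1]) if len(args) > 1 else 65535
    print("self-check (loopback listener seen by probe):", self_check())
    bound = bind_scan(lo, hi)
    print("in use according to bind():", sorted(bound))
    for p in hidden_ports(bound, kernel_ports(listen_only=False)):
        print(f"port {p}: refuses bind() but is absent from /proc/net/tcp")
```

Run it as root (ports below 1024 otherwise return None and are skipped) and, as Tim suggests for netstat, preferably from a trusted boot. Two limits of the method are worth keeping in mind: a kernel module that hooks the bind path can just as well report EADDRINUSE or success as it pleases, so a bind probe only beats a rootkit that filters /proc and the netstat binaries but leaves the socket syscalls alone; and a backdoor that beacons outward or sniffs traffic never binds a port at all, so no listener enumeration of any kind will show it.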