Re: Finding hidden backdoors

From: Simon Smith
Date: 08/04/03

  • Next message: Justin Pryzby: "Links for FAQ"
    Date: Mon, 04 Aug 2003 00:30:53 -0700
    To: "Daniel B. Cid" <>,

    Another thing that you could do is simply to first validate the
    MD5s on the binaries that "might" be affected. If your checksums are off
    then you know you've got an issue. If you do not trust your md5sum binary,
    then download a new one from the web. Sure you can write your own code to
    check for back doors, but why re-invent the wheel when you can just ftp good
    code out? Furthermore, I think that the basic idea is to not get
    compromised. One thing that we recommend to all of our clients is
    quarterly security audits by a third party. The third party aspect of that
    is critical as people often can't check their own work and find flaws that
    they didn't know about...

    At any rate, that's my two cents.

    At 04:18 PM 7/31/2003 -0400, Daniel B. Cid wrote:
    >I saw some people talking about rootkits that hide processes/ports.
    >One thing that I always do to see what ports are open is to run this
    >perl script:
    >use IO::Socket;
    ># Loop header restored (the range is an assumption: all TCP ports).
    ># Binding ports below 1024 needs root; a failed bind means the port is taken.
    >for my $i (1..65535) {
    >    my $server = IO::Socket::INET->new(
    >        Proto     => 'tcp',
    >        LocalPort => $i,
    >        Listen    => SOMAXCONN,
    >        Reuse     => 1);
    >    if ($server) {
    >        close($server);            # we got the port, so nothing was listening
    >    } else {
    >        print "Port $i Open\n";    # bind refused: something already owns it
    >    }
    >}
    >This is good because if "netstat" or "lsof" or "fuser" or any other
    >program is trojaned, or if it has any firewall and nmap is not finding
    >all the open ports, this script will show ... The other benefit is that
    >you can't hide from it using any LKM code...
    >What do you think?
    >Daniel B. Cid

    Adriel T Desautels
    Secure Network Operations, Inc.
    DID: 978-263-3829 CELL: 978-790-6901
    SECNETOPS "Embracing the future of technology, protecting you."
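The two checks this message discusses, validating binaries against a known-good hash manifest and finding listeners by trying to bind every port, as an added Python example that is code from neither poster. The manifest format (the two-space "digest  path" layout md5sum writes), the file names, and the /proc/net/tcp sample are constructed here; the bind check is compared against the kernel's own socket table so that a port owned by a socket that does not appear in that table stands out, which is the discrepancy a rootkit hiding a listener would produce. The demo functions build their own inputs so the example runs offline.

```python
import hashlib
import socket
import tempfile
from pathlib import Path


def verify_manifest(manifest_text, root=".", algorithm="md5"):
    """Check files under root against a manifest of '<hexdigest>  <relative path>' lines.

    The manifest is assumed to have been produced on a clean system and kept off-box.
    Returns {path: "ok" | "MISMATCH" | "MISSING"}.
    """
    results = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        expected, _, rel = line.partition("  ")
        path = Path(root) / rel
        if not path.is_file():
            results[rel] = "MISSING"
            continue
        h = hashlib.new(algorithm)
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        results[rel] = "ok" if h.hexdigest() == expected.lower() else "MISMATCH"
    return results


def port_bind_status(ports, host="0.0.0.0"):
    """Try to bind each port; a refused bind means some socket already owns it.

    Returns {port: "busy" | "free" | "no-permission"}. Ports below 1024 need root,
    so a non-root run reports them as "no-permission" instead of guessing.
    """
    status = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
            status[port] = "free"
        except PermissionError:
            status[port] = "no-permission"
        except OSError:
            status[port] = "busy"
        finally:
            s.close()
    return status


def proc_local_ports(proc_tcp_text, states=None):
    """Parse /proc/net/tcp (hex local_address:port, hex state; 0A is LISTEN).

    With states=None every local port in any state is returned, which is the set
    of ports the kernel admits to; pass {"0A"} for listeners only.
    """
    ports = set()
    for line in proc_tcp_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if states is None or state in states:
            ports.add(int(local.rsplit(":", 1)[1], 16))
    return ports


def unexplained_busy_ports(bind_status, proc_tcp_text):
    """Ports that refused a bind but appear nowhere in the socket table."""
    accounted = proc_local_ports(proc_tcp_text)
    return sorted(p for p, st in bind_status.items() if st == "busy" and p not in accounted)


# Constructed /proc/net/tcp excerpt: sshd listening on 22, a listener on 3306,
# and one established connection from local port 40000 (0x9C40).
SAMPLE_PROC_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:9C40 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""


def demo_manifest_check():
    """Constructed demo: hash two fake binaries, tamper with one, list a third that is gone."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ls").write_bytes(b"good ls binary (constructed)")
        (root / "ps").write_bytes(b"good ps binary (constructed)")
        manifest = "".join(
            f"{hashlib.md5((root / n).read_bytes()).hexdigest()}  {n}\n" for n in ("ls", "ps")
        ) + "0" * 32 + "  netstat\n"
        (root / "ps").write_bytes(b"trojaned ps binary (constructed)")
        return verify_manifest(manifest, root)


def demo_bind_check():
    """Constructed demo: open a loopback listener, confirm the bind probe flags its port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        return port, port_bind_status([port], host="127.0.0.1")
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo_manifest_check())
    print(demo_bind_check())
    print(unexplained_busy_ports({22: "busy", 3306: "busy", 4444: "busy"}, SAMPLE_PROC_TCP))
```

The bind probe has the same blind spot as the Perl script: a port held by an outgoing connection also refuses the bind, so "busy" is not the same as "listening". Subtracting every port the kernel table admits to, in any state, removes that noise and leaves only ports that are owned by something the table does not show, which is the case worth investigating.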
