Re: Linux Backdoor

From: smg (no@thankyou.com)
Date: 11/30/02


From: "smg" <no@thankyou.com>
Date: Sat, 30 Nov 2002 04:05:09 GMT


"Nicholas Johnson" <njohnson@csh.rit.edu> wrote in message
news:Pine.SOL.4.31.0211290123230.26146-100000@fury.csh.rit.edu...
>
> What should I look for if I think there is a backdoor installed on my box?

Hello

The advice about using "chkrootkit" is good. Try it out and see if it finds
anything on your system. . This will be the easiest approach and will catch
about 95% of all hacked systems, in my experience at least.

>From the outside looking in, you could also try using a port scanner to see
that
what ports are open/accepting connections and then compare them to the known
services you are running. This can be daunting for a newcomer but it tends
to be
an invaluable lesson, well worth the effort to investigate each port to
determine if
there are in fact "backdoors" open on your host. At the same time, you will
learn
lots about services and ports.

NMAP is a great portscanning tool and is relatively easy to use.

www.insecure.org/nmap

Good luck,
smg



Relevant Pages

  • Re: Have I been compromised? chkrootkit: "Warning: Possible LKM Trojan installed" - nmap:
    ... assuming netstat wasn't one of the programs ... listed there for port 1313 correspond to the PIDs chkproc spit out. ... all your services while you upgrade all the software that needs upgrading. ... > Every week or so I'll run chkrootkit, mostly just because I feel I ...
    (comp.os.linux.security)
  • Using SSH without raising questions
    ... I'm looking both for advice and pointers to advice ... My work email was ... default port 22. ... Will it notice that I've got the Bitvise SSH ...
    (comp.security.ssh)
  • Re: xorg 7.2 start problem
    ... port. ... Almost everybody reads UPDATING. ... them responsible because they did not advice you properly in time. ... And that is exactly the same thing with xorg, ipfw, /etc or anything which we ...
    (freebsd-stable)
  • Re: Disney Cruise, Kids, Transportation.....HELP!!!
    ... I see that the Disney buses offer service from our resort to ... the port and from the port to the airport for a low low rate of $70 per ... get a rental car for less than that and have it for the whole time. ...  Any advice? ...
    (rec.arts.disney.parks)
  • Re: chkrootkit infected ports 2881
    ... can re-image it for me which normally costs a fee. ... Chkrootkit is known to fall for quite a few false positive, for example if you run Portsentry or such anti-portscan demon, it also can detect legitimate services like dhcpd or such as sniffers, which isn't really incorrect but not a problem. ... Maybe the only way to know for sure would be scanning all traffic from another system regarding this port to see if anything suspicious can be spotted, and maybe running an integrity check with debsum or such on conf files, comparing the result with a backup from an earlier state or a known sane system. ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx with a subject of "unsubscribe". ...
    (Debian-User)