Educause Security Discussion mailing list archives
Re: Rootkit discovery tools
From: Jeni Li <jeni.li () ASU EDU>
Date: Wed, 28 Jun 2006 11:56:23 -0700
> You know, I have always wondered why the hackers weren't smart enough to put a firewall on their backdoor ports so that they could only be accessed (or detected) from specific addresses owned by the hackers. (I.e. so we couldn't find them in a scan.)
Yah, but wouldn't that make them easier to track back to from a compromised machine? Knowing where they're coming from would make it easier to identify other work they have in progress, not to mention the flexibility they'd lose with the limitation... unless maybe they could make an initial ping (of some sort) using a spoofed IP in order to transmit the /real/ IP to allow traffic from. At a Blackhat several years ago, an attendee bent my ear for a while about a back door that required the owner to hit a series of different ports -- sort of like a combination lock -- and only then would it fire up the back door that actually listened for commands. I've never encountered anything like that, but the concept is intriguing. j
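Both ideas in the reply above (a backdoor that only answers a few known source addresses, and one that only opens after a combination-lock sequence of port hits) leave the same trace in a perimeter firewall's own logs: one source touches a handful of closed ports in quick succession and is then accepted on a port that normally answers nothing. The detector below is an added example, not code from the thread or from any list member; it runs over constructed iptables-style log lines embedded in the block, and the log format, the thresholds, the year used to parse syslog timestamps and the addresses are all assumptions.

```python
"""Flag firewall-log patterns that look like a port-knock sequence.

Heuristic: a single source whose ACCEPTed connection was preceded, within a
short window, by DROPs to several distinct ports.  A broad port scan followed
by a legitimate login would match too, so the number of knocked ports is
reported for the analyst to weigh.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an iptables-like syslog format (not from a real host).
SAMPLE_LOG = """\
Jun 28 11:50:01 host kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=7000
Jun 28 11:50:02 host kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=8000
Jun 28 11:50:03 host kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=9000
Jun 28 11:50:05 host kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=31337
Jun 28 11:52:10 host kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=5555 DPT=23
Jun 28 11:58:40 host kernel: ACCEPT IN=eth0 SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=5556 DPT=22
"""

# Assumed line layout: "<Mon DD HH:MM:SS> <host> kernel: <DROP|ACCEPT> ... SRC=<ip> ... DPT=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>DROP|ACCEPT) "
    r".*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)
LOG_YEAR = 2006  # syslog timestamps carry no year; this one is assumed


def parse_events(text):
    """Return a time-sorted list of (timestamp, action, src, dport) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["action"], m["src"], int(m["dpt"])))
    events.sort()
    return events


def detect_knock_sequences(text, min_knocks=3, window_seconds=30):
    """Find sources whose ACCEPT was preceded, within window_seconds, by DROPs
    to at least min_knocks distinct destination ports from the same source."""
    by_src = defaultdict(list)
    for ev in parse_events(text):
        by_src[ev[2]].append(ev)

    window = timedelta(seconds=window_seconds)
    findings = []
    for src, evs in by_src.items():
        for i, (ts, action, _, dport) in enumerate(evs):
            if action != "ACCEPT":
                continue
            # Distinct ports this source was dropped on shortly before the accept.
            knocked = []
            for prev_ts, prev_action, _, prev_port in evs[:i]:
                if (prev_action == "DROP" and ts - prev_ts <= window
                        and prev_port not in knocked):
                    knocked.append(prev_port)
            if len(knocked) >= min_knocks:
                findings.append({
                    "src": src,
                    "accepted_at": ts,
                    "accepted_port": dport,
                    "knocked_ports": knocked,
                })
    return findings


if __name__ == "__main__":
    for f in detect_knock_sequences(SAMPLE_LOG):
        print(f"{f['src']} knocked {f['knocked_ports']} then was accepted "
              f"on {f['accepted_port']} at {f['accepted_at']:%H:%M:%S}")
```

On the constructed sample, 203.0.113.7 is flagged (three dropped ports, then an accept on 31337 within four seconds) while 192.0.2.9 is not (one drop, six minutes before an ordinary accept). The approach only works if the firewall actually logs drops to closed ports with the source address and destination port; a host that logs only accepts would show the final connection but not the knocks. Note the other half of the reply's point still stands: a backdoor restricted to a few source addresses will never show up in an external scan, so correlating a host's local listening sockets with what the scanner sees from outside is the complementary check.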