Security Incidents mailing list archives

Re: backdoor or bot?


From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Wed, 27 Dec 2000 12:42:59 -0800

On Wed, 27 Dec 2000, Robert van der Meulen wrote:

> Quoting Jon Lewis (jlewis () LEWIS ORG):
> >  Property of PainKeeper !  Use with extreme care...  ...incoming shell...
> > painkeeper login:
> > My guess is, this is a backdoor.
> My guess is it's an eggdrop bot :)
>
> Try to see if the process that bind()'s to that port also binds to some irc
> server - and if there are some bot-ish config files in the directory the
> process runs from (or files the process has opened)

This could be a bot, a DDoS "handler", or a remote shell.  You can't
tell by the prompt (and in fact the better ones are not so blatant as
to actually tell you that they are a login front-end, let alone what
it is!)  A guess is only that; a guess.  You need to decide based on
evidence.

The only way to tell for sure is to identify what the program is, using a
combination of things:

o Determine what program is bound to that port with "lsof"

o Get a "tcpdump" of all traffic to/from that system

o Get a copy of the binary and analyze it by tracing ("ltrace",
"strace", "ptrace", "trace", "truss", "gdb"...) or by disassembly

o If you can get a bit image copy of the hard drive partitions, you're
in an even better stance to analyze it.

For some techniques to use, see:

        http://staff.washington.edu/dittrich/misc/forensics/

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
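
The lsof step above, and Robert's suggestion to check whether the same
process also holds a connection to an IRC server, can be scripted. The
following is an added example and is not part of the original thread; it
works from "lsof -n -P -i" style output so that it can be tried offline.
The lsof lines, the process name "painkeepr", PID 4242, port 31337 and the
peer addresses are all constructed for illustration, not taken from the
incident; on a live host you would feed it the real output of
"lsof -n -P -i" run as root.

```shell
#!/bin/sh
# Added example, not code from the original thread. Correlates a suspicious
# TCP listener with the process that owns it and with that process's other
# network connections, parsing "lsof -n -P -i" output with awk.

# CONSTRUCTED sample output (not real incident data). PID 4242 listens on
# 31337 and also has an outbound connection to port 6667, the usual IRC
# port, which is the "bot-ish" pattern worth checking for. sshd and httpd
# are ordinary listeners included as noise.
SAMPLE_LSOF='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       811 root    3u  IPv4   1201      0t0  TCP *:22 (LISTEN)
painkeepr 4242 nobody  3u  IPv4   9932      0t0  TCP *:31337 (LISTEN)
painkeepr 4242 nobody  4u  IPv4   9940      0t0  TCP 10.0.0.5:1045->192.0.2.10:6667 (ESTABLISHED)
painkeepr 4242 nobody  5u  IPv4   9951      0t0  TCP 10.0.0.5:31337->198.51.100.7:2211 (ESTABLISHED)
httpd     1337 www     6u  IPv4   1400      0t0  TCP *:80 (LISTEN)'

# pid_listening_on PORT LSOF_OUTPUT
# Prints the PID of the first process with a TCP listener on PORT.
# In lsof output the NAME column is second to last on (LISTEN) lines.
pid_listening_on() {
    printf '%s\n' "$2" |
    awk -v p="$1" '$0 ~ /\(LISTEN\)/ && $(NF-1) ~ (":" p "$") { print $2; exit }'
}

# peer_connections PID LSOF_OUTPUT
# Prints the remote host:port of every established connection held by PID.
peer_connections() {
    printf '%s\n' "$2" |
    awk -v pid="$1" '$2 == pid && $(NF-1) ~ /->/ { split($(NF-1), a, "->"); print a[2] }'
}

# irc_peers PID LSOF_OUTPUT
# Filters peer_connections down to ports in the common IRC range
# (6660-6669 and 7000). A hit is a hint, not proof: verify with tcpdump.
irc_peers() {
    peer_connections "$1" "$2" |
    awk -F: '($NF >= 6660 && $NF <= 6669) || $NF == 7000'
}

# triage_port PORT LSOF_OUTPUT
# Human-readable summary: who owns the port, what else it talks to.
triage_port() {
    pid=$(pid_listening_on "$1" "$2")
    if [ -z "$pid" ]; then
        echo "no TCP listener on port $1"
        return 1
    fi
    echo "port $1 is held by PID $pid"
    echo "other peers of PID $pid:"
    peer_connections "$pid" "$2"
    irc=$(irc_peers "$pid" "$2")
    [ -n "$irc" ] && echo "IRC-looking peer(s): $irc -> bot suspected; next run: lsof -p $pid"
    return 0
}

# Run against the constructed sample.
triage_port 31337 "$SAMPLE_LSOF"
```

Once you have the PID, "lsof -p PID" lists its working directory and open
files (where eggdrop-style config files would show up), "tcpdump -n -s 0 -w
capture.pcap host <peer>" records the conversation with the suspected IRC
server for later analysis, and "strace -f -p PID" attaches a tracer to the
running process. The port-range filter only suggests IRC; the capture is
what confirms it.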
