Security Incidents mailing list archives
Re: backdoor or bot?
From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Wed, 27 Dec 2000 12:42:59 -0800
On Wed, 27 Dec 2000, Robert van der Meulen wrote:
> Quoting Jon Lewis (jlewis () LEWIS ORG):
> > Property of PainKeeper ! Use with extreme care...
> > ...incoming shell...
> > painkeeper login:
> >
> > My guess is, this is a backdoor.
>
> My guess is it's an eggdrop bot :)
> Try to see if the process that bind()'s to that port also binds to some irc
> server - and if there are some bot-ish config files in the directory the
> process runs from (or files the process has opened)
This could be a bot, a DDoS "handler", or a remote shell. You can't tell by the prompt (and in fact the better ones are not so blatant as to actually tell you that they are a login front-end, let alone what it is!) A guess is only that; a guess. You need to decide based on evidence. The only way to tell for sure is to identify what program is a combination of things:

o Determine what program is bound to that port with "lsof"
o Get a "tcpdump" of all traffic to/from that system
o Get a copy of the binary and analyze it by tracing ("ltrace", "strace", "ptrace", "trace", "truss", "gdb"...) or by disassembly
o If you can get a bit image copy of the hard drive partitions, you're in even a better stance to analyze it.

For some techniques to use, see:

http://staff.washington.edu/dittrich/misc/forensics/

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu           Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
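The first-pass triage Dave lists (find the process bound to the port, record what it has open and who it talks to, preserve the binary for later tracing or disassembly) can be scripted so the evidence is collected consistently before anyone touches the box further. The script below is an added example written for this archive page; it is not code from the thread or from Dave's forensics page. It assumes a Linux host with lsof, ps, tcpdump and sha256sum installed, and the lsof output, port 31337, PID 4242 and IRC peer address in it are constructed sample data for the offline parser check. The live functions only run when a port is passed on the command line.

```shell
#!/bin/sh
# Added example, not from the original thread. Triage of an unknown listener:
# identify the owning process from lsof output, list its established peers
# (Robert's "does it also connect to an IRC server?" check), and preserve
# the binary and open-file list for later tracing/disassembly.
# Assumes Linux with lsof, ps, tcpdump, sha256sum (assumption, not from the page).

# Constructed sample of "lsof -nP -iTCP" output; port, PID and peer are made up.
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
painkeep 4242 nobody  4u  IPv4  23456      0t0  TCP *:31337 (LISTEN)
painkeep 4242 nobody  5u  IPv4  23457      0t0  TCP 10.0.0.5:41000->198.51.100.7:6667 (ESTABLISHED)
EOF
}

# Read lsof -i output on stdin; print the PID(s) of processes LISTENing on $1.
# Anchors the port match so 3133 does not match 31337.
listener_pids() {
    awk -v p="$1" 'NR > 1 && $9 ~ (":" p "$") && $10 ~ /LISTEN/ { print $2 }' | sort -u
}

# Read lsof -i output on stdin; print remote peers of ESTABLISHED sockets
# owned by PID $1 (one "host:port" per line). A peer on an IRC port is a
# strong hint toward the eggdrop theory; a fan-out to many hosts toward a handler.
remote_peers() {
    awk -v pid="$1" '$2 == pid && $10 ~ /ESTABLISHED/ { n = split($9, a, "->"); print a[n] }' | sort -u
}

# Preserve what can be read from /proc before the process is stopped:
# the running image (even if the file on disk was unlinked), cwd, argv,
# and every open file. Hash the copy so later analysis refers to one artifact.
collect_evidence() {
    pid="$1"; outdir="$2"
    mkdir -p "$outdir"
    ps -p "$pid" -o pid,ppid,user,lstart,etime,args > "$outdir/ps.txt"
    ls -l "/proc/$pid/exe" "/proc/$pid/cwd" > "$outdir/paths.txt" 2>&1
    tr '\0' ' ' < "/proc/$pid/cmdline" > "$outdir/cmdline.txt"
    cp "/proc/$pid/exe" "$outdir/binary.bin"
    lsof -nP -p "$pid" > "$outdir/open-files.txt" 2>/dev/null
    sha256sum "$outdir/binary.bin" > "$outdir/binary.sha256"
    cat "$outdir/binary.sha256"
}

# Capture a bounded number of packets to/from the suspect port into a pcap
# for offline review (tcpdump -c keeps this from running unattended forever).
capture_traffic() {
    iface="$1"; port="$2"; outdir="$3"; count="${4:-2000}"
    tcpdump -nn -i "$iface" -s 0 -c "$count" -w "$outdir/port-$port.pcap" "port $port"
}

# Usage: triage.sh <port> [iface] [outdir]
# Without arguments, demonstrate the parsers on the constructed sample.
if [ "$#" -ge 1 ]; then
    port="$1"; iface="${2:-eth0}"; outdir="${3:-./triage-$port}"
    for pid in $(lsof -nP -iTCP:"$port" -sTCP:LISTEN | listener_pids "$port"); do
        echo "port $port is owned by pid $pid"
        lsof -nP -p "$pid" | remote_peers "$pid"
        collect_evidence "$pid" "$outdir/$pid"
    done
    capture_traffic "$iface" "$port" "$outdir"
else
    echo "sample: pid on 31337 = $(sample_lsof | listener_pids 31337)"
    echo "sample: peers of 4242 = $(sample_lsof | remote_peers 4242)"
fi
```

The parser functions take lsof output on stdin rather than calling lsof themselves, so the same logic can be checked against saved output from the compromised host or against the constructed sample above, and the collection step runs only after a PID has been confirmed. Stopping or killing the process before copying /proc/PID/exe loses the running image if the backdoor deleted its own file, which is why the copy comes before any containment.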
Current thread:
- backdoor or bot? Jon Lewis (Dec 27)
- Re: backdoor or bot? Robert van der Meulen (Dec 27)
- Re: backdoor or bot? Dave Dittrich (Dec 27)
- Re: backdoor or bot? Daniel Wittenberg (Dec 27)
- Re: backdoor or bot? Aviram Jenik (Dec 27)
- Re: backdoor or bot? Mark Symonds (Dec 28)
- Re: backdoor or bot? George Milliken (Dec 28)
- Re: backdoor or bot? Mark Collins (Dec 28)
- <Possible follow-ups>
- Re: backdoor or bot? Jon Lewis (Dec 27)
- Re: backdoor or bot? Patrick Oonk (Dec 28)
- Re: backdoor or bot? Calhoun, Heath (Dec 27)
- Re: backdoor or bot? Robert van der Meulen (Dec 27)