Security Incidents mailing list archives
Re: "closed-port" backdoors
From: Andreas Hasenack <andreas () CONECTIVA COM BR>
Date: Thu, 22 Mar 2001 13:09:40 -0300
On Thu, Mar 22, 2001 at 10:00:16AM -0500, Valdis.Kletnieks () vt edu wrote:
> Note that the backdoor would need to have at least one of the following:
> 1) A pending listen() on the 3 other ports involved.
> 2) A wildcard listen() unbound to a port.
> 3) A packet filter/sniffer active on an interface.

4) A raw socket

> Otherwise, it won't see the 3 SYN packets.
It will with a raw socket. portsentry works this way. lsof and netstat show an open raw socket, and lsof shows the process. This would require a trojaned lsof/netstat to be hidden. I was thinking of ways to check for rootkits that use LKM, and remote port scanning was one, but if this kind of backdoor is in place, then not even nmap will show anything unusual. Either some trick would be needed to trigger some kind of response from an installed LKM, or the machine would have to be rebooted from a clean kernel. Someone suggested exporting stuff via NFS and running MD5 on it to check for modified binaries; some LKM might not check that. I don't know.
> If I've overlooked a means to see a packet, feel free to add - I'm not fully caffeinated yet. ;)
Hehe, just had my cup of coffee... :)
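The raw-socket mechanism discussed above, as an added example that is not code from the thread, from portsentry, or from any real backdoor: a process holding socket(AF_INET, SOCK_RAW, IPPROTO_TCP) receives every TCP segment the host sees, including SYNs to ports with no listener, so a scanner gets a plain RST for those ports while the process still matches a fixed three-SYN sequence. The trigger ports (1111, 2222, 3333), the 192.0.2.x source addresses and the hand-built packets are constructed assumptions for the offline demo; the live mode needs root.

```c
/* Added example, not from the thread: parse raw IPv4/TCP frames and match a
 * three-SYN "knock" sequence.  The ports and addresses below are assumed. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define KNOCK_LEN 3
/* Assumed trigger sequence; nothing listens on these ports. */
static const uint16_t knock_ports[KNOCK_LEN] = {1111, 2222, 3333};

struct knock_state {
    uint32_t src;   /* source address of the sequence in progress (network order) */
    int      stage; /* ports of the sequence matched so far */
};

/* Parse an IPv4 packet carrying TCP from the bytes (no libc header structs,
 * so it is the same on every platform).  Returns 1 and fills src/dport only
 * for a bare SYN (SYN set, ACK clear); everything else returns 0. */
static int parse_syn(const uint8_t *pkt, size_t len, uint32_t *src, uint16_t *dport)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;       /* IPv4 only */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20) return 0;           /* need a full TCP header */
    if (pkt[9] != IPPROTO_TCP) return 0;
    const uint8_t *tcp = pkt + ihl;
    if ((tcp[13] & 0x12) != 0x02) return 0;             /* SYN without ACK */
    memcpy(src, pkt + 12, 4);
    *dport = (uint16_t)((tcp[2] << 8) | tcp[3]);
    return 1;
}

/* Feed one packet to the state machine.  Returns 1 when all three ports have
 * been hit in order by one source: the point at which a backdoor would act.
 * A SYN from another host resets the sequence; a SYN to the first port
 * restarts it. */
static int knock_feed(struct knock_state *st, const uint8_t *pkt, size_t len)
{
    uint32_t src; uint16_t dport;
    if (!parse_syn(pkt, len, &src, &dport)) return 0;
    if (st->stage > 0 && src != st->src) st->stage = 0;
    if (dport == knock_ports[st->stage]) {
        st->src = src;
        if (++st->stage == KNOCK_LEN) { st->stage = 0; return 1; }
    } else {
        st->stage = (dport == knock_ports[0]) ? 1 : 0;
        if (st->stage) st->src = src;
    }
    return 0;
}

/* Build a 40-byte IPv4/TCP packet (constructed test input, checksums left
 * zero; it is only ever fed to the parser, never sent). */
static size_t build_tcp(uint8_t *buf, uint32_t src_nbo, uint16_t dport, uint8_t flags)
{
    uint32_t dst = htonl(0x0a000001);                   /* 10.0.0.1, assumed target */
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[3] = 40; buf[8] = 64; buf[9] = IPPROTO_TCP;
    memcpy(buf + 12, &src_nbo, 4);
    memcpy(buf + 16, &dst, 4);
    buf[20] = 0xc3; buf[21] = 0x50;                     /* sport 50000 */
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)(dport & 0xff);
    buf[32] = 0x50; buf[33] = flags;                    /* data offset 5, flags */
    return 40;
}

/* Offline demo: the right order from 192.0.2.10 fires once; a SYN-ACK to the
 * second port is ignored and a SYN from 192.0.2.11 resets the sequence. */
static int demo_sequence(void)
{
    struct knock_state st = {0, 0};
    uint8_t pkt[40];
    uint32_t a = htonl(0xc000020a), b = htonl(0xc000020b);
    int fires = 0;
    fires += knock_feed(&st, pkt, build_tcp(pkt, a, 1111, 0x02));
    fires += knock_feed(&st, pkt, build_tcp(pkt, a, 2222, 0x12));  /* SYN-ACK */
    fires += knock_feed(&st, pkt, build_tcp(pkt, a, 2222, 0x02));
    fires += knock_feed(&st, pkt, build_tcp(pkt, b, 3333, 0x02));  /* other host */
    fires += knock_feed(&st, pkt, build_tcp(pkt, a, 1111, 0x02));
    fires += knock_feed(&st, pkt, build_tcp(pkt, a, 2222, 0x02));
    fires += knock_feed(&st, pkt, build_tcp(pkt, a, 3333, 0x02));
    return fires;
}

/* Same ports in the wrong order must never fire. */
static int demo_wrong_order(void)
{
    struct knock_state st = {0, 0};
    uint8_t pkt[40];
    uint32_t a = htonl(0xc000020a);
    int fires = 0;
    fires += knock_feed(&st, pkt, build_tcp(pkt, a, 1111, 0x02));
    fires += knock_feed(&st, pkt, build_tcp(pkt, a, 3333, 0x02));
    fires += knock_feed(&st, pkt, build_tcp(pkt, a, 2222, 0x02));
    return fires;
}

/* Live mode: on Linux a raw IPPROTO_TCP socket delivers each TCP segment with
 * its IP header, listener or not.  Needs CAP_NET_RAW; returns -1 without it. */
static int run_live(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (fd < 0) return -1;
    struct knock_state st = {0, 0};
    uint8_t buf[65535];
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n <= 0) break;
        if (knock_feed(&st, buf, (size_t)n)) puts("knock sequence seen");
    }
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    printf("offline demo: fired %d time(s), wrong order %d\n", demo_sequence(), demo_wrong_order());
    if (argc > 1 && strcmp(argv[1], "live") == 0 && run_live() < 0)
        puts("raw socket unavailable (need root)");
    return 0;
}
```

Run it without arguments for the offline demo, or as root with `live` to watch real traffic. While the live mode runs, `cat /proc/net/raw`, `netstat --raw -a` and `lsof -i` all list the raw socket, which is the visibility Andreas points out; nmap against the three ports still reports them closed.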
Current thread:
- "closed-port" backdoors Andreas Hasenack (Mar 21)
- Virus sig? John R. Sciandra (Mar 22)
- Re: "closed-port" backdoors Alexander Reelsen (Mar 22)
- Re: "closed-port" backdoors Fernando Cardoso (Mar 22)
- Re: "closed-port" backdoors Valdis Kletnieks (Mar 22)
- Re: "closed-port" backdoors Andreas Hasenack (Mar 22)
- Re: "closed-port" backdoors Joe Boyle (Mar 22)
- <Possible follow-ups>
- Re: "closed-port" backdoors Frank Knobbe (Mar 22)
- Re: "closed-port" backdoors Andreas Hasenack (Mar 22)
- Re: "closed-port" backdoors M ixter (Mar 23)