Security Incidents mailing list archives
Re: "closed-port" backdoors
From: M ixter <mixter () 2XS CO IL>
Date: Wed, 23 Feb 2000 20:35:11 +0100
Fernando Cardoso wrote:
> Mixter's Q does the job quite nicely. The daemon can be activated via raw IP. You don't have to send any SYN packets. The drawback is that it only works on systems that can handle raw IP, so forget about Solaris and some flavours of BSD. I've tried it on Linux and it works very well.

If I'm not mistaken, Libnet API works pretty much everywhere, and it wouldn't be a problem porting programs like Q or TFN from plain raw sockets to Libnet API. Q/Q2 is usable, but more POC than application, so I didn't make the effort to port it. If there are problems with Libnet, one could at least use pcap on Solaris or BSD systems for a passive-listening tool.

Also, there don't have to be obvious effects of a remote "raw" command, such as opening a local port. Probably the simplest application would be a message-decrypting pcap application that listens to all protocols and just executes anything encrypted with the right key, using system()...

Mixter

------------------------------
2XS Ltd. http://www.2xss.com
mixter () 2xs co il
http://mixter.warrior2k.com or http://mixter.void.ru
------------------------------
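The passive pcap listener Mixter describes ("listens to all protocols", no open port) still leaves a host-side footprint on Linux: an AF_PACKET socket bound to ETH_P_ALL, which shows up in /proc/net/packet, and usually an interface with IFF_PROMISC set in /sys/class/net/<if>/flags. The script below is an added defender's check, not code from the original post or from Q; the sample /proc/net/packet contents are constructed, and the parsers take text so they can be tested without root.

```python
import glob
import os

IFF_PROMISC = 0x100   # bit in /sys/class/net/<if>/flags
ETH_P_ALL = 0x0003    # "every protocol" in the Proto column of /proc/net/packet

# Constructed sample of /proc/net/packet: one raw ETH_P_ALL socket on ifindex 2
# owned by root, and one IPv4-only (0x0800) socket owned by uid 1000.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a3b12345678 3      3    0003   2     1 0      0      12345
ffff9a3b87654321 3      3    0800   0     1 0      1000   23456
"""

def parse_packet_sockets(text):
    """Parse /proc/net/packet text into one dict per open AF_PACKET socket."""
    sockets = []
    for line in text.strip().splitlines()[1:]:   # first line is the header
        f = line.split()
        if len(f) < 9:
            continue
        sockets.append({"type": int(f[2]), "proto": int(f[3], 16),
                        "ifindex": int(f[4]), "uid": int(f[7]), "inode": int(f[8])})
    return sockets

def all_protocol_listeners(sockets):
    """Sockets bound to ETH_P_ALL: the footprint of a capture-everything listener."""
    return [s for s in sockets if s["proto"] == ETH_P_ALL]

def is_promiscuous(flags_text):
    """True when the hex value read from /sys/class/net/<if>/flags has IFF_PROMISC."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def main():
    """Report live findings on a Linux host; nothing to report is the expected case."""
    if os.path.exists("/proc/net/packet"):
        with open("/proc/net/packet") as fh:
            for s in all_protocol_listeners(parse_packet_sockets(fh.read())):
                print(f"ETH_P_ALL packet socket: inode {s['inode']} uid {s['uid']} ifindex {s['ifindex']}")
    for path in glob.glob("/sys/class/net/*/flags"):
        with open(path) as fh:
            if is_promiscuous(fh.read()):
                print(f"{path.split('/')[4]} is in promiscuous mode")

if __name__ == "__main__":
    main()
```

Legitimate capture tools (tcpdump, IDS sensors) produce the same findings, so the output is a list of processes to account for, not a verdict; map an inode to a process via the socket:[inode] links under /proc/<pid>/fd.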