On Tue, Jun 9, 2009 at 1:06 AM, Danny Ching<[email protected]> wrote:
> Pardon my ignorance, but I'm intrigued by the cloak and dagger nature
> of this issue.

no problem, Dan, as you have two good questions below...

> Two questions:
>
> 1. Would flushing and changing firewall rules to block port 21 stop
> the hacker's backdoor?

with Iris's situation... the answer is no...

as you can see from her iptables output:

   74  3280 DROP       tcp  --  eth+   *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02

that rule drops all TCP packets trying to initiate a connection (TCP
SYN) arriving on any of her ethernet interfaces (except for TCP ports
22 and 8080, as you can see from the prior INPUT rules)... but nmap
still shows an open state for TCP port 21 instead of a filtered
state...

with that.. the hacker has already manipulated her packet filtering...

> 2. How would you go about finding the service that's opening port 21
> and remove it from the system?

there are ways to do that, but even if you found and removed it.. it
is still not advisable.. for the following reasons that I can think of:

1. the vulnerability is still there and the hacker can use the same
hole to compromise your system again
2. the time you spend finding and removing it is much greater than
that of a fresh install with updated packages with bug fixes..
3. assuming that you found and removed it and updated the packages..
other parts of your system were already compromised as well, to
trigger its remote access..

one of the rules of the game when it comes to securing a system..
don't put all your defenses in one layer.. do it in multiple layers
(onion skin security principle)... for example.. if the firewall is on
another layer (a network-based firewall)... the hacker cannot easily
get through to TCP port 21 on the compromised system, as the
network-based firewall prevents it..

furthermore... Iris is just lucky, as the one who penetrated her
system is not a professional hacker, since he left an open door for
detection...

if I were the hacker.. I would implement the port knocking technique...

the port knocking technique is where the compromised system's UDP or
TCP ports are all closed except for those already defined as open...
the compromised system waits for a single UDP or TCP packet from its
master to arrive, carrying the authentication and the command of which
particular port to open for his remote access..

there are two phases here.. the authentication phase and the command phase..

the authentication phase is done by checking the digital signature
appended to the content of the single packet, where the source IP plus
the command on which port to open are signed with the master's private
key, against the public key installed on the compromised system... if
the public/private key pair match... then execute the command phase...
the private and public key pair should be different for every
compromised system...

in the command phase.. open the port specified and allow only the
source IP indicated in the single packet...

the purpose of the digital signature here is to protect against other
hackers using the remote backdoor, as they would need the private key
to gain access...

with that.. the port is opened and closed after the session... this is
more stealthy and hard to detect with any network scanner...

I hope this is just for educational purposes, so that you are aware of
the most sophisticated ones and are prepared for them...

fooler.
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
http://lists.linux.org.ph/mailman/listinfo/plug
Searchable Archives: http://archives.free.net.ph
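The signed single-packet knock described in the post above, written out as an added example in Go; this is not code from the original post, from fooler, or from any tool the thread mentions. The master signs (source IP, port to open, timestamp) with his Ed25519 private key; the compromised host runs the authentication phase by verifying that signature against the per-host public key, and the command phase then emits the iptables rule that admits only that source IP to that port, inserted ahead of the SYN-drop rule shown in Iris's output, plus the matching rule to close it after the session. The wire layout, the use of Ed25519, the 30-second freshness window (replay protection the post does not mention) and the address 203.0.113.7 are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"time"
)

// Wire layout of the single knock packet (assumed here; the post fixes no format):
//   [0:4]   IPv4 address that should be let in
//   [4:6]   TCP port to open, big-endian
//   [6:14]  unix timestamp, big-endian (freshness window, added to defeat replay)
//   [14:78] Ed25519 signature over bytes [0:14] by the master's private key
const (
	bodyLen  = 4 + 2 + 8
	knockLen = bodyLen + ed25519.SignatureSize
	maxSkew  = 30 * time.Second
)

// Grant is the result of a knock that verified: which source may reach which port.
type Grant struct {
	SrcIP net.IP
	Port  uint16
}

// NewHostKeys makes one key pair per compromised host, as the post recommends.
func NewHostKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildKnock is the master's side: sign (source IP, port, time) with his private key.
func BuildKnock(priv ed25519.PrivateKey, srcIP net.IP, port uint16, at time.Time) ([]byte, error) {
	ip4 := srcIP.To4()
	if ip4 == nil {
		return nil, errors.New("source must be an IPv4 address")
	}
	pkt := make([]byte, knockLen)
	copy(pkt[0:4], ip4)
	binary.BigEndian.PutUint16(pkt[4:6], port)
	binary.BigEndian.PutUint64(pkt[6:14], uint64(at.Unix()))
	copy(pkt[bodyLen:], ed25519.Sign(priv, pkt[:bodyLen]))
	return pkt, nil
}

// VerifyKnock is the compromised host's authentication phase: the packet is
// accepted only if the signature checks against this host's public key and the
// timestamp is fresh. Anything else is dropped without a reply.
func VerifyKnock(pub ed25519.PublicKey, pkt []byte, now time.Time) (Grant, error) {
	if len(pkt) != knockLen {
		return Grant{}, errors.New("wrong length")
	}
	body, sig := pkt[:bodyLen], pkt[bodyLen:]
	if !ed25519.Verify(pub, body, sig) {
		return Grant{}, errors.New("signature does not verify")
	}
	ts := time.Unix(int64(binary.BigEndian.Uint64(body[6:14])), 0)
	if d := now.Sub(ts); d > maxSkew || d < -maxSkew {
		return Grant{}, errors.New("stale knock (replay?)")
	}
	ip := make(net.IP, 4)
	copy(ip, body[0:4])
	return Grant{SrcIP: ip, Port: binary.BigEndian.Uint16(body[4:6])}, nil
}

// OpenRule is the command phase: admit only the granted source to the granted
// port, inserted at position 1 so it is matched before the SYN-drop rule.
func OpenRule(g Grant) string {
	return fmt.Sprintf("iptables -I INPUT 1 -i eth+ -p tcp -s %s --dport %d --syn -j ACCEPT",
		g.SrcIP, g.Port)
}

// CloseRule removes that rule again once the session ends.
func CloseRule(g Grant) string {
	return fmt.Sprintf("iptables -D INPUT -i eth+ -p tcp -s %s --dport %d --syn -j ACCEPT",
		g.SrcIP, g.Port)
}

func main() {
	pub, priv := NewHostKeys()
	master := net.ParseIP("203.0.113.7") // constructed example address
	now := time.Now()

	pkt, _ := BuildKnock(priv, master, 21, now)
	g, err := VerifyKnock(pub, pkt, now)
	fmt.Println("genuine knock:", g, err)
	fmt.Println(OpenRule(g))
	fmt.Println(CloseRule(g))

	// A rival who sniffed the knock and rewrites the port breaks the signature.
	forged := append([]byte(nil), pkt...)
	binary.BigEndian.PutUint16(forged[4:6], 22)
	_, err = VerifyKnock(pub, forged, now)
	fmt.Println("tampered knock:", err)

	// The same packet replayed an hour later is refused.
	_, err = VerifyKnock(pub, pkt, now.Add(time.Hour))
	fmt.Println("replayed knock:", err)
}
```

The timestamp matters: a signature alone proves the master wrote the packet, but without a freshness check anyone who captured one knock could resend it and reopen the port for the same source IP, which is exactly the "other hackers" case the post wants the signature to rule out. Silently dropping bad knocks (no ICMP, no reply) is what keeps the listener invisible to a scanner.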