I don't agree with you.
First of all, using this method (try to bind all
ports) you will discover what ports are open. Doesn't
matter if it has a firewall or anything else. I didn't
get your point.
Second, I do this on third-party machines. Not mine :)
And almost all of them run with LKM support.
And LKM can hide processes/ports from clean binaries...
--
Daniel B. Cid
--- Tim Greer <[EMAIL PROTECTED]> wrote:
> The backdoor could easily only accept connections from non-local
> sources, or a specific source. It's probably easier to just run
> netstat, lsof, etc. from a clean, trusted media... or also boot into
> single user mode from a trusted kernel image. In fact, you should
> always have trusted kernel images on the server anyway, for purposes
> of being able to boot if the other image is corrupted or modified.
> As for LKM, I don't compile with lkm support in my kernels for many
> reasons (security being one of them), but a lot of people do, so...
> --
> Regards,
> Tim Greer [EMAIL PROTECTED]
> Server administration, security, programming,
> consulting.
>
>
> ----- Original Message -----
> From: "Daniel B. Cid" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, July 31, 2003 1:18 PM
> Subject: Finding hidden backdoors
>
>
> > I saw some people talking about rootkits that hide processes/ports.
> > One thing that I always do to see what ports are open is to run this
> > perl script:
> >
> >
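> > use strict;
> > use warnings;
> > use IO::Socket;
> >
> > # Try to bind and listen on every TCP port (valid range is 1-65535).
> > # If the bind fails, something else already holds the port.
> > for my $i (1 .. 65535) {
> >     my $server = IO::Socket::INET->new(
> >         Proto     => 'tcp',
> >         LocalPort => $i,
> >         Listen    => SOMAXCONN,
> >         Reuse     => 1,
> >     );
> >     if ($server) { close($server); }           # bind worked: port is free
> >     else         { print "Port $i Open \n"; }  # bind failed: port in use
> > }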
> >
> > This is good because if "netstat" or "lsof" or "fuser" or any other
> > program is trojaned, or if it has any firewall and nmap is not finding
> > all the open ports, this script will show ... The other benefit is that
> > you can't hide from it using any LKM code...
> > What do you think?
> >
> > thanks
> >
> > Daniel B. Cid