This is a very difficult situation. A backdoor that does something similar to that is the rpv21. It tries to connect (every x minutes) to a specified server and, when the server responds, it gives the "cracker" a reverse backdoor... very interesting. But to deal with these problems, you need to run software like chkrootkit and try to find the backdoor.
I'm writing one in Perl that makes a lot of checks on the server to try to find any backdoor or rootkit (more complete than chkrootkit)... maybe it will be useful in the future.

-- Daniel B. Cid

--- Thomas Ng <[EMAIL PROTECTED]> wrote:
> Hi,
> I think it is a pretty good idea to try to listen to the port yourself. Nice provision to listen to other protocols too.
>
> However, has anyone encountered any backdoor where it runs a sniffer and only does certain actions when it sees a pre-defined header? Something like a covert channel, but not quite. For example, it could sniff, see a header with SYN, FIN and ACK flags set, then look further into the packet for commands, run that command locally and reply with the result.
>
> That way, no port is opened. You can't portscan yourself to check for suspicious open ports. This script that you are running won't do as well.
>
> How to deal with these?
>
> Thomas Ng
>
> > -----Original Message-----
> > From: Daniel B. Cid [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, August 01, 2003 4:19 AM
> > To: [EMAIL PROTECTED]
> > Subject: Finding hidden backdoors
> >
> > I saw some people talking about rootkits that hide processes/ports.
> > One thing that I always do to see what ports are open is to run this Perl script:
> >
> >     use strict;
> >     use warnings;
> >     use IO::Socket;
> >
> >     # Try to bind a listener on every TCP port. A port we cannot bind
> >     # is already taken, even if netstat/lsof have been trojaned to hide it.
> >     # (Ports below 1024 need root; $! shows why a bind failed.)
> >     for my $port (1 .. 65535) {
> >         my $server = IO::Socket::INET->new(
> >             Proto     => 'tcp',
> >             LocalPort => $port,
> >             Listen    => SOMAXCONN,
> >             Reuse     => 1,
> >         );
> >         if ($server) {
> >             close($server);
> >         } else {
> >             print "Port $port Open ($!)\n";
> >         }
> >     }
> >
> > This is good because if "netstat" or "lsof" or "fuser" or any other program is trojaned, or if there is a firewall and nmap is not finding all the open ports, this script will show them... The other benefit is that you can't hide from it using any LKM code...
> > What do you think?
> >
> > thanks
> >
> > Daniel B. Cid
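The bind-sweep idea from Daniel's script, redone in Python as an added example (this is not code from the thread), with two things the Perl version does not do: it separates "address already in use" from "permission denied" (as a non-root user, binding any port below 1024 fails for the wrong reason and would otherwise be reported as open), and it compares the sweep against the kernel's own socket table in /proc/net/tcp and /proc/net/tcp6, so a port that bind() says is taken but the table does not list is flagged as a hidden listener, which is exactly the LKM case Daniel raises. The /proc/net/tcp text embedded below is a constructed sample, and all function names are mine.

```python
import errno
import socket

# Constructed sample of /proc/net/tcp (the Linux socket table). Field 2 is
# local_address as hex IP:PORT, field 4 is the state (0A = LISTEN).
# Only port 22 (0x0016) is listed in this sample.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
"""


def port_bind_status(port, host="0.0.0.0"):
    """Try to bind a TCP socket on host:port and report why it failed.

    Returns 'free', 'in_use' (EADDRINUSE: some socket already owns the port,
    whatever a trojaned netstat says) or 'denied' (EACCES/EPERM: ports < 1024
    as non-root, which a plain "could not bind" test would misreport as open).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        return "free"
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return "in_use"
        if e.errno in (errno.EACCES, errno.EPERM):
            return "denied"
        raise
    finally:
        s.close()


def bind_sweep(ports=range(1, 65536), host="0.0.0.0"):
    """Return {port: status} for every port that could not be bound."""
    result = {}
    for p in ports:
        st = port_bind_status(p, host)
        if st != "free":
            result[p] = st
    return result


def parse_proc_net_tcp(text):
    """Return the set of local ports (any state) in a /proc/net/tcp dump."""
    ports = set()
    for line in text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local_hex_port = fields[1].rsplit(":", 1)[1]
        ports.add(int(local_hex_port, 16))
    return ports


def kernel_local_ports(paths=("/proc/net/tcp", "/proc/net/tcp6")):
    """Read the live kernel tables; returns None on a host without them."""
    ports = set()
    found = False
    for path in paths:
        try:
            with open(path) as f:
                ports |= parse_proc_net_tcp(f.read())
                found = True
        except FileNotFoundError:
            continue
    return ports if found else None


def hidden_listeners(sweep, kernel_ports):
    """Ports the bind test says are taken but the kernel table does not list.

    A rootkit that filters /proc (or a trojaned netstat that reads it) cannot
    stop bind() from failing, so this difference is the signal.
    """
    return sorted(p for p, st in sweep.items()
                  if st == "in_use" and p not in kernel_ports)


if __name__ == "__main__":
    sweep = bind_sweep()
    listed = kernel_local_ports()
    for p, st in sorted(sweep.items()):
        print(f"port {p}: {st}")
    if listed is not None:
        print("in use but absent from /proc/net/tcp*:",
              hidden_listeners(sweep, listed))
```

Run it as root so the "denied" bucket stays empty; an established connection's local port also fails to bind, which is why the cross-check uses every state in the kernel table, not only LISTEN. It still does not answer Thomas's sniffer case: a backdoor that only reads packets owns no socket on any port, so the sweep sees nothing, and that needs a different check (interface flags, unexpected raw or packet sockets) that is not shown here.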