You are completely right. It's only a piece of code to try to find the open ports (at that moment). It's only useful for one specific situation: when you have an open port hidden (by an LKM or trojaned binaries)... You need to do a lot of other checks to have a complete analysis of the system.
-- Daniel B. Cid

> --- Michael Silk <[EMAIL PROTECTED]> wrote:
>
> Well, backdoors don't always have to have a port open waiting for connections; one such different variation could be:
> - backdoor runs every X o'clock, connecting to a website to receive its malicious commands ... hence it will just look like a simple http browsing session and will probably be unnoticed.
>
> A simple port-search wouldn't pick that up :)
>
> -- Michael
>
> -----Original Message-----
> From: Tim Greer [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 1 August 2003 8:26 AM
> To: Daniel B. Cid; [EMAIL PROTECTED]
> Subject: Re: Finding hidden backdoors
>
> The backdoor could easily only accept connections from non-local sources, or a specific source. It's probably easier to just run netstat, lsof, etc. from clean, trusted media... or also boot into single user mode from a trusted kernel image. In fact, you should always have trusted kernel images on the server anyway, for purposes of being able to boot if the other image is corrupted or modified. As for LKM, I don't compile with LKM support in my kernels for many reasons (security being one of them), but a lot of people do, so...
> --
> Regards,
> Tim Greer [EMAIL PROTECTED]
> Server administration, security, programming, consulting.
>
> ----- Original Message -----
> From: "Daniel B. Cid" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, July 31, 2003 1:18 PM
> Subject: Finding hidden backdoors
>
> > I saw some people talking about rootkits that hide processes/ports.
> > One thing that I always do to see what ports are open is to run this perl script:
> >
> > use IO::Socket;
> >
> > # Try to bind every TCP port ourselves; if bind() fails, something
> > # already holds the port, whatever netstat/lsof/fuser may claim.
> > # Start at 1: port 0 asks the kernel for any free port and always succeeds.
> > # Ports below 1024 need root; without it they fail with EACCES and would
> > # all be printed as "Open", so run this as root.
> > for ($i = 1; $i <= 65535; $i++) {
> >     my $s = IO::Socket::INET->new(
> >         Proto     => 'tcp',
> >         LocalPort => $i,
> >         Listen    => SOMAXCONN,
> >         Reuse     => 1);
> >     if ($s) { close($s); }
> >     else    { print "Port $i Open \n"; }
> > }
> >
> > This is good because if "netstat" or "lsof" or "fuser" or any other program is trojaned, or if it has any firewall and nmap is not finding all the open ports, this script will show ... The other benefit is that you can't hide from it using any LKM code...
> > What do you think?
> >
> > thanks
> >
> > Daniel B. Cid
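The bind-every-port idea from the thread, carried one step further, as an added example that is not part of the original posts or their authors' code. It separates "port already taken" (EADDRINUSE) from "not allowed to bind" (EACCES, privileged ports as a normal user) so the latter is never reported as open, and it cross-checks the ports bind() refuses against the kernel's own /proc/net/tcp listing: a port that is in use but absent from that listing is exactly what a hidden listener looks like. The /proc/net/tcp sample is constructed, not captured from a real host; the function names, the SAMPLE_PROC_NET_TCP constant and the 0.0.0.0/127.0.0.1 defaults are this example's own choices; /proc/net/tcp assumes Linux.

```python
import errno
import socket

# Probe outcomes (names chosen for this example).
FREE, IN_USE, DENIED = "free", "in_use", "denied"


def probe_port(port, addr="0.0.0.0", proto=socket.SOCK_STREAM):
    """Try to bind addr:port and report what the kernel's bind() says.

    EADDRINUSE: something already owns the port (a listener, or a connection
    the kernel has not released yet).  The answer comes from the kernel, so a
    trojaned netstat or lsof cannot influence it.
    EACCES:     unprivileged process on a port below 1024; the state is
                unknown, so the port must NOT be reported as open.
    """
    s = socket.socket(socket.AF_INET, proto)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((addr, port))
        return FREE
    except PermissionError:
        return DENIED
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return IN_USE
        raise
    finally:
        s.close()


def bind_scan(ports, addr="0.0.0.0"):
    """Probe every port in `ports`; returns {port: outcome}."""
    return {p: probe_port(p, addr) for p in ports}


def ports_from_proc(text, states=None):
    """Extract local TCP ports from the contents of /proc/net/tcp (Linux).

    Column 1 is local_address as HEXIP:HEXPORT, column 3 is the socket state
    (0A = LISTEN, 01 = ESTABLISHED, ...).  All states are kept by default so
    that ports held by ordinary outgoing connections are not flagged.
    """
    ports = set()
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if states is None or state in states:
            ports.add(int(local.rsplit(":", 1)[1], 16))
    return ports


def suspicious_ports(scan_results, reported_ports):
    """Ports that bind() says are taken but the reported view omits.

    A listener hidden by an LKM that filters /proc/net/tcp shows up here;
    DENIED ports are left out because nothing is known about them.
    """
    return sorted(p for p, st in scan_results.items()
                  if st == IN_USE and p not in reported_ports)


def self_check(addr="127.0.0.1"):
    """Open a throwaway listener on an ephemeral loopback port, confirm the
    probe sees it as IN_USE, close it and confirm it becomes FREE."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((addr, 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_port(port, addr)
    srv.close()
    return while_open, probe_port(port, addr)


# Constructed sample of /proc/net/tcp (not from a real host): a listener on
# *:22 (state 0A) and one outgoing connection from local port 41684 (state 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:A2D4 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    print("self-check (while open, after close):", self_check())
    results = bind_scan(range(1, 65536))
    try:
        with open("/proc/net/tcp") as f:
            reported = ports_from_proc(f.read())
    except OSError:
        reported = None                     # not Linux: no kernel view to compare
    if reported is None:
        print("in use:", sorted(p for p, st in results.items() if st == IN_USE))
    else:
        for p in suspicious_ports(results, reported):
            print("port %d is bound but not reported in /proc/net/tcp" % p)
    denied = sum(1 for st in results.values() if st == DENIED)
    if denied:
        print("%d privileged ports could not be probed; rerun as root" % denied)
```

Run it as root from a shell started off trusted media, as Tim suggests, so the privileged range is actually probed. Two limits follow the thread's own discussion: an LKM that hooks bind() or the socket table can lie to this check just as it lies to netstat, and a backdoor that calls out on a schedule (Michael's variant) never holds a listening port, so nothing here will see it. Note also that SO_REUSEADDR is set on the probe so ports lingering in TIME_WAIT are not reported; on BSD-derived stacks that option can also let the wildcard bind succeed over a listener bound to one specific address, so on such systems probe each configured address rather than only 0.0.0.0.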