Hi,
I think it is a pretty good idea to try to listen to the port yourself. Nice
provision to listen to other protocols too.

However, has anyone encountered any backdoor where it runs a sniffer and
only does certain actions when it sees a pre-defined header? Something like
a covert channel, but not quite. For example, it could sniff, see a header
with the SYN, FIN and ACK flags set, then look further into the packet for commands,
run that command locally and reply with the result.

That way, no port is opened. You can't portscan yourself to check for
suspicious opened ports. This script that you are running won't do as well.

How to deal with these?

Thomas Ng

> -----Original Message-----
> From: Daniel B. Cid [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 01, 2003 4:19 AM
> To: [EMAIL PROTECTED]
> Subject: Finding hidden backdoors
> 
> I saw some people talking about rootkits that hide processes/ports.
> One thing that I always do to see what ports are open is to run this
> perl script:
> 
> use IO::Socket;
> 
> # Try to bind a TCP listener on every port. A port that refuses the bind
> # is already held by something, even if netstat/lsof/fuser are trojaned.
> for (my $i = 1; $i <= 65535; $i++) {
>     my $server = IO::Socket::INET->new(
>         Proto     => 'tcp',
>         LocalPort => $i,
>         Listen    => SOMAXCONN,
>         Reuse     => 1);   # Reuse lets us bind over TIME_WAIT leftovers
>     if ($server) {
>         close($server);    # we got it, so nothing was listening there
>     } else {
>         print "Port $i Open \n";
>     }
> }
> 
> This is good because if "netstat" or "lsof" or "fuser" or any other
> program is trojaned, or if it has any firewall and nmap is not finding
> all the open ports, this script will show ... The other benefit is that
> you can't hide from it using any LKM code...
> What do you think?
> 
> thanks
> 
> Daniel B. Cid
> 
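The same bind-every-port check as an added example (not code from either poster), written in Python and extended with two things a practitioner would want: it separates "in use" (EADDRINUSE) from "refused for another reason" (for instance EACCES on a privileged port when not running as root, which the Perl script would have reported as open), and it compares the bind results with the listening ports the kernel's own table reports, so a port that is held but not reported stands out as the discrepancy a port-hiding rootkit produces. The `/proc/net/tcp` path is Linux-specific; the helper and function names are mine.

```python
import errno
import socket

def bind_probe(port, host="127.0.0.1"):
    """Try to bind a TCP socket on host:port, mirroring the Perl script's test.

    Returns "free" if the bind succeeds, "in-use" if something already holds
    the port (EADDRINUSE) and "denied" if the kernel refused for another reason
    (e.g. EACCES on a port below 1024 when not root).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # skip TIME_WAIT leftovers
    try:
        s.bind((host, port))
        return "free"
    except OSError as e:
        return "in-use" if e.errno == errno.EADDRINUSE else "denied"
    finally:
        s.close()

def listening_ports_from_proc(path="/proc/net/tcp"):
    """Ports the kernel's own table shows in LISTEN state (0A). Linux only;
    returns an empty set where the file does not exist."""
    ports = set()
    try:
        with open(path) as f:
            next(f)  # header line
            for line in f:
                fields = line.split()
                local, state = fields[1], fields[3]
                if state == "0A":
                    ports.add(int(local.split(":")[1], 16))
    except FileNotFoundError:
        pass
    return ports

def find_hidden_listeners(ports, visible):
    """Ports that fail to bind as in-use yet are absent from `visible`, the set
    of listening ports some other source (netstat, ss, /proc/net/tcp) reports."""
    return [p for p in ports if bind_probe(p) == "in-use" and p not in visible]

def open_listener(host="127.0.0.1", port=0):
    """Open a real listening socket (port 0 = ephemeral) for the probe to find;
    the caller closes it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, port))
    s.listen(1)
    return s

if __name__ == "__main__":
    print("bound but not reported:",
          find_hidden_listeners(range(1, 65536), listening_ports_from_proc()))
```

A full sweep binds and releases every port, so run it on a quiet host; a "denied" result on low ports simply means the check needs root, not that the port is open.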
