
RE: Finding hidden backdoors

From: Thomas Ng <thomas(at)singcert.org.sg>
Date: Thu Jul 31 2003 - 21:43:20 EDT


Hi,
I think it is a pretty good idea to try to listen to the port yourself. Nice provision to listen to other protocols too.

However, has anyone encountered any backdoor where it runs a sniffer and only does certain actions when it sees a pre-defined header? Something like a covert channel but not quite. For example, it could sniff, see a header with syn, fin, ack flags set, then look further into the packet for commands and run that command locally and reply with the result.

That way, no port is opened. You can't portscan yourself to check for suspicious open ports. This script that you are running won't do as well.

How to deal with these?

Thomas Ng

> -----Original Message-----



Received on Fri Aug 1 12:14:15 2003
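
One way to look for the kind of trigger this message describes, as an added example that is not part of the original post: a check over captured IPv4 packets that reports TCP flag combinations a normal stack does not send, such as the SYN, FIN, ACK header mentioned above. The function names, the `build` helper and its addresses and ports are constructed for illustration.

```python
import struct

# TCP flag bits as defined for the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def parse_tcp(ip_packet: bytes):
    """Return (flags, payload) for an unfragmented IPv4/TCP packet, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4
    if ihl < 20 or ip_packet[9] != 6 or len(ip_packet) < ihl + 20:
        return None
    # Later fragments carry no TCP header, so skip them.
    if struct.unpack("!H", ip_packet[6:8])[0] & 0x1FFF:
        return None
    data_off = (ip_packet[ihl + 12] >> 4) * 4
    if data_off < 20 or len(ip_packet) < ihl + data_off:
        return None
    return ip_packet[ihl + 13] & 0x3F, ip_packet[ihl + data_off:]

def flag_anomalies(ip_packet: bytes):
    """List reasons this packet's TCP flags are not ones a normal stack sends."""
    parsed = parse_tcp(ip_packet)
    if parsed is None:
        return []
    flags, payload = parsed
    reasons = []
    if flags & SYN and flags & FIN:
        reasons.append("SYN and FIN set together")
    if flags & SYN and flags & RST:
        reasons.append("SYN and RST set together")
    if flags == 0:
        reasons.append("no flags set")
    if reasons and payload:
        reasons.append("data carried on an invalid-flag segment")
    return reasons

def build(flags: int, payload: bytes = b"") -> bytes:
    """Constructed sample packet: IPv4 + TCP, checksums left as zero."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + tcp + payload

if __name__ == "__main__":
    for name, pkt in [("plain SYN", build(SYN)),
                      ("SYN+FIN+ACK with data", build(SYN | FIN | ACK, b"sample"))]:
        print(name, "->", flag_anomalies(pkt) or "ok")
```

A trigger built from valid-looking flags would pass this check, so it covers only the kind of header the message describes.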

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:06:48 EDT

