
A new Adore root kit

A new Adore root kit

Posted Mar 18, 2004 11:56 UTC (Thu) by fergal (subscriber, #602)
In reply to: A new Adore root kit by mikeraz
Parent article: A new Adore root kit

What would be needed is a "reverse port scanner". Something that runs on the machine and attempts to bind to address:port for every address and port on the machine. The secret port will show up as already in use.
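The bind-to-everything check described above, as an added example (not code from any poster in this thread). It goes one step beyond the comment by comparing the ports that refuse a bind against the kernel's own listing in `/proc/net/tcp*`, since a port that is taken but not listed is the interesting result. It assumes Linux and TCP over IPv4 binds; the function names and the sample listing are constructed for illustration.

```python
import errno
import glob
import socket

def ports_in_use(addr, ports):
    """Try to bind each TCP port on addr; return (busy, skipped) port lists."""
    busy, skipped = [], []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            # No SO_REUSEADDR: bind() must fail if anything already holds the port.
            s.bind((addr, port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                busy.append(port)
            else:
                skipped.append(port)  # e.g. EACCES below 1024 without root
        finally:
            s.close()
    return busy, skipped

def reported_ports(proc_text):
    """Local ports listed in /proc/net/tcp-format text (the view netstat reads)."""
    ports = set()
    for line in proc_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) > 1:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def unexplained(busy, reported):
    """Ports the kernel refuses to hand out but does not list."""
    return sorted(set(busy) - set(reported))

# Constructed sample, abbreviated to the leading columns: ports 22 and 8080.
SAMPLE = """  sl  local_address rem_address   st
   0: 00000000:0016 00000000:0000 0A
   1: 0100007F:1F90 00000000:0000 0A
"""

if __name__ == "__main__":
    listed = set()
    for path in glob.glob("/proc/net/tcp*"):  # tcp and, if present, tcp6
        with open(path) as f:
            listed |= reported_ports(f.read())
    busy, skipped = ports_in_use("0.0.0.0", range(1, 65536))
    print("in use but not listed:", unexplained(busy, listed))
    print("could not test:", len(skipped), "ports")
```

Connections that open between the listing snapshot and the bind pass show up as false positives, so rerun the scan before treating a port as suspect.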



A new Adore root kit

Posted Mar 18, 2004 17:28 UTC (Thu) by RobSeace (subscriber, #4435) [Link]

I loved your idea so much, I whipped up just such a thing as a quick Perl script: http://www.magrathea.com/~ras/misc/rpscan... ;-)

Perl isn't my strongest language (I usually write pure C code), but it seemed like the best bet for such a quick and dirty task... But, any strong Perl coders, forgive any obvious mistakes on my part... ;-)

A new Adore root kit

Posted Mar 19, 2004 4:00 UTC (Fri) by xorbe (subscriber, #3165) [Link]

Not if the module doesn't bind to the port until it sees the secret knock go by. That's the whole point...

A new Adore root kit

Posted Mar 24, 2004 6:38 UTC (Wed) by jzbiciak (✭ supporter ✭, #5246) [Link]

Won't it at least have to bind to the first port of the "knocking" sequence?

A new Adore root kit

Posted Apr 3, 2004 0:30 UTC (Sat) by alterself (guest, #1746) [Link]

The idea is not that you bind to the port... but that you log attempts to open the port.

On a normal TCP/IP stack... the stack sends a request denied on attempts to open closed ports. I would imagine that if the module tied into the TCP/IP stack, it could monitor for attempts to open a specific set of ports...
