-
August 4th, 2005, 12:31 PM
#1
Junior Member
Port Knocking Trojan detection?
I want to detect unknown trojans that are waiting for a port knock sequence to activate.
I want to do this on Windows 2000 and Linux platforms.
I also want to deny them the ability to receive their knocks on a Linux platform; however, I do not have a separate hardware firewall.
Any suggestions?
-
August 4th, 2005, 02:08 PM
#2
Let's think of the logistics of a single port knock sequence:
Start at port 1 and send a SYN
Scan the other 65534 ports with a SYN and look for a SYN/ACK
Move to port 2 and Send a SYN
Scan the other 65534 ports with a SYN and look for a SYN/ACK
etc. etc. etc.
How fast can you manage this without causing a self-imposed Denial of Service (DoS)? If you can't do it fast enough then you will take all day doing it.
Might I suggest a host-based IDS that watches your drive for changed/added/deleted files. You may take a while to work out which files to exclude depending upon your level of paranoia, but it is a much better system than trying to scan for a port knocking trojan... Note: we haven't even looked at a trojan that requires a double knock or more....
Also (I'm assuming that your Linux box is your firewall), if the implementation of the firewall is correct then the firewall would be injected between the NIC and the trojan, so if all unnecessary ports are firewalled then the trojan would never receive the knock sequence.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
August 4th, 2005, 02:22 PM
#3
Junior Member
Unfortunately my paranoia is very high.
Linux: Assuming a trojan is monitoring a port that is closed as far as the outside world is concerned, is there a way of detecting this monitoring? I am happy to patch the kernel if necessary.
(Wrong group, but... I use Tripwire as an IDS. Do you know if file changes can be hidden, assuming the Tripwire system is on read-only media?)
3rd, can a trojan get in front of iptables to monitor ports?
-
August 4th, 2005, 02:28 PM
#4
I'm the wrong guy for the Linux stuff but I'm sure someone else will pipe up.
IIRC, Tripwire uses an MD5 hash of the file. Thus, even if you are looking at a kernel rootkit, it would be approximately impossible to hide the trojan without Tripwire detecting it.
GFI has a free Integrity checker at www.gfi.com for Windows that functions quite well.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
August 5th, 2005, 02:31 AM
#5
Linux: Assuming a trojan is monitoring a port that is closed as far as the outside world is concerned, is there a way of detecting this monitoring?
netstat? If that paranoid, use a known good copy, not the one on the system. Maybe copy it to read-only media during the initial install, before the box gets hooked to anything; you know, the same time you installed Tripwire.
I use Tripwire as an IDS, do you know if file changes can be hidden, assuming the Tripwire system is on read-only media?
Yes. There are rootkits with LKMs (Loadable Kernel Modules) that will hide file changes from programs such as Tripwire. There are (or at least were) ways to load a module into a running kernel even if the kernel was built without loadable kernel support. There are papers, as well as the rootkits, freely available on the Internet.
If someone gets root access they can, if they know what they are doing, do pretty much what they want.
3rd, can a trojan get in front of iptables to monitor ports?
Don't know of any, don't see why not. Snort does it. But might it not just be easier to install hacked versions of iptables (rules, etc.) at this point?
"And maddest of all, to see life as it is and not as it should be" -- Miguel Cervantes
-
August 5th, 2005, 09:53 AM
#6
Junior Member
Thanks, I'll create an IDS solution based on Puppy Linux.
-
August 6th, 2005, 03:31 AM
#7
Originally posted here by rumex
3rd, can a trojan get in front of iptables to monitor ports?
Sure, anything using BPF (Berkeley Packet Filter) will see everything hitting the NIC...
Ammo
Credit travels up, blame travels down -- The Boss
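Following up on the netstat suggestion in #5 and the point in #7 that a BPF sniffer sees every frame before iptables: a listener of that kind has to open an AF_PACKET socket, and the kernel lists those in /proc/net/packet whether or not any TCP port is open. The script below is an added example, not anything posted in this thread; it parses that file, flags raw sockets bound to every protocol (ETH_P_ALL), and maps their inodes back to PIDs through /proc/<pid>/fd. The sample text is constructed, and as with netstat the check is only as trustworthy as the kernel and /proc it reads.

```python
import os

# Constructed sample of /proc/net/packet (not captured from a real host).
# Kernel column layout: sk RefCnt Type Proto Iface R Rmem User Inode
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1d2c3e4000 3      3    0003   0     1 0      0      28841
ffff9a1d2c3e5000 3      2    0800   2     0 0      0      28902
"""

SOCK_DGRAM, SOCK_RAW = 2, 3
ETH_P_ALL = 0x0003        # socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL))

def parse_packet_sockets(text):
    """Parse /proc/net/packet text into one dict per AF_PACKET socket."""
    sockets = []
    for line in text.splitlines()[1:]:          # first row is the header
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append({
            "type": int(fields[2]),
            "proto": int(fields[3], 16),        # printed in hex by the kernel
            "iface": int(fields[4]),            # 0 = bound to every interface
            "inode": int(fields[8]),
        })
    return sockets

def suspicious_sockets(sockets):
    """Raw sockets capturing every protocol: what a sniffer-style listener opens.
    A DGRAM socket on one protocol (e.g. a DHCP client on 0x0800) is left alone."""
    return [s for s in sockets if s["type"] == SOCK_RAW and s["proto"] == ETH_P_ALL]

def socket_owners(inodes, proc_root="/proc"):
    """Map socket inodes to the PIDs holding them via /proc/<pid>/fd symlinks.
    Reading other users' fd tables needs root; unreadable entries are skipped."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners = {}
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return owners
    for pid in pids:
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                if target in wanted:
                    owners.setdefault(wanted[target], []).append(int(pid))
        except OSError:
            continue
    return owners

if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        found = suspicious_sockets(parse_packet_sockets(f.read()))
    owners = socket_owners([s["inode"] for s in found])
    for s in found:
        print(f"raw ETH_P_ALL socket inode={s['inode']} iface={s['iface']} "
              f"pids={owners.get(s['inode'], ['unknown'])}")
```

Legitimate tools (tcpdump, Snort, some DHCP clients) show up here too, so the useful signal is a raw ETH_P_ALL socket owned by a process you did not install.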