
Thread: Port Knocking Trojan detection?

  1. #1
    Junior Member
    Join Date
    Aug 2005
    Posts
    3

    Port Knocking Trojan detection?

    I want to detect unknown trojans that are waiting for a port knock sequence to activate?
    I want to do this on windows 2000 and Linux platforms.
    I also want to deny them the ability to receive their knocks to a Linux platform, however I do not have a separate hardware firewall?
    Any suggestions?

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Let's think of the logistics of a single port knock sequence:-

    Start at port 1 and send a SYN
    Scan the other 65534 ports with a SYN and look for a SYN/ACK
    Move to port 2 and Send a SYN
    Scan the other 65534 ports with a SYN and look for a SYN/ACK
    etc. etc. etc.

    How fast can you manage this without causing a self-imposed Denial of Service (DoS)? If you can't do it fast enough then you will take all day doing it.

    Might I suggest a host-based IDS that will watch your drive for changed/added/deleted files. You may take a while to work out which files to exclude depending upon your level of paranoia but it is a much better system than trying to scan for a port knocking trojan... Note: we haven't even looked at a trojan that requires a double knock or more....

    Also, (I'm assuming that your Linux box is your firewall), if the implementation of the firewall is correct then the firewall would be injected between the NIC and the trojan, so if all unnecessary ports are firewalled then the trojan would never receive the knock sequence.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Junior Member
    Join Date
    Aug 2005
    Posts
    3
    Unfortunately my paranoia is very high.
    Linux: Assuming a trojan is monitoring a port that is closed as far as the outside world is concerned, is there a way of detecting this monitoring? I am happy to patch the kernel if necessary.
    (wrong group, but... I use Tripwire as an IDS; do you know if file changes can be hidden, assuming the Tripwire system is on read-only media?)
    3rd, can a trojan get in front of iptables to monitor ports?

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I'm the wrong guy for the Linux stuff but I'm sure someone else will pipe up.

    IIRC, Tripwire uses an MD5 hash of the file. Thus, even if you are looking at a kernel rootkit, it would be approximately impossible to hide the trojan without Tripwire detecting it.

    GFI has a free Integrity checker at www.gfi.com for Windows that functions quite well.

  5. #5
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    Linux: Assuming a trojan is monitoring a port that is closed as far as the outside world is concerned, is there a way of detecting this monitoring?
    netstat ? If that paranoid, use a known good copy, not the one on the system. Maybe copy it to read only media during the initial install, before the box gets hooked to anything; you know, the same time you installed tripwire.

    I use Tripwire as an IDS, do you know if file changes can be hidden, assuming the Tripwire system is on read-only media?
    Yes. There are rootkits with LKMs ( Loadable Kernel Modules ) that will hide file changes for programs such as Tripwire. There are ( or at least were ) ways to load a module into a running kernel even if the kernel was built without loadable kernel support. There are papers, as well as the rootkits, freely available on the Internet.

    If someone gets root access they can, if they know what they are doing, do pretty much what they want.

    3rd, can a trojan get in front of iptables to monitor ports?
    Don't know of any, don't see why not. SNORT does it. But might it not just be easier to install hacked versions of iptables ( rules, etc. ) at this point?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  6. #6
    Junior Member
    Join Date
    Aug 2005
    Posts
    3
    Thanks, I'll create an IDS solution based on puppy linux.

  7. #7
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Originally posted here by rumex

    3rd, can a trojan get in front of iptables to monitor ports?
    Sure, anything using BPF (Berkeley Packet Filter) will see everything hitting the NIC...


    Ammo
    Credit travels up, blame travels down -- The Boss
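Added example, not from any poster in this thread: a Python script that follows up on IKnowNot's "use a known good netstat" (#5) and Ammo's point about BPF sockets (#7) by reading the kernel's socket tables from /proc directly instead of trusting the netstat binary, listing LISTEN sockets, AF_PACKET sniffer sockets, and the pids holding them. The /proc samples embedded in it are constructed; it assumes Linux on a little-endian CPU, and root to map every pid.

```python
# Added example (not from this thread): samples are constructed; assumes Linux on a little-endian CPU.
import os
import re

# Constructed /proc/net/packet: Type 3 = SOCK_RAW, Proto 0003 = ETH_P_ALL (every frame on the NIC).
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8800 3      3    0003   2     1 0      0      21563
"""
# Constructed /proc/net/tcp: st 0A = LISTEN, 01 = ESTABLISHED; hex addr:port, inode is the 10th column.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 100 0 0 10 0
   2: 0100007F:9D2C 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 67891 1 0000000000000000 20 4 30 10 -1
"""

def parse_packet_sockets(text):
    """One dict per AF_PACKET socket: the kind any BPF sniffer holds open (post #7)."""
    return [{"type": int(c[2]), "proto": c[3], "ifindex": int(c[4]), "inode": int(c[8])}
            for c in (line.split() for line in text.splitlines()[1:]) if len(c) >= 9]

def _hex_addr(field):
    """'0100007F:1F90' -> ('127.0.0.1', 8080); the IP is printed in host (little-endian) byte order."""
    ip_hex, port_hex = field.split(":")
    return ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)), int(port_hex, 16)

def parse_listening_tcp(text):
    """(ip, port, inode) for every LISTEN socket, read from the kernel rather than from netstat."""
    return [(*_hex_addr(c[1]), int(c[9]))
            for c in (line.split() for line in text.splitlines()[1:]) if len(c) >= 10 and c[3] == "0A"]

def inode_owners(inodes):
    """Map socket inodes to pids via /proc/<pid>/fd symlinks (run as root to see every pid)."""
    owners = {}
    for pid in (filter(str.isdigit, os.listdir("/proc")) if os.path.isdir("/proc") else []):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m and int(m.group(1)) in inodes:
                    owners.setdefault(int(m.group(1)), set()).add(int(pid))
        except OSError:  # process exited or not readable by this user; skip it
            pass
    return owners

def audit(packet_text=None, tcp_text=None):
    """Return (sniffers, listeners, inode->pids); with no text given, read the live /proc files."""
    read = lambda path: open(path).read() if os.path.exists(path) else ""
    sniffers = parse_packet_sockets(packet_text if packet_text is not None else read("/proc/net/packet"))
    listeners = parse_listening_tcp(tcp_text if tcp_text is not None else read("/proc/net/tcp"))
    return sniffers, listeners, inode_owners({s["inode"] for s in sniffers} | {l[2] for l in listeners})
```

As IKnowNot notes, an LKM rootkit can filter /proc just as it filters netstat, so a disagreement between this output and netstat is a signal while agreement proves nothing.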
