Comments on: Backdoors available for analysis
http://writequit.org/blog/2008/01/16/backdoors-available-for-analysis/
Tu fui, ego eris
Fri, 15 Aug 2014 11:26:27 +0000

By: dnardoni, Thu, 17 Jan 2008 20:18:20 +0000
http://writequit.org/blog/2008/01/16/backdoors-available-for-analysis/comment-page-1/#comment-227

Lee,

I would consider running some of the commands with trusted binaries, maybe off a CD or USB drive, to a mapped location, maybe using netcat.

“netstat -an”: this will list open ports
“netstat -rn”: this will list your routing table
“lsof”: lists open files
“ps aux”: lists running processes
Many other commands could be handled if you had a forensic image, such as reviewing user accounts, hidden files possibly created, deleted files, and analysis of file data/timestamps around the time of the incident.

Hope that helps a bit

Dave

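The trusted-binary collection step dnardoni describes above, as an added example (this is not code from the blog post or from any commenter): each volatile-data command is run by absolute path from a read-only tools directory with a scrubbed environment, so the suspect host's PATH and preloaded libraries cannot redirect or filter the call, and a SHA-256 of every capture is recorded for later verification. The directory /mnt/ir-tools/bin, the evidence path and the exact command list are assumptions; the output directory is meant to be the mapped or remote location, and the netcat transfer itself is left to the shell.

```python
"""Live-response collector: run volatile-data commands from a trusted binary
directory and hash every capture. Added example, not code from the blog or
its commenters; the trusted directory and output paths are assumptions."""
import hashlib
import os
import subprocess
import sys
from datetime import datetime, timezone

# Assumed mount point of a read-only CD/USB carrying known-good statically
# linked binaries. Never trust the compromised host's own /bin or /usr/bin.
TRUSTED_BIN = "/mnt/ir-tools/bin"

# The volatile-state commands suggested in the thread (FreeBSD/Linux flavour).
VOLATILE_COMMANDS = {
    "netstat_an": ["netstat", "-an"],    # open sockets / listening ports
    "netstat_rn": ["netstat", "-rn"],    # routing table
    "lsof":       ["lsof", "-n", "-P"],  # open files, no name resolution
    "ps_aux":     ["ps", "aux"],         # running processes
}


def run_trusted(trusted_dir, argv, timeout=60):
    """Run argv[0] from trusted_dir by absolute path with a sanitised
    environment, so PATH tricks and LD_PRELOAD-style userland hooks in the
    suspect host's environment cannot redirect or filter the call.
    Returns the raw stdout+stderr bytes, or None if the binary is missing."""
    exe = os.path.join(trusted_dir, argv[0])
    if not os.path.isfile(exe) or not os.access(exe, os.X_OK):
        return None
    env = {"PATH": trusted_dir, "LANG": "C", "LC_ALL": "C"}  # nothing inherited
    proc = subprocess.run([exe, *argv[1:]], env=env, capture_output=True,
                          timeout=timeout, check=False)
    return proc.stdout + proc.stderr


def collect(trusted_dir, commands, out_dir):
    """Run each command, write its output to out_dir and return
    {name: sha256-hex} so the captures can be verified later (chain of
    custody). Commands whose trusted binary is absent are skipped."""
    os.makedirs(out_dir, exist_ok=True)
    digests = {}
    for name, argv in commands.items():
        data = run_trusted(trusted_dir, argv)
        if data is None:
            continue
        with open(os.path.join(out_dir, name + ".txt"), "wb") as fh:
            fh.write(data)
        digests[name] = hashlib.sha256(data).hexdigest()
    # Manifest of hashes, written last so the captures it describes exist.
    stamp = datetime.now(timezone.utc).isoformat()
    with open(os.path.join(out_dir, "manifest.txt"), "w") as fh:
        fh.write(f"# collected {stamp}\n")
        for name, digest in sorted(digests.items()):
            fh.write(f"{digest}  {name}.txt\n")
    return digests


if __name__ == "__main__":
    # Usage: python collect.py [trusted_dir] [out_dir]; out_dir would normally
    # be a mapped/remote location rather than the suspect host's own disk.
    tdir = sys.argv[1] if len(sys.argv) > 1 else TRUSTED_BIN
    odir = sys.argv[2] if len(sys.argv) > 2 else "/mnt/evidence/volatile"
    for k, v in collect(tdir, VOLATILE_COMMANDS, odir).items():
        print(k, v)
```

The manifest of hashes is what makes the captures useful later: once the files have been copied off the box, `sha256sum -c manifest.txt` on the analysis machine confirms nothing changed in transit.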
By: Lee Hinman, Wed, 16 Jan 2008 22:05:16 +0000
http://writequit.org/blog/2008/01/16/backdoors-available-for-analysis/comment-page-1/#comment-230

This machine is a honeypot of sorts, users were allowed accounts on the machine with a notice that their actions were monitored.

They actually got on there from a user wget’ing them on :)

By: Joel ealer, Wed, 16 Jan 2008 21:56:43 +0000
http://writequit.org/blog/2008/01/16/backdoors-available-for-analysis/comment-page-1/#comment-229

How did the backdoors get on the box?

By: Lee Hinman, Wed, 16 Jan 2008 18:31:43 +0000
http://writequit.org/blog/2008/01/16/backdoors-available-for-analysis/comment-page-1/#comment-228

@dnardoni:
Thanks for the feedback! The machine is indeed a FreeBSD 6.2 machine running on a SPARC processor (I updated the post to say this). I will definitely be doing a portscan on the machine to compare what netstat says to what nmap sees. As far as creating a forensic image, I’m afraid I’m not sure the best way to go about this. I’m worried that even if I do create an image, I won’t be able to work on it on any of my machines (big-endian vs. little-endian).

I’m planning on providing more details and output from different commands as I work through the analysis. Thanks for the advice so far! :)

By: dnardoni, Wed, 16 Jan 2008 18:21:29 +0000
http://writequit.org/blog/2008/01/16/backdoors-available-for-analysis/comment-page-1/#comment-231

Are these systems Windows or Unix/Linux?

I would recommend you collect all the open ports and processes running on the system.

Also it may be valuable to port scan the system remotely to compare what ports the system says are open vs. what you find remotely. Maybe a rootkit hiding processes or open ports?

Also I would make a forensic image of the systems using dcfldd and that way you can offer the images up for analysis should you wish.

You already seem to be very adept at capturing network based information so I am sure you have done that already.

If possible it may be worth trying to image RAM as well.

After forensic images have been made those with reverse engineering experience can see what the malware is capable of.

If you can provide some more detail, I might be able to give you more ideas.

Dave

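The local-versus-remote port comparison that dnardoni suggests above (and that Lee says he will run with netstat and nmap), as an added example rather than code from the post or its commenters: it parses FreeBSD-style `netstat -an` output and nmap's grepable (`-oG`) output and reports ports the scanner sees that the host itself does not admit to. Both sample outputs below are constructed for the example, including the host address and the extra port 31337; they are not captures from the honeypot.

```python
"""Compare what the host reports as listening (netstat -an) against what a
remote scan sees (nmap -oG grepable output). Added example, not from the blog
or commenters; the sample outputs below are constructed, not captured."""
import re

# Constructed sample of FreeBSD `netstat -an` output (column layout matches
# the real one: Proto Recv-Q Send-Q Local-Address Foreign-Address (state)).
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.10.22        192.168.1.5.41022      ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
udp4       0      0  *.123                  *.*
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
c1d2e3f4 stream      0      0        0 c1d2e3f5        0        0
"""

# Constructed sample of `nmap -oG -` output for the same host, showing one
# extra TCP port that the host itself did not report.
NMAP_SAMPLE = """\
# Nmap scan initiated as: nmap -sS -p- -oG - 192.168.1.10
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 31337/open/tcp//unknown///\tIgnored State: closed (65532)
# Nmap done -- 1 IP address (1 host up) scanned
"""


def local_listeners(netstat_text):
    """Return {(proto, port)} for sockets the host reports as listening.
    TCP lines carry LISTEN; bound UDP sockets have no state column."""
    found = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or not cols[0].startswith(("tcp", "udp")):
            continue
        proto = cols[0][:3]
        # FreeBSD prints addr.port; the port is everything after the last dot.
        port = cols[3].rsplit(".", 1)[-1]
        if not port.isdigit():
            continue
        is_listen = (proto == "tcp" and len(cols) >= 6 and cols[5] == "LISTEN") \
            or (proto == "udp" and cols[4] == "*.*")
        if is_listen:
            found.add((proto, int(port)))
    return found


# port/state/proto/... fields of an -oG "Ports:" entry; only open ones matter.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/")


def remote_open(nmap_grepable):
    """Return {(proto, port)} that nmap reports as open in -oG output."""
    found = set()
    for line in nmap_grepable.splitlines():
        if "Ports:" not in line:
            continue
        for port, proto in PORT_RE.findall(line):
            found.add((proto, int(port)))
    return found


def compare(netstat_text, nmap_grepable):
    """Ports seen from outside but not reported locally are the interesting
    discrepancy: on a live system that pattern is consistent with a rootkit
    or a trojaned netstat hiding a listener. The reverse set (reported
    locally, not seen remotely) usually means a firewall, a loopback-only
    bind, or simply a protocol the scan did not cover."""
    local = local_listeners(netstat_text)
    remote = remote_open(nmap_grepable)
    return {
        "hidden_locally": sorted(remote - local),
        "not_reachable": sorted(local - remote),
    }


if __name__ == "__main__":
    result = compare(NETSTAT_SAMPLE, NMAP_SAMPLE)
    for key, ports in result.items():
        print(key, ", ".join(f"{p}/{proto}" for proto, p in ports) or "-")
```

On the constructed samples this flags 31337/tcp as seen remotely but absent from the host's own netstat, which is exactly the kind of mismatch worth chasing with trusted binaries or a disk image. The UDP listener on 123 lands in `not_reachable` only because the constructed scan was a TCP SYN scan; a separate `-sU` pass is needed before that set says anything about UDP.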