
Backdoors Continued
This part covers the common network protocol backdoors: shells carried over TCP, UDP and ICMP, and encrypted links between the intruder and the compromised machine.

Network traffic backdoors

Intruders want to hide not only their tracks on the machine but also their network traffic as much as possible. Network traffic backdoors sometimes let an intruder get through a firewall. Many backdoor programs bind to a port number of the intruder's choosing and grant access without ever going through the normal services, and because the traffic goes to a non-standard port an administrator can easily overlook it. These backdoors usually carry their shell over TCP, UDP or ICMP, but any kind of packet the firewall lets through can be used.

TCP Shell Backdoors

The intruder sets up a TCP shell backdoor on some high port number, preferably one the firewall does not block. Many times it is protected with a password, so that an administrator who happens to connect to it does not immediately see shell access. An administrator can look for these with netstat, which shows which ports are listening and where current connections are going to and from. These backdoors also get past TCP Wrapper controls: tcpd only screens connections for the services it launches on behalf of inetd, and a backdoor that listens on its own socket is never passed through it. The backdoor can also be run on the SMTP port (TCP 25), which many firewalls leave open for e-mail; a listener on a well-known port only looks legitimate if the process behind it is the expected daemon.

UDP Shell Backdoors

An administrator can often spot a TCP connection and notice the odd behaviour, but a UDP shell backdoor has no connection: netstat lists the bound UDP socket, but never a peer address or a connection state, so it does not reveal that an intruder is using the Unix machine. Many firewalls are configured to pass UDP packets for services such as DNS (UDP port 53). Intruders often place the UDP shell backdoor on that port so that it bypasses the firewall; on a host that is not a name server any process bound to UDP 53 is suspect, and on one that is, the owner of the socket should be the name server daemon and nothing else.
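A host-side check for the TCP and UDP cases above, added here as an example and not part of the original article: it parses the Linux netstat -anp layout (a constructed sample, not a real capture) and compares every listening socket against a hypothetical baseline of which program is allowed to own which port, then reports established connections to anything it flagged. Port numbers, process names, addresses and the baseline are all assumptions made for the example.

```python
"""Audit `netstat -anp` output for shell backdoors hiding on odd ports or behind service ports.

Added example; the sample output and the baseline are constructed, not taken from a real host.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of Linux `netstat -anp` output (run as root so the owning process is shown).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      902/sendmail
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      4471/sh
tcp        0      0 10.0.0.5:31337          198.51.100.7:40122      ESTABLISHED 4471/sh
tcp        0      0 10.0.0.5:22             10.0.0.9:51004          ESTABLISHED 3318/sshd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           4490/.x
udp        0      0 0.0.0.0:123             0.0.0.0:*                           733/ntpd
"""

# Hypothetical baseline for this host: which program may own which listening port.
BASELINE: Dict[Tuple[str, int], Set[str]] = {
    ("tcp", 22): {"sshd"},
    ("tcp", 25): {"sendmail"},
    ("udp", 53): {"named"},
    ("udp", 123): {"ntpd"},
}


@dataclass
class Socket:
    proto: str              # "tcp" or "udp"
    local_port: int
    foreign: str            # peer address; "0.0.0.0:*" for an unconnected socket
    state: str              # "LISTEN", "ESTABLISHED", ...; always empty for UDP
    program: Optional[str]  # name from the PID/Program column, None if netstat did not show it


def parse_netstat(text: str) -> List[Socket]:
    """Parse the tcp/udp rows of Linux netstat output; header lines are skipped."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto = fields[0].rstrip("6")
        local, foreign = fields[3], fields[4]
        if proto == "tcp":
            # TCP rows carry a State column before PID/Program name; UDP rows do not.
            state = fields[5] if len(fields) > 5 else ""
            owner = fields[6] if len(fields) > 6 else "-"
        else:
            state = ""
            owner = fields[5] if len(fields) > 5 else "-"
        port = local.rsplit(":", 1)[1]
        if not port.isdigit():
            continue
        program = owner.split("/", 1)[1] if "/" in owner else None
        sockets.append(Socket(proto, int(port), foreign, state, program))
    return sockets


def audit(text: str, baseline: Dict[Tuple[str, int], Set[str]] = BASELINE) -> List[str]:
    """Return one finding per socket that does not fit the baseline.

    Two checks: a listener on a port the baseline does not know (the high-port shell), and
    a listener on a known service port owned by the wrong program (the shell hiding on
    UDP 53). Established TCP connections to a flagged port are reported as well; UDP has
    no connection state, so for UDP the owner check is all there is.
    """
    findings: List[str] = []
    sockets = parse_netstat(text)
    suspicious: Set[Tuple[str, int]] = set()
    for s in sockets:
        is_listener = s.state == "LISTEN" or (s.proto == "udp" and s.foreign.endswith(":*"))
        if not is_listener:
            continue
        key = (s.proto, s.local_port)
        allowed = baseline.get(key)
        if allowed is None:
            findings.append(f"{s.proto}/{s.local_port} listener not in baseline "
                            f"(owner {s.program or 'unknown'})")
            suspicious.add(key)
        elif s.program is not None and s.program not in allowed:
            findings.append(f"{s.proto}/{s.local_port} owned by '{s.program}', "
                            f"expected one of {sorted(allowed)}")
            suspicious.add(key)
    for s in sockets:
        if s.state == "ESTABLISHED" and (s.proto, s.local_port) in suspicious:
            findings.append(f"active connection from {s.foreign} to suspicious "
                            f"{s.proto}/{s.local_port}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT):
        print(finding)
```

On the sample this reports three things: the unexpected TCP 31337 listener, the live connection to it, and a process called ".x" rather than named owning UDP 53. The UDP row is the point of the example: netstat never shows a peer for a UDP socket, so a backdoor on UDP 53 looks exactly like a name server until the owning process is checked, which requires running netstat as root so the program column is filled in. Keep in mind that a rootkit can replace netstat itself; confirm from a known-good binary (lsof -i, or ss -tulnp on current Linux) or with a port scan from another host.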

ICMP Shell Backdoors

Ping is the most common way to find out whether a machine is alive: it sends ICMP echo requests and receives echo replies. Many firewalls allow outsiders to ping internal machines. An intruder can carry data in the payload of those ICMP echo packets and tunnel a shell between the two machines. An administrator may notice a flurry of ping packets, but unless the payload is inspected the intruder goes unnoticed: a normal ping carries a fixed fill pattern, whereas a tunnel carries commands, command output, or ciphertext.

Encrypted Link

An administrator can set up a sniffer to look at the data. An intruder can, however, add encryption to any of the network traffic backdoors, and it then becomes almost impossible to determine what is actually being transmitted between the two machines. What encryption does not hide is that the traffic exists: which hosts are talking, how often, how much, and that the payload looks like random bytes where a normal service would carry plaintext or a fixed fill.
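A payload check for the ICMP shell and encrypted link cases above, added here as an example and not part of the original article. It builds IPv4/ICMP echo packets in code (constructed, not captured), verifies the ICMP checksum, and classifies the payload: a normal ping carries a recognisable fill (the repeating alphabet Windows ping sends, or the timestamp plus incrementing bytes Unix pings send), a plaintext tunnel carries printable text, and an encrypted tunnel carries bytes close to random. The entropy threshold, the addresses and the sample payloads are assumptions made for the example.

```python
"""Inspect ICMP echo packets for payloads that are not a normal ping fill.

Added example; the packets below are constructed in code, not captured from a network.
"""
import hashlib
import math
import struct
from collections import Counter
from typing import Dict


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(payload: bytes, ident: int = 0x1234, seq: int = 1, icmp_type: int = 8) -> bytes:
    """Build an IPv4 packet carrying an ICMP echo request (type 8) or echo reply (type 0).
    Source 192.0.2.10 and destination 198.51.100.7 are documentation addresses (assumed)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for constant data, up to 8 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_standard_fill(payload: bytes) -> bool:
    """Recognise the two usual ping fills: Windows' repeating 'abcdefghijklmnopqrstuvw'
    and the Unix style of an 8-byte timestamp followed by incrementing byte values."""
    if payload and all(b == ord("a") + (i % 23) for i, b in enumerate(payload)):
        return True
    tail = payload[8:]
    return len(tail) >= 4 and all(b == (tail[0] + i) & 0xFF for i, b in enumerate(tail))


def inspect_packet(packet: bytes, entropy_threshold: float = 4.5) -> Dict[str, object]:
    """Classify the payload of one IPv4/ICMP packet. The entropy threshold is a tuning
    assumption; fill patterns are matched first because the Unix fill is itself high-entropy."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1:
        raise ValueError("not an ICMP packet")
    icmp = packet[ihl:total_len]
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    payload = icmp[8:]
    entropy = shannon_entropy(payload)
    if icmp_type not in (0, 8):
        verdict = "not_echo"
    elif not payload:
        verdict = "empty"
    elif is_standard_fill(payload):
        verdict = "standard_fill"
    else:
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload) / len(payload)
        if printable > 0.9:
            verdict = "plaintext_data"       # commands or output in the clear
        elif entropy > entropy_threshold:
            verdict = "high_entropy_data"    # compressed or encrypted tunnel
        else:
            verdict = "unrecognised_data"
    return {"type": icmp_type, "id": ident, "seq": seq, "len": len(payload),
            "checksum_ok": inet_checksum(icmp) == 0, "entropy": round(entropy, 2),
            "verdict": verdict}


# Constructed payloads: two normal fills, a tunnelled command, and a pseudo-random blob
# (SHA-256 output stands in for ciphertext so the example stays deterministic).
LINUX_FILL = struct.pack("!II", 0x5E0B1234, 0x00030D40) + bytes(range(0x10, 0x40))
WINDOWS_FILL = bytes(ord("a") + (i % 23) for i in range(32))
TUNNELLED_CMD = b"cat /etc/passwd | head -5\n".ljust(56, b" ")
ENCRYPTED_BLOB = (hashlib.sha256(b"block 1").digest() + hashlib.sha256(b"block 2").digest())[:56]

if __name__ == "__main__":
    for name, data in [("linux ping", LINUX_FILL), ("windows ping", WINDOWS_FILL),
                       ("tunnelled command", TUNNELLED_CMD), ("encrypted tunnel", ENCRYPTED_BLOB)]:
        print(name, inspect_packet(build_echo(data)))
```

The order of the checks is the design point: the incrementing Unix fill is itself high-entropy, so an entropy test alone would flag every normal ping, which is why the known fill patterns are matched first and entropy only decides among what remains. An encrypted tunnel payload cannot be read, but it still stands out because no legitimate echo payload looks like random bytes; that, together with the volume and timing of the pings, is the traffic-analysis signal that survives encryption.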

Windows NT

Windows NT does not easily allow multiple users on a single machine and remote access in the way Unix does. It is therefore harder for the intruder to break into Windows NT, install a backdoor, and launch an attack from it, and network attacks are launched more frequently from Unix systems than from Windows NT. As Windows NT gains multi-user technologies, intruders may use it to their advantage more often. If that happens, many of the concepts from Unix backdoors can be ported to Windows NT, and administrators can prepare for the intruder. Today there are already telnet daemons available for Windows NT, and the network traffic backdoors described above are entirely feasible for intruders to install on Windows NT.

Designed and Maintained by C & K Management Limited

© Copyright 2003 C & K Management Limited