Detecting backdoors

teancum144 (Member, Posts: 229)
I came across a question that implies that backdoors can be detected by "proper configuration management processes."

I'm not sure how this would be accomplished. I would think hashing system files and comparing the hashes against a baseline, which could be considered part of configuration management. Am I on the right track?

Comments

  • Shadow Realm (Member, Posts: 15)
    Are you talking about OS backdoors (like rootkits) or web app backdoors like

    <?php
    // One-line web shell: a "password" parameter gates a command parameter.
    // The original post lost the array keys in extraction; 'pwd' and 'cmd'
    // are assumed names, the behaviour (unauthenticated RCE) is as posted.
    if (isset($_GET['pwd']) && $_GET['pwd'] == 'urpwd') {
        system($_GET['cmd']);
    }
    ?>

    Web app ones can sometimes (although rarely) be spotted by an error like this: "Warning: Cannot execute a blank command in ..."

    Otherwise, just look through your access logs (if they were sloppy); otherwise you can look at recently modified files, unless they used touch. tl;dr: it's pretty hard to find one if they know what they are doing.
    Currently Working On: CompTIA A+ and MCITP: Windows 7
    Want To Complete: Network+, Security+, Linux+, CCENT, CCNA, CCNA Security, RHCE, CISSP (Associate)
  • samurai86 (Member, Posts: 104)
    I think you are on the right track; that may be one way to detect a backdoor or other malware. What Shadow Realm mentions is also true in regard to backdoors in coded applications or web-based applications.

    Within a system you may also be able to detect a backdoor by documenting things like known services, registry Run keys, or other startup locations. By knowing what should be there, you would be able to identify something that does not belong and could then investigate. Monitoring network traffic may also help you detect a backdoor, but I'm not sure whether the configuration management process would assist with packet analysis.
    Bachelor's of Applied Science in Technology Management - Information Security Assurance (St. Petersburg College)
    Masters of Science in Digital Forensics (University of Central Florida)
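The two suggestions so far (hashing system files against a baseline, and documenting known services and startup locations) are the same workflow: record a known-good state, store it, and diff the live state against it. The Python below is an added example, not code from this thread or from any particular tool. The directory layout, the "trojaned ps" and the cron-style persistence entry are constructed inputs; on a real host the labelled roots would be things like /usr/bin, /etc/systemd/system, /etc/cron.d and /etc/ld.so.preload's directory, or the Run keys and Startup folders on Windows.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries stay out of RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_tree(root):
    """Map path-relative-to-root -> sha256 for every regular file under root.

    Symlinks are skipped on purpose: a binary replaced by a symlink then shows
    up as 'removed' instead of silently hashing whatever it points at.
    """
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            hashes[os.path.relpath(full, root)] = sha256_file(full)
    return hashes


def build_baseline(roots):
    """roots is a dict label -> directory; each label becomes one hash tree."""
    return {label: hash_tree(path) for label, path in roots.items()}


def diff_trees(baseline, current):
    """Compare two path->hash maps; return sorted (added, removed, changed)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return added, removed, changed


def compare_baseline(baseline, current):
    """Diff every labelled tree; a label missing on one side diffs against {}."""
    return {label: diff_trees(baseline.get(label, {}), current.get(label, {}))
            for label in sorted(set(baseline) | set(current))}


def save_baseline(path, baseline):
    with open(path, "w") as handle:
        json.dump(baseline, handle, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as handle:
        return json.load(handle)


def demo():
    """Constructed scenario (not real data): a fake bin tree and a fake cron.d.

    After the baseline is taken, 'ps' is trojaned and a persistence entry
    appears; everything else is untouched.  Returns the comparison report.
    """
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = os.path.join(tmp, "bin")
        cron_dir = os.path.join(tmp, "cron.d")
        os.makedirs(bin_dir)
        os.makedirs(cron_dir)
        with open(os.path.join(bin_dir, "ls"), "wb") as f:
            f.write(b"original ls bytes")
        with open(os.path.join(bin_dir, "ps"), "wb") as f:
            f.write(b"original ps bytes")
        with open(os.path.join(cron_dir, "logrotate"), "w") as f:
            f.write("0 3 * * * root /usr/sbin/logrotate\n")

        roots = {"bin": bin_dir, "startup": cron_dir}
        baseline_path = os.path.join(tmp, "baseline.json")
        save_baseline(baseline_path, build_baseline(roots))

        # Simulated compromise: trojaned ps plus a new startup entry.
        with open(os.path.join(bin_dir, "ps"), "wb") as f:
            f.write(b"trojaned ps that hides pids")
        with open(os.path.join(cron_dir, "update"), "w") as f:
            f.write("* * * * * root /tmp/.x/backdoor\n")

        return compare_baseline(load_baseline(baseline_path), build_baseline(roots))


if __name__ == "__main__":
    for label, (added, removed, changed) in demo().items():
        print(f"[{label}] added={added} removed={removed} changed={changed}")
```

Two caveats a practitioner would want: the baseline is only as good as the state it was taken from, so take it before the host is exposed and keep it (and the checker) off the host or signed; and this reads files through the host's own kernel and libc, so a rootkit that hooks open()/read() can hand the checker the original bytes. Tripwire- and AIDE-style tools work the same way, which is why the comparison is ideally run from trusted boot media.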
  • Shadow Realm (Member, Posts: 15)
    A lot of rootkits are able to "hide" from common looks like that, such as Jynx Rootkit/2.0 (Security101 - Blackhat Techniques - Hacking Tutorials - Vulnerability Research - Security Tools):

    • Hiding from netstat
    • Hiding from ps/top and /proc
    • File hiding
    • Advanced anti-removal features
    • SSL connect accept() hook
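The hiding features listed above are what a baseline comparison misses, because the listing it relies on (ps, ls, a /proc readdir) is the thing being lied to. The usual answer is a cross-view check: enumerate the same objects through two independent paths and report the difference. The Python below is an added example, not code from the thread or from any tool it mentions. It compares the PIDs a /proc directory listing shows against the PIDs the kernel admits to via kill(pid, 0), and also reads /etc/ld.so.preload, the file LD_PRELOAD-style rootkits use to load into every process. The pure comparison is what the constructed test exercises; the live enumeration assumes Linux (the pid_max fallback is an assumption for other systems).

```python
import os

PID_MAX_FILE = "/proc/sys/kernel/pid_max"   # Linux; fallback below for others
LD_PRELOAD_FILE = "/etc/ld.so.preload"      # normally absent or empty


def read_pid_max(default=32768):
    try:
        with open(PID_MAX_FILE) as handle:
            return int(handle.read().strip())
    except (OSError, ValueError):
        return default


def pids_from_proc():
    """The 'ps' view: whatever a directory listing of /proc returns.  This is
    the call a readdir() hook filters."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_exists(pid):
    """The kernel view: kill(pid, 0) delivers no signal but still answers.
    ESRCH means no such process; EPERM means it exists but is not ours."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def pids_from_kill_probe(pid_max):
    """Brute-force the whole PID space; a few seconds on a default pid_max."""
    return {pid for pid in range(1, pid_max + 1) if pid_exists(pid)}


def hidden_pids(listed, probed):
    """PIDs the kernel knows about that the listing omitted (pure, testable)."""
    return sorted(probed - listed)


def live_hidden_pids():
    """Run both views on this host.  Candidates are re-checked against a fresh
    listing and a fresh probe so processes that merely exited between the two
    enumerations (the main false-positive source) are dropped."""
    probed = pids_from_kill_probe(read_pid_max())
    listed = pids_from_proc()
    candidates = hidden_pids(listed, probed)
    relisted = pids_from_proc()
    return [pid for pid in candidates if pid_exists(pid) and pid not in relisted]


def ld_preload_entries():
    """Libraries forced into every dynamically linked process on the host."""
    try:
        with open(LD_PRELOAD_FILE) as handle:
            return [line.strip() for line in handle if line.strip()]
    except OSError:
        return []


if __name__ == "__main__":
    print("ld.so.preload entries:", ld_preload_entries() or "none")
    print("pids hidden from /proc listing:", live_hidden_pids() or "none")
```

This catches userland hooks of the kind in the list above (readdir() filtered for ps/top and /proc listings) because kill() bypasses libc's directory code entirely. A kernel-level rootkit that also hooks the kill or getdents syscalls defeats it, which is why the same idea is applied from outside the guest (memory forensics, hypervisor introspection) when the kernel itself is suspect. The same cross-view pattern works for the netstat case by comparing /proc/net/tcp against a raw packet capture.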