Hiding remote access

Hi.
I have almost finished the new remote access connection hiding system. Before, it was all done messily by redirecting the read syscall, which would sometimes cause errors when doing a netstat. Now I will do it by redirecting the function that /proc/net/tcp shows (tcp_seq_show, I think it was called); I have already redirected it and only need to write the new one that will check whether the ip is the one that has to be hidden or not, etc. In a couple of days or less I think it will be ready; there was no need for a slapdash job because the symbol needed to redirect it is exported. Later, when it is finished, it has to be added to the uninstall module because it has to be left as it was; if not, when we do a netstat, it will jump to our function that does not exist and the process will fail.
Greetings.


Posted by RaiSe

8 Responses to “Hiding remote access”

  1. David Reguera Garcia Says:

    Good! Let's see if we can have a public version for the 20th of this month and upload it at http://www.enye-sec.org :-). Greetings.

  2. RaiSe Says:

    Hi. I have finished the connection hiding subject. It looks much better now; it does not give errors as it used to before, depending on whether read was failing. Also, the socket numbers no longer come up skipped when doing a cat /proc/net/tcp like before, when it would go from 4 to 6, with the consequent administrator annoyance. Apart from that, I have deleted a lot of code from read.d, so it has become much more optimized, especially because the less we fiddle with sys_read, the better. Tonight I will pass it to you and you check it, ok? It is a version with all the new things in it (new handler, etc.), but not the module unloader, which I did not have the time to fit in. How are you doing with the pids? Greetings ;).

  3. David Reguera Garcia Says:

    Not bad, but I have it parked because of work and the rest; pass it to me when you can. Greetings.

  4. RaiSe Says:

    I have just emailed it to you. By the way, I have noticed a bug. When entering X (I do not think it is because of X itself; it probably reproduces with other resource-intensive programs), if you open remote access and exit X with the remote access open, it hangs. I thought it was something to do with the new connection hiding system but it is not, because when it is deactivated the same thing happens; it must be carried over from the old code. We will have to look at it again; I will try v1.1 to see if it also happens. If X is closed with remote access switched off, nothing happens. Greetings.

  5. RaiSe Says:

    With v1.1 it also happens; we will have to look at it in depth. Greetings.

  6. David Reguera Garcia Says:

    Very good, I will see if I can have a look at it tomorrow, I am really busy :_). Thanks for sending it.

  7. RaiSe Says:

    Damn, just what we needed... haha, the process hiding system does not work. The remote shell is seen when doing a ‘ps awx’. I think the ‘view’ system for seeing the processes has changed with the latest kernels; it no longer uses getdents on /proc, it must be using another system or method, so the hidden processes can be seen, and probably X must be waiting for a child (the shell) or something similar, which is why it hangs. We have to check the process hiding system; with v1.1 on the latest kernels (up to 2.6.17) the same thing happens. Greetings.

  8. RaiSe Says:

    Hi. Hiding the process is fixed; it was because it was using getdents instead of getdents64. A hacked_getdents was added and it is fixed (it must be that, depending on the ps version, it uses getdents or getdents64; now both of them are hooked). The hanging problem persists; it also happens when restarting the system, when it does a killall -TERM. This means that when TERM is sent it crashes; right now I have not got a clue why, we will have to keep looking. Greetings.
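A defender's cross-check for the getdents/getdents64 hiding discussed in the comments above, as an added example that is not code from the enye-sec project or its authors: it compares the PIDs returned by listing /proc (the view a hooked getdents filters) against PIDs reachable by opening /proc/<pid>/status directly by path, which a directory-listing hook does not touch. All function names are this example's own; it assumes a Linux host with procfs mounted at /proc.

```python
"""Cross-view check for processes hidden from the /proc directory listing.

Added example, not the rootkit's own code. A getdents/getdents64 hook can
filter /proc entries out of what `ps` sees, but opening /proc/<pid>/status by
path does not go through the directory listing, so a PID reachable that way,
absent from listings taken before and after the probe, and with Tgid == pid
(a thread-group leader, not a thread) is a hidden process.
"""
import os
import re
from typing import Iterable, Optional, Set

PROC = "/proc"

def listed_pids(proc: str = PROC) -> Set[int]:
    """PIDs visible through the directory listing, i.e. the getdents view."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def tgid_of(status_text: str) -> Optional[int]:
    """Parse the Tgid field of a /proc/<pid>/status file; None if absent."""
    m = re.search(r"^Tgid:\s*(\d+)\s*$", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None

def probed_pids(max_pid: int, proc: str = PROC) -> Set[int]:
    """PIDs reachable by direct path lookup, bypassing getdents. Threads also
    have unlisted /proc/<tid> directories, so a hit only counts when
    Tgid == pid; otherwise every multithreaded process would be flagged."""
    found: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            with open(f"{proc}/{pid}/status") as f:
                if tgid_of(f.read()) == pid:
                    found.add(pid)
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue  # no such PID, exited mid-read, or not ours to inspect
    return found

def hidden_pids(listings: Iterable[Set[int]], probed: Set[int]) -> Set[int]:
    """PIDs present in the probe but in none of the listings (taken before and
    after the probe, so processes that merely started or exited meanwhile
    are not reported)."""
    return probed - set().union(*listings)

if __name__ == "__main__":
    with open(f"{PROC}/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    before = listed_pids()
    probed = probed_pids(pid_max)
    print("hidden:", sorted(hidden_pids([before, listed_pids()], probed)))
```

Scanning up to pid_max (often 4194304) takes a few seconds in Python; a hook that also filters path lookups, rather than only the directory listing, would not be caught by this check.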
