* RoMaN SoFt / LLFB !! wrote on Thu, Apr 12, 2001 at 14:35 +0200:
If I were a trojan maker I'd make my trojan use the client (victim) to server (attacker) method using port 80 as destination port (the chances this port is allowed are high).
Yep, simply use HTTP for communication. Sniffing on the network may show proxies. GET "http://geocities.com/url/comm.cgi?params". So I would do that: sniff for a proxy if direct connects don't work.

But there are more chances: ICMP payload or setting some bits in the IP headers. Nice communication, 448 bits per bit overhead (1 "payload" bit per packet) :) But it should work and should be difficult to detect; I assume most people would think this is a kind of DoS [which it is, too :)].

Another nice idea was told, i.e. on bugtraq: just take a raw socket, process all input via DES. Some bytes (i.e. the last 20 bytes or so of each packet) are interpreted as a hash. If the hash matches, execute the decrypted instruction. Maybe a BASE64 decode is tried first [we may sniff an email] or whatever. This traffic may be on any hijacked TCP connection, a UDP packet or even IP proto 50. Nice idea - maybe combined with some ARP flooding, since switches are not uncommon...

Or sniff for allowed packets: analyse the traffic and emulate such packets (same destination port, same source IP); this should work for some cases, too (i.e. SSH maybe or whatever).

But ipchains -l [Kurt: surely you know that -s defaults to 0.0.0.0/0.0.0.0] -j DENY and things like snort help you to detect such attempts.

oki, Steffen

--
This message was produced by machine, so it bears neither signature nor seal.
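The detection side of the last point (ipchains -l ... -j DENY logging), as an added example that is not part of the post: a small parser for kernel "Packet log:" lines in the format documented in the ipchains HOWTO that counts repeated denied outbound attempts per internal host, so a trojan that keeps retrying port 80 (or ICMP echo) stands out. The log lines are constructed, and the rule-number suffix and the ICMP type:code placement are assumptions.

```python
import re
from collections import Counter

# ipchains "-l" kernel log format (assumption: as in the ipchains HOWTO,
# syslog prefix in front, optional "(#N)" rule number at the end).
# For PROTO=1 (ICMP) the "port" fields carry ICMP type (src) and code (dst).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample lines: one host retries 203.0.113.5:80 every 30 s and
# also sends an ICMP echo; another host hits port 80 once; one DNS reply.
SAMPLE_LOG = """\
Apr 12 14:40:01 fw kernel: Packet log: output DENY eth0 PROTO=6 192.168.1.20:1031 203.0.113.5:80 L=60 S=0x00 I=44211 F=0x4000 T=64 SYN (#3)
Apr 12 14:40:31 fw kernel: Packet log: output DENY eth0 PROTO=6 192.168.1.20:1032 203.0.113.5:80 L=60 S=0x00 I=44212 F=0x4000 T=64 SYN (#3)
Apr 12 14:41:01 fw kernel: Packet log: output DENY eth0 PROTO=6 192.168.1.20:1033 203.0.113.5:80 L=60 S=0x00 I=44213 F=0x4000 T=64 SYN (#3)
Apr 12 14:41:05 fw kernel: Packet log: output DENY eth0 PROTO=6 192.168.1.44:2011 198.51.100.9:80 L=60 S=0x00 I=100 F=0x4000 T=64 SYN (#3)
Apr 12 14:41:09 fw kernel: Packet log: output DENY eth0 PROTO=1 192.168.1.20:8 203.0.113.5:0 L=84 S=0x00 I=9 F=0x0000 T=64 (#4)
Apr 12 14:41:10 fw kernel: Packet log: input ACCEPT eth1 PROTO=17 192.168.1.1:53 192.168.1.20:1034 L=78 S=0x00 I=0 F=0x0000 T=254 (#1)
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not a packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def find_repeat_offenders(lines, proto=6, dport=80, threshold=3, chain="output"):
    """Map source IP -> number of DENY entries on `chain` for the given
    protocol and destination port (ICMP code for proto 1), keeping only
    hosts at or above `threshold`. Repeated denies to the same port are
    the footprint of a client that keeps calling home despite the rule."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["target"] != "DENY" or rec["chain"] != chain:
            continue
        if rec["proto"] == proto and rec["dport"] == dport:
            counts[rec["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(find_repeat_offenders(SAMPLE_LOG.splitlines()))
```

Run it against `/var/log/messages` (or wherever klogd writes) instead of `SAMPLE_LOG` to get the same per-host counts for real traffic.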