
Re: Back Orifice 2000






John Nicholls wrote:
> 
> [trying to limit outbound access in case of trojans]
>
> How about NOT allowing http access from inside but only E-mail e.g. the
> OpenBSD Firewall is running Sendmail and DNS and only accepting SMTP tcp on
> Port 25 and DNS udp/tcp on Port 53 and redirects to a web server running on
> port 80 on a FreeBSD Box. The OpenBSD box would also be running pop3 which
> is only accessible from the inside. The inside users send mail via the smtp
> server and receive mail via pop3 but only from the inside. Can a trojan
> tunnel through this??

Well... I've seen TCP implemented on top of DNS. People I know claim to have 
seen a slow but working version of NFS implemented on top of e-mail.

As I said: anything can be tunneled on top of everything, and there
isn't a darn thing you can do about it.

However, your approach seems sensible. Your default trojan would
definitely attempt port 80 outbound, since this is the most common
port open in the world. Keeping that port closed is likely to make
it much, much harder for a trojan to connect out. (But still far
from impossible).

Good luck :)

/Mike

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/       E-mail: mikael.olsson@enternet.se
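
The reply above says TCP has been carried over DNS, and the proposed policy leaves DNS and mail as the only ways out. As an added example (not part of either post), here is a defender's check over resolver logs that flags a client sending many unique, long or high-entropy names under one parent domain. The sample log, the thresholds and all function names are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

B32 = "abcdefghijklmnopqrstuvwxyz234567"

def encoded_label(i, n=40):
    # Constructed stand-in for an encoded data chunk (deterministic, not real traffic).
    return "".join(B32[(i * 7 + j * 5) % 32] for j in range(n))

# Constructed resolver-log sample: (client, queried name). Names and addresses are made up.
SAMPLE = (
    [("10.0.0.5", n) for n in ("www.example.com", "mail.example.com", "www.example.com")]
    + [("10.0.0.7", f"host{i}.example.org") for i in range(6)]   # busy but ordinary
    + [("10.0.0.9", f"{encoded_label(i)}.t.example.net") for i in range(6)]
)

def entropy(s):
    """Shannon entropy of s in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(name):
    """Return (subdomain, parent). Assumption: parent is the last two labels."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def suspicious_pairs(queries, min_unique=5, min_len=30, min_entropy=3.5):
    """Flag (client, parent) pairs with many unique, long or random-looking subdomains."""
    seen = defaultdict(set)
    for client, name in queries:
        sub, parent = split_name(name)
        if sub:  # a bare parent-domain query carries no subdomain to inspect
            seen[(client, parent)].add(sub)
    flagged = {}
    for key, subs in seen.items():
        mean_len = sum(map(len, subs)) / len(subs)
        mean_ent = sum(map(entropy, subs)) / len(subs)
        # Volume alone is not enough: host0..host5 is unique but short and low-entropy.
        if len(subs) >= min_unique and (mean_len >= min_len or mean_ent >= min_entropy):
            flagged[key] = {"unique": len(subs), "mean_len": round(mean_len, 1),
                            "mean_entropy": round(mean_ent, 2)}
    return flagged

if __name__ == "__main__":
    for (client, parent), stats in suspicious_pairs(SAMPLE).items():
        print(client, parent, stats)
```

The two-label parent split is a simplification; a real deployment would use a public-suffix list and tune the thresholds against its own baseline traffic.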