- 27665/tcp from attacker to "master(s)"
- 27444/udp from "master(s)" to "daemons"
      command l44adsl [arguments]
- 31335/udp from "daemons" to "master(s)"
- Master encrypts daemon list using Blowfish
- Master execution protected by crypt() encrypted password
- Daemon commands protected by crypt() encrypted passwords
- Root not required (uses unprivileged ports)
- Master IP addresses visible (+)
- Enough strings to recognize daemon/master easily (+)
- Listening TCP/UDP ports can be seen with "lsof" (+)
- Attacker session not encrypted (+)
- "Root Kits" hide processes/files/directories (-)
- Ethernet switches make monitoring TCP/UDP traffic
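
Added example, not part of the original slide or of any tool it describes: a flow classifier built from the three port/direction pairs and the 27444/udp command shape listed above. The flow-record tuple layout, the addresses and the `CMD` command name are constructed for illustration.

```python
import re
from collections import defaultdict

# (protocol, destination port) -> (sender role, receiver role), from the list above
CHANNELS = {
    ("tcp", 27665): ("attacker", "master"),
    ("udp", 27444): ("master", "daemon"),
    ("udp", 31335): ("daemon", "master"),
}
# Datagram shape shown for 27444/udp: "command l44adsl [arguments]"
CMD_RE = re.compile(rb"^(\S+) l44adsl(?: (.*))?$")

def classify(flows):
    """Map each host to {role: set of channels it was seen on} and list
    27444/udp datagrams whose payload matches the command shape."""
    seen = defaultdict(lambda: defaultdict(set))
    commands = []
    for proto, src, dst, dport, payload in flows:
        key = (proto, dport)
        if key not in CHANNELS:
            continue
        src_role, dst_role = CHANNELS[key]
        seen[src][src_role].add(key)
        seen[dst][dst_role].add(key)
        m = CMD_RE.match(payload.strip()) if key == ("udp", 27444) else None
        if m:
            commands.append((src, dst, m.group(1).decode("ascii", "replace")))
    return seen, commands

def likely_masters(seen):
    """A port number alone is weak evidence; keep hosts that act as
    master on at least two of the three channels."""
    return sorted(h for h, r in seen.items() if len(r.get("master", ())) >= 2)

# Constructed flow records: (proto, src, dst, dst_port, payload)
SAMPLE_FLOWS = [
    ("tcp", "198.51.100.7", "192.0.2.10", 27665, b""),
    ("udp", "192.0.2.10", "192.0.2.21", 27444, b"CMD l44adsl 203.0.113.50\n"),
    ("udp", "192.0.2.21", "192.0.2.10", 31335, b""),
    ("udp", "192.0.2.30", "192.0.2.31", 27444, b"unrelated datagram"),
    ("udp", "192.0.2.40", "192.0.2.53", 53, b""),
]

if __name__ == "__main__":
    seen, commands = classify(SAMPLE_FLOWS)
    print("likely masters:", likely_masters(seen))
    print("command datagrams:", commands)
```

The fourth sample flow hits 27444/udp without the command shape, so it is recorded as a single-channel candidate only and does not appear in either result.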
Dave Dittrich <email@example.com>
Last modified: Mon Nov 1 22:12:00 PST 1999