Re: Back Orifice - RedHat 7 [Update]

From: Neophyte (neophyte@news.snel.net)
Date: 06/28/02


From: "Neophyte" <neophyte@news.snel.net>
Date: Fri, 28 Jun 2002 10:33:36 +0200

Hi Nick,

Thanks for the input. Yes, I know (now) what the deal is with Back Orifice
and I do agree with your statement about "a trojaned binary...etc", which is
in part how this whole string started. I wanted to know if anyone else had
experienced the same thing...with RedHat...not knowing or suspecting that it
was PortSentry that's producing the output. Now that I understand a little
more about how it works, I'm somewhat at ease about it, but I think in this
day and age, a little paranoia isn't necessarily a bad thing. We all know
how a little creativity in this field goes a long way. We all like to
entertain the possibilities. ;^)

In regards to your suggestions, I've not tried the "lsof" query you suggest,
but I will and I'm afraid I've not tried telnetting to the port as I didn't
include telnet in the installation. I know and trust myself enough to know
that I'll ultimately sort this all out, but I do and will appreciate any
shoves in the right direction. After all, can we ever be too curious,
creative or careful or responsible in regards to the net?

Thanks again,
Gabriel

"Nick Adams" <nicka@exis.net> wrote in message
news:3d1bb909$1_2@grouper.exis.net...
>
> "Neophyte" <neophyte@news.snel.net> wrote in message
> news:1025162183.346818@news.knoware.nl...
> > Hello Again,
> >
> > I once again installed RedHat 7X on another box to make sure that I wasn't
> > delusional. The procedure I followed was to first install RedHat 7.1 without
> > X. What I did choose was the Networked Workstation and DialUp Workstation. I
> > also went in and purged the installation of programs I didn't want and added
> > a couple that I did. After installation, I ran nmap and it revealed nothing
> > unusual (as far as I know), just: ssh, smtp....in other words, nothing more
> > than I would expect. Afterwards, I installed other peripheral packages (all
> > included with the RH distribution), including portsentry, hostsentry,
> > sniffit, snort, aide...etc.
> >
> > I then proceeded to upgrade that installation to RH7.2, telling it to
> > upgrade the existing installation. I did go in and purge a lot of the
> > programs from this installation as well, but the bloat is ever present in
> > some regards (grrrr). In any event, I went with what was acceptable for now
> > and proceeded with the upgrade. I once again ran portsentry against the tcp
> > and udp protocols to which I received no alarm. I then ran nmap again, and
> > "sure as shootin' " there it was:
> > port 54320 -tcp open bo2k!!!
> >
> > Concomitant to this is the fact that after the upgrade to 7.2 nmap showed a
> > lot of other ports that were open which I can only conclude resulted from
> > said upgrade. These include:
> > 1 - tcpmux
> > 587 - unknown
> > 1080 - socks
> > 6667 - irc
> > 12345/6 - NetBus
> > 31337 - elite
> > 32771/2/3/4 - sometimes-rpc5/7/9/11
> > 54320 - bo2k
> >
> > some of which I'd have never chosen to put on a box I'd use as a firewall
> > unless I was totally out of my gourd. Again, if this is all legitimate, I can
> > accept it, but I can't understand why bo2k client or server would be
> > included in this installation and secondly how such a barebones installation
> > with RH 7.1 turns into this with 7.2.
> >
> > If anyone can enlighten me on this subject, I'd appreciate it, but until
> > then, I'll just try another distribution. I'm willing to admit that maybe
> > some of this has to do with my incomplete understanding of Linux (if such a
> > state of complete understanding exists), but I do know a thing or two, and
> > this strikes me as odd. So, before I go online with Linux, via the cable, I
> > want to make sure that I'm using and have configured as secure a system as
> > I'm capable of and I'm in no rush to do so.
> >
> > I hope I've been sufficiently informative. Your help is greatly appreciated.
> >
> > Gabriel
> >
> > P.S. I also ran netstat -aplt which also failed to display the bo2k entry,
> > but did include all of the above stated and then some...go figure.
> >
> >
>
> First off Back Orifice is a Windows backdoor, not to say that a trojan'd
> binary or shell couldn't run on the same port as BO. The TCP 587 is
> sendmail submission so no problem there. What does lsof -i show for open TCP
> ports/programs? I am 99.999% positive port sentry is faking the open ports;
> because that's how it works! What happens when you telnet to the port:
>
> telnet localhost 54320
>
> Probably nothing more than a log to port sentry (actually it may ignore logs
> from loopback)! Anyways try shutting down port/host sentry and scan your
> machine ;)
>
> Nick
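
As an added example (not code from either poster), the following POSIX shell script carries out the `lsof -i` check Nick suggests against a constructed sample of `lsof -i -P -n` output, attributing each port from the nmap list to the process that actually holds it; `owner_of`, `classify` and the sample output are this example's own constructions, with PortSentry holding the decoy ports and sendmail holding 587.

```shell
#!/bin/sh
# Added example: run the "lsof -i" check from the thread against a constructed
# sample of `lsof -i -P -n` output (numeric ports, no name lookups) and say,
# for each port a scanner reported open, which process actually owns it.

# Constructed sample standing in for a real `lsof -i -P -n` run on the box.
SAMPLE_LSOF='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       612 root    3u  IPv4   1234      0t0  TCP *:22 (LISTEN)
sendmail   700 root    4u  IPv4   1300      0t0  TCP 127.0.0.1:25 (LISTEN)
sendmail   700 root    5u  IPv4   1301      0t0  TCP 127.0.0.1:587 (LISTEN)
portsentry 812 root    3u  IPv4   1401      0t0  TCP *:1 (LISTEN)
portsentry 812 root    4u  IPv4   1402      0t0  TCP *:1080 (LISTEN)
portsentry 812 root    5u  IPv4   1403      0t0  TCP *:31337 (LISTEN)
portsentry 812 root    6u  IPv4   1404      0t0  TCP *:54320 (LISTEN)'

# owner_of PORT LSOF_OUTPUT: print the COMMAND holding a LISTEN socket on
# PORT, or "none" when nothing on the host is bound to it.
owner_of() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $NF == "(LISTEN)" && $(NF-1) ~ (":" p "$") { print $1; found = 1; exit }
        END { if (!found) print "none" }'
}

# classify "PORT PORT ..." LSOF_OUTPUT: one line per port, "<port> <verdict> <owner>".
classify() {
    for port in $1; do
        owner=$(owner_of "$port" "$2")
        case $owner in
            portsentry) verdict=decoy ;;          # PortSentry bound it to catch scans
            none)       verdict=not-listening ;;  # scanner said open, nothing owns it: rescan
            *)          verdict=investigate ;;    # a real daemon: confirm which package ships it
        esac
        printf '%s %s %s\n' "$port" "$verdict" "$owner"
    done
}

# Stand-alone run over the ports from the original post's nmap output.
classify "1 587 1080 6667 12345 31337 54320" "$SAMPLE_LSOF"
```

On the real box, replace the sample with `lsof -i -P -n` output captured while PortSentry is running, then repeat the scan with it stopped, as Nick suggests, to confirm the decoy ports disappear.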