Re: Am I infected with Back Orifice 2K?

From: Mike H (hanmjau_at_yahoo.com.au)
Date: 09/21/05


Date: Wed, 21 Sep 2005 17:33:23 +1000

Robert Glueck wrote:
> On my desktop machine, I'm running an iptables firewall that
> I've configured with the GUI program Firestarter. Right
> now, some ports are open to exchange files via BitTorrent,
> using Azureus 2.3.0.4 (a Java program).
>
> Looking at the active connections with Firestarter, I see
> the following entry among others:
>
> Source: my LAN address
> Destination: ......sb.sd.cox.net
> Port: 54321
> Service: Back orifice 2K
> Program: java
>
> This active connection is associated with one of the files
> that is currently open for down/uploading.
>
> What does this mean? Is my machine infected with the trojan
> Back Orifice 2000? I think it's specific to Windows,
> though. Or is this BitTorrent client or server ...cox.net
> simply using port 54321 for file exchange because that port
> has been assigned at random and Firestarter is flagging it
> as using the service Back Orifice 2K because that port may
> be associated with that trojan?
>
> What is going on and how can I investigate this further?
> I'd appreciate your advice.
>
> Thanks,
>
> Robert

Symantec, Computer Associates and Trend Micro have very comprehensive
virus encyclopedias which can help you to determine the behaviour of
viruses and (in CA's case) spyware.

Cheers
Mike
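
Robert's question asks whether the "Back orifice 2K" label might come from the port number alone, and how to look further. The following is an added example, not part of either post: it assumes the Service column is a lookup on port number (`PORT_LABELS` is a hypothetical table), parses constructed `ss -tanp`-style output, and reports which side of each flagged connection holds the port and which local process owns the socket.

```python
import re

# Assumption: a port-to-name table of the kind a firewall GUI could use for its
# "Service" column. Only the entry quoted in the post is included.
PORT_LABELS = {54321: "Back orifice 2K"}

# Constructed sample in the layout of `ss -tanp` output (documentation addresses).
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN 0      50     0.0.0.0:6881        0.0.0.0:*          users:(("java",pid=2211,fd=70))
ESTAB  0      0      192.168.1.10:40112  203.0.113.7:54321  users:(("java",pid=2211,fd=88))
ESTAB  0      0      192.168.1.10:51514  192.0.2.44:80      users:(("firefox",pid=1900,fd=40))
"""

PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def port_of(endpoint):
    """Return the numeric port of 'addr:port', or None for the '*' wildcard."""
    port = endpoint.rsplit(":", 1)[1]
    return int(port) if port.isdigit() else None

def triage(ss_output, labels=PORT_LABELS):
    """List sockets whose local or remote port matches a label, with their owner."""
    findings = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        m = PROC_RE.search(fields[5]) if len(fields) > 5 else None
        proc, pid = (m.group(1), int(m.group(2))) if m else ("unknown", None)
        # The label depends only on the port number; record which end holds it.
        for side, endpoint in (("local", local), ("remote", peer)):
            port = port_of(endpoint)
            if port in labels:
                findings.append({"label": labels[port], "port": port, "side": side,
                                 "state": state, "process": proc, "pid": pid})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print("{label}: port {port} is on the {side} side, state {state}, "
              "owned by {process} (pid {pid})".format(**f))
```

On a live host the same function can be given the text of `ss -tanp` run as root, so that sockets owned by other users show their process.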