Re: Am I infected with Back Orifice 2K?
From: Mike H (hanmjau_at_yahoo.com.au)
Date: Wed, 21 Sep 2005 17:33:23 +1000
Robert Glueck wrote:
> On my desktop machine, I'm running an iptables firewall that
> I've configured with the GUI program Firestarter. Right
> now, some ports are open to exchange files via bittorrent,
> using Azureus 126.96.36.199 (a java program).
> Looking at the active connections with Firestarter, I see
> the following entry among others:
> Source: my LAN address
> Destination: ......sb.sd.cox.net
> Port: 54321
> Service: Back orifice 2K
> Program: java
> This active connection is associated with one of the files
> that is currently open for down/uploading.
> What does this mean? Is my machine infected with the trojan
> Back Orifice 2000? I think it's specific to Windows,
> though. Or is this bittorrent client or server ...cox.net
> simply using port 54321 for file exchange because that port
> has been assigned at random and Firestarter is flagging it
> as using the service Back Orifice 2K because that port may
> be associated with that trojan?
> What is going on and how can I investigate this further?
> I'd appreciate your advice.
Symantec, Computer Associates and Trend Micro have very comprehensive
virus encyclopedias which can help you to determine the behaviour of
viruses and (in CA's case) spyware.
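
Added example (not part of either message in this thread): one way to follow up on the Firestarter entry from the question is to read the kernel's TCP socket table and check whether port 54321 is a local listening port or only the remote end of an outbound connection. The sample table, its addresses and inode numbers are constructed, and the function names are hypothetical.

```python
import socket
import struct

SUSPECT_PORT = 54321  # port from the Firestarter entry in the question
TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 6400A8C0:8F1C 0A6433C6:D431 01 00000000:00000000 00:00000000 00000000  1000        0 4410
   2: 6400A8C0:1AE1 0B6433C6:C350 01 00000000:00000000 00:00000000 00000000  1000        0 4411
"""

def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port); the IPv4 part is little-endian."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def classify(table_text, port=SUSPECT_PORT):
    """Return (role, local, remote, inode) for every socket that involves `port`."""
    hits = []
    for line in table_text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        local, remote = decode_endpoint(cols[1]), decode_endpoint(cols[2])
        state = TCP_STATES.get(cols[3], cols[3])
        if local[1] == port and state == "LISTEN":
            role = "local-listener"           # this host accepts connections on the port
        elif local[1] == port:
            role = "local-port-in-use"        # this host's end of a connection uses the port
        elif remote[1] == port:
            role = "outbound-to-remote-port"  # the peer's end uses the port, not this host
        else:
            continue
        hits.append((role, local, remote, int(cols[9])))
    return hits

if __name__ == "__main__":
    # On a live Linux host, pass open("/proc/net/tcp").read() instead of SAMPLE.
    for hit in classify(SAMPLE):
        print(hit)
```

The inode in each result can be matched against the socket links under /proc/<pid>/fd to name the owning process, which in the question's case Firestarter already reports as java.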