Re: Am I infected with Back Orifice 2K?

From: Mike H (hanmjau_at_yahoo.com.au)
Date: 09/21/05


Date: Wed, 21 Sep 2005 17:33:23 +1000

Robert Glueck wrote:
> On my desktop machine, I'm running an iptables firewall that
> I've configured with the GUI program Firestarter. Right
> now, some ports are open to exchange files via bittorrent,
> using Azureus 2.3.0.4 (a java program).
>
> Looking at the active connections with Firestarter, I see
> the following entry among others:
>
> Source: my LAN address
> Destination: ......sb.sd.cox.net
> Port: 54321
> Service: Back orifice 2K
> Program: java
>
> This active connection is associated with one of the files
> that is currently open for down/uploading.
>
> What does this mean? Is my machine infected with the trojan
> Back Orifice 2000? I think it's specific to Windows,
> though. Or is this bittorrent client or server ...cox.net
> simply using port 54321 for file exchange because that port
> has been assigned at random and Firestarter is flagging it
> as using the service Back Orifice 2K because that port may
> be associated with that trojan?
>
> What is going on and how can I investigate this further?
> I'd appreciate your advice.
>
> Thanks,
>
> Robert

Symantec, Computer Associates and Trend Micro have very comprehensive
virus encyclopedias which can help you to determine the behaviour of
viruses and (in CA's case) spyware.

Cheers
Mike
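
A service name derived from a port number says nothing about which program owns the socket or which end is listening, so the check below separates a local listener from an outbound connection. It is an added example, not part of the original thread: `triage_port` is a hypothetical helper, and the sample is constructed in the column layout of `ss -tanp` (only port 54321 and the program name `java` come from the post).

```sh
#!/bin/sh
# Constructed sample in the layout of `ss -tanp`; addresses, PIDs and file
# descriptors are made up for illustration.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      50     0.0.0.0:6881       0.0.0.0:*         users:(("java",pid=2314,fd=60))
ESTAB  0      0      192.168.1.10:40112 203.0.113.7:54321 users:(("java",pid=2314,fd=87))
ESTAB  0      0      192.168.1.10:51800 198.51.100.9:443  users:(("firefox",pid=1980,fd=44))'

# triage_port PORT: read ss-style lines on stdin and print, for every socket
# that involves PORT, "<verdict> <program> <local endpoint> <peer endpoint>".
triage_port() {
    awk -v port="$1" '
        NR == 1 { next }                              # skip the header row
        {
            local_ep = $4; peer_ep = $5
            lport = local_ep; sub(/.*:/, "", lport)   # text after the last colon
            pport = peer_ep;  sub(/.*:/, "", pport)
            prog = "unknown"          # ss omits the owner when run unprivileged
            if (match($0, /\(\("[^"]*"/))
                prog = substr($0, RSTART + 3, RLENGTH - 4)
            if ($1 == "LISTEN" && lport == port)
                print "LOCAL-LISTENER", prog, local_ep, peer_ep
            else if (lport == port)
                print "INBOUND-TO-LOCAL-PORT", prog, local_ep, peer_ep
            else if (pport == port)
                print "OUTBOUND-TO-REMOTE-PORT", prog, local_ep, peer_ep
        }'
}

# On a live system, run as root so owners are shown: ss -tanp | triage_port 54321
printf '%s\n' "$SAMPLE_SS" | triage_port 54321
```

A `LOCAL-LISTENER` or `INBOUND-TO-LOCAL-PORT` verdict owned by a program you do not recognise is what deserves a closer look; an `OUTBOUND-TO-REMOTE-PORT` line only shows that the remote peer chose that port.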


