Re: Am I infected with Back Orifice 2K?

From: Colin McKinnon (colin.deletethis_at_andthis.mms3.com)
Date: 09/21/05


Date: Wed, 21 Sep 2005 09:34:36 +0100

Robert Glueck wrote:

> On my desktop machine, I'm running an iptables firewall that
> I've configured with the GUI program Firestarter. Right
> now, some ports are open to exchange files via bittorrent,
> using Azureus 2.3.0.4 (a java program).
>
> Looking at the active connections with Firestarter, I see
> the following entry among others:
>
> Source: my LAN address
> Destination: ......sb.sd.cox.net
> Port: 54321
> Service: Back orifice 2K
> Program: java
>
<snip>
>
> What does this mean? Is my machine infected with the trojan
> Back Orifice 2000? I think it's specific to Windows,

Yes. Firestarter is just reporting traffic on port 54321. It looks up a
database to find a human-readable description associated with that service
(usually /etc/services) and prints it out for you to read ("Back Orifice
2K"). Knowing port numbers and IP addresses, and with sufficient privilege,
it searches through the open file list to find the pid which the local end of
the socket belongs to....and from that looks up the process name - in this
case java.

BO2K does not affect non-MS-Win machines (although it may be possible to
infect an emulated system). BO2K is not written in Java.

>
> What is going on and how can I investigate this further?
> I'd appreciate your advice.
>

It's nothing to worry about. If you want to know more learn how to use:
        netstat
        tcpdump
        iptraf
C.
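What Firestarter is doing in the reply above, reproduced as an added example (this is not code from the thread or from Firestarter): map the remote port to a name from an /etc/services-style table, decode the connection from the /proc/net/tcp layout, and find the owning process by looking for the socket inode in /proc/<pid>/fd. Assumptions: the services table and the /proc/net/tcp line are constructed samples (stock distribution files do not necessarily carry a 54321 entry; the "bo2k" name here is invented for the lookup), and address decoding assumes a little-endian host such as x86. Seeing other users' file descriptors needs root, which is the "sufficient privilege" the reply mentions.

```python
"""Resolve an observed TCP connection to a service name and owning process,
Firestarter-style: a name lookup by port, then an inode-to-pid search."""
import os
import socket
import struct

# Constructed sample in /etc/services syntax (not the real file).
SAMPLE_SERVICES = """\
# service-name  port/protocol  [aliases ...]   # comment
ssh             22/tcp
http            80/tcp          www
bittorrent      6881/tcp
bo2k            54321/tcp                      # Back Orifice 2K
"""

# Constructed sample in the layout of /proc/net/tcp: one ESTABLISHED
# connection 192.168.1.10:39112 -> 192.0.2.44:54321, socket inode 123456.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A01A8C0:98C8 2C0200C0:D431 01 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV",
              0x04: "FIN_WAIT1", 0x05: "FIN_WAIT2", 0x06: "TIME_WAIT",
              0x07: "CLOSE", 0x08: "CLOSE_WAIT", 0x09: "LAST_ACK",
              0x0A: "LISTEN", 0x0B: "CLOSING"}


def parse_services(text):
    """Map (port, proto) -> primary service name from /etc/services syntax."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        table[(int(port), proto)] = fields[0]
    return table


def hex_addr(field):
    """Decode 'IIIIIIII:PPPP' from /proc/net/tcp. The kernel prints the
    address in host byte order; this assumes a little-endian host (x86)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return connections as dicts: local, remote, state, uid, inode."""
    conns = []
    for line in text.splitlines()[1:]:            # skip the header line
        f = line.split()
        if len(f) < 10:
            continue
        conns.append({
            "local": hex_addr(f[1]),
            "remote": hex_addr(f[2]),
            "state": TCP_STATES.get(int(f[3], 16), f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return conns


def find_pid_for_inode(inode, proc_root="/proc"):
    """Scan <proc_root>/<pid>/fd for a 'socket:[inode]' link. Needs root to
    see other users' processes. Returns (pid, comm) or None."""
    target = "socket:[%d]" % inode
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:            # not our process, or it already exited
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    with open(os.path.join(proc_root, pid, "comm")) as fh:
                        return int(pid), fh.read().strip()
            except OSError:
                continue
    return None


def describe(conn, services, proc_root="/proc"):
    """Build the Firestarter-style line. The 'service' is only a name looked
    up by remote port; it says nothing about what the peer is running."""
    rport = conn["remote"][1]
    owner = find_pid_for_inode(conn["inode"], proc_root)
    return {
        "source": "%s:%d" % conn["local"],
        "destination": "%s:%d" % conn["remote"],
        "port": rport,
        "service": services.get((rport, "tcp"), "unknown"),
        "program": owner[1] if owner else "unknown (need root to read other users' fds)",
    }


if __name__ == "__main__":
    services = parse_services(SAMPLE_SERVICES)
    for c in parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        print(describe(c, services))
    # On a live box, feed open("/proc/net/tcp").read() to parse_proc_net_tcp
    # and open("/etc/services").read() to parse_services instead.
```

The lookup is purely by port number, so any program that happens to use 54321 gets the "bo2k" label; the pid search is the only part that tells you which local process actually owns the socket, and that is the part that needs privilege.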


