Internet Security Systems

Back Orifice scan

advICE : Intrusions : 2001501
Summary

Someone has scanned the system for the "Back Orifice" trojan. Back Orifice scans are one of the most frequent attacks seen on the Internet.

Details

Your machine has been scanned, but not targeted. This means the hacker is scanning thousands of machines on the Internet hoping to find one that has been compromised by Back Orifice. The hacker isn't necessarily going after you in particular.

Most compromises occur because the hacker posts an infected program or document on the Internet and hopes that people will run it. The hacker then scans the Internet for these compromised machines.

In other words, while this is a clear sign of an "attack", it isn't necessarily directed against your machine. Furthermore, even if your machine has been compromised by Back Orifice, our firewall subsystem will block access to it.

More Details

A common question is "Does the product protect against Back Orifice?". The answer is yes or no, depending upon your perspective. Our product is purely a network traffic scanner, not a file scanner like anti-virus. Therefore, it can block the Back Orifice traffic, preventing the hacker from ever using the trojan to control your machine. However, our product cannot "clean" it from your disk; for that you need an anti-virus. In other words, our product effectively disables Back Orifice from use by the hacker, but it does not actually remove it. This is why you need both traffic-scanners (like our product) and file-scanners (like anti-virus programs).

Trigger

There are no false positives: this signature only triggers when the packet contents are conclusively Back Orifice. It is a full protocol decode that is independent of both the port used and the password used to encrypt the packet.

More information

Back Orifice: in-depth set of information about Back Orifice and how it is used to break into systems.
X-Force 1218: win95-back-orifice
ISS Advisory 5: Cult of the Dead Cow Back Orifice Backdoor
ISS Advisory 8: Windows Backdoors Update
MS Bulletin MS98-010: Information on the "Back Orifice" Program

Parametric information

type: The Back Orifice command (PING, SYSINFO, PROCESSKILL, etc.).
passwd_hash: The hash of the password used to encrypt the Back Orifice traffic. While it is impossible to determine the original password from this hash, knowing the hash can sometimes help differentiate between "script-kiddies" who use the default password (with hash 0x7A69) and serious crackers who use a non-default password.
length: The length of the Back Orifice packet.
xid: The XID is often 0x0 for sweeping programs, or some other value for the BO client. The former indicates the attacker has no specific interest in the target machine; the latter is a good indication the intruder is interested in finding Back Orifice on that one machine.
vport: The victim's port number (the port the BO server is running on). Port 31337 is the default and indicates activity by "script-kiddies", while other ports indicate a serious cracker is targeting the system.
iport: The intruder's port number. Different well-known BO clients use different port numbers.
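The Trigger section says the signature is a full protocol decode that works regardless of port or password, and the parametric fields above are what such a decode yields. The following is an added example (not ISS code and not taken from this page) showing how a defender can implement that kind of decode and then apply the page's own triage heuristics. It assumes the Back Orifice 1.x UDP packet layout as documented by open-source decoders such as Snort's "bo" preprocessor (XOR keystream from the Microsoft C runtime LCG seeded with a 16-bit password hash, an 8-byte "*!*QWTY?" magic, then length, XID and a type byte); the numeric command codes are not reproduced, and the sample packets are constructed inline rather than captured.

```python
"""
Added example (not ISS code): decode a Back Orifice (BO 1.x) UDP payload
regardless of the port it arrived on or the password the attacker chose,
then triage the result with the heuristics from the parametric notes.

Assumed packet format (as documented by open-source decoders such as
Snort's "bo" preprocessor; verify against your own traffic):
  - the payload is XOR-ed with a keystream from the Microsoft C runtime
    LCG, seeded with a 16-bit key: the password hash (default 0x7A69);
  - the plaintext begins with the 8-byte magic "*!*QWTY?", followed by a
    little-endian 32-bit length, a little-endian 32-bit id (XID), one
    command-type byte and the command data.
"""
import struct
from functools import lru_cache

MAGIC = b"*!*QWTY?"
DEFAULT_KEY = 0x7A69        # hash of the default BO password (from the advisory text)
DEFAULT_VPORT = 31337       # default BO server port (from the advisory text)
HEADER_LEN = len(MAGIC) + 4 + 4 + 1


def keystream(key: int, n: int) -> bytes:
    """n keystream bytes from the MS CRT rand() LCG seeded with `key`."""
    state = key & 0xFFFFFFFF
    out = bytearray()
    for _ in range(n):
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        out.append(((state >> 16) & 0x7FFF) % 256)
    return bytes(out)


def bo_xor(data: bytes, key: int) -> bytes:
    """XOR is symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


@lru_cache(maxsize=None)
def magic_table() -> dict:
    """Map every possible encrypted magic (all 65536 keys) back to its key.
    Built once; afterwards detection is a dictionary lookup on the first 8
    bytes, so neither the port nor the password needs to be known."""
    return {bo_xor(MAGIC, k): k for k in range(0x10000)}


def decode(payload: bytes):
    """Return the BO fields (passwd_hash, length, xid, type, data) or None
    when the payload is not a consistent BO packet."""
    if len(payload) < HEADER_LEN:
        return None
    key = magic_table().get(payload[:8])
    if key is None:
        return None
    plain = bo_xor(payload, key)
    length, xid = struct.unpack_from("<II", plain, 8)
    if length != len(payload):
        return None          # magic matched but the length field disagrees: reject
    return {"passwd_hash": key, "length": length, "xid": xid,
            "type": plain[16], "data": plain[17:]}


def triage(fields: dict, vport: int) -> dict:
    """Apply the advisory's heuristics: default hash, zero XID and port
    31337 point to a bulk sweep; any deviation suggests a targeted probe."""
    default_password = fields["passwd_hash"] == DEFAULT_KEY
    sweep_xid = fields["xid"] == 0
    default_port = vport == DEFAULT_VPORT
    return {"default_password": default_password, "sweep_xid": sweep_xid,
            "default_port": default_port,
            "targeted": not (default_password and sweep_xid and default_port)}


def build_packet(key: int, xid: int, cmd_type: int, data: bytes = b"") -> bytes:
    """Construct a BO packet for exercising the decoder (constructed sample
    traffic, not a capture). Real command codes are not reproduced here;
    callers pass an arbitrary type byte."""
    length = HEADER_LEN + len(data)
    plain = MAGIC + struct.pack("<II", length, xid) + bytes([cmd_type]) + data
    return bo_xor(plain, key)


if __name__ == "__main__":
    # constructed samples: a default-key sweep packet on 31337, and a probe
    # with a non-default hash and non-zero XID arriving on another port
    sweep = build_packet(DEFAULT_KEY, 0, 0x01)
    probe = build_packet(0x1234, 0xDEADBEEF, 0x01, b"arg")
    for pkt, vport in ((sweep, DEFAULT_VPORT), (probe, 4444)):
        f = decode(pkt)
        print(hex(f["passwd_hash"]), hex(f["xid"]), f["length"], triage(f, vport))
```

The length check after the magic match is what keeps the decode free of false positives in the sense the Trigger section describes: a random 8-byte prefix that happens to collide with one of the 65536 encrypted magics is still rejected unless the decrypted length field agrees with the datagram size.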

 
Version appeared: 1.0 
