Back Orifice ping - Internet Security Systems

advICE: Intrusions: 2001506
Summary

Somebody has pinged the system for the "Back Orifice" trojan. Unless the system responds, it is unlikely that it has been compromised. Back Orifice pings are the most frequent attack seen on the Internet.

Details

Your machine has been scanned, but not targeted. This means the hacker is scanning thousands of machines on the Internet hoping to find one that has already been compromised by Back Orifice. The hacker isn't necessarily going after you in particular.

Most compromises occur because the hacker posts an infected program or document on the Internet and hopes that people will run it. The hacker then scans the Internet for these compromised machines.

In other words, while this is a clear sign of an "attack", it isn't necessarily directed against your machine. Furthermore, even if your machine has been compromised by Back Orifice, the firewall subsystem will block access to it.

More information

Back Orifice: In-depth set of information about Back Orifice and how it is used to break into systems.

Parametric information

type: The Back Orifice command (PING, SYSINFO, PROCESSKILL, etc.).

passwd_hash: The hash of the password used to encrypt the Back Orifice traffic. While it is impossible to determine the original password used to generate this hash, knowing the hash can sometimes help differentiate between "script-kiddies" who use the default password (with hash 0x7A69) and serious crackers who use a non-default password.

length: The length of the Back Orifice packet.

xid: The XID is often 0x0 for sweeping programs, or some other value for the BO client. The former indicates the attacker has no specific interest in the target machine; the latter is a good indication the intruder is interested in finding Back Orifice on that one machine.

vport: The victim's port number (the port the BO server is running on). Port 31337 is the default port and indicates activity by "script-kiddies", while other ports indicate a serious cracker is targeting the system.

iport: The intruder's port number. Different well-known BO clients use different port numbers.
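As an added example (not ISS code), the following Python routine applies the triage indicators above to constructed log lines: default password hash 0x7A69, default port 31337, and an XID of 0x0 as the mark of a sweep. The "bo_ping key=value" log format, the field names and the sweep threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample events in an assumed "bo_ping key=value" log format; the field
# names mirror the parametric information above (type, passwd_hash, xid, vport, iport).
SAMPLE_LOG = """\
bo_ping src=192.0.2.10 dst=203.0.113.5 type=PING passwd_hash=0x7A69 xid=0x0 vport=31337 iport=1045
bo_ping src=192.0.2.10 dst=203.0.113.6 type=PING passwd_hash=0x7A69 xid=0x0 vport=31337 iport=1045
bo_ping src=192.0.2.10 dst=203.0.113.7 type=PING passwd_hash=0x7A69 xid=0x0 vport=31337 iport=1045
bo_ping src=198.51.100.7 dst=203.0.113.5 type=SYSINFO passwd_hash=0x1C3F xid=0x2B vport=4433 iport=1200
"""

DEFAULT_HASH = 0x7A69   # hash of the default BO password, as stated on the page
DEFAULT_PORT = 31337    # default BO server port

LINE_RE = re.compile(r"^bo_ping\s+(.*)$")

def parse_event(line):
    """Turn one log line into a dict; hex and decimal numeric fields become ints."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(1).split())
    for key in ("passwd_hash", "xid", "vport", "iport"):
        fields[key] = int(fields[key], 0)   # base 0 accepts 0x... and plain decimal
    return fields

def assess(ev):
    """Triage one event using the indicators the page describes."""
    return {
        "default_password": ev["passwd_hash"] == DEFAULT_HASH,
        "default_port": ev["vport"] == DEFAULT_PORT,
        # xid 0x0 is typical of sweeping tools; a non-zero xid suggests a BO client
        # aimed at this one host.
        "targeted": ev["xid"] != 0,
    }

def triage(log_text, sweep_threshold=3):
    """Assess every event and list sources that sweep many destinations with xid 0."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    results = [(ev["src"], ev["dst"], assess(ev)) for ev in events]
    dsts = defaultdict(set)
    for ev in events:
        if ev["xid"] == 0:
            dsts[ev["src"]].add(ev["dst"])
    sweepers = sorted(src for src, d in dsts.items() if len(d) >= sweep_threshold)
    return results, sweepers
```

On the constructed sample, the first source is reported as a sweeper using the default password and port, while the second event set is flagged as targeted with a non-default password and port.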

