BackOrifice on Linux Webserver? (Centos)

I previously thought Back Orifice only infected computers running windows, however I just ran Nmap against my server and came up with these results:

631/tcp closed ipp
80/udp open|filtered http
111/udp open|filtered rpcbind
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
517/udp open|filtered talk
518/udp open|filtered ntalk
631/udp open|filtered ipp
1025/udp open|filtered blackjack
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
4444/udp open|filtered krb524
5000/udp open|filtered upnp
5060/udp open|filtered sip
31337/udp open|filtered BackOrifice

I'm neither sure what to make of it, or how to remove it, I'm not an expert at linux and I have full SSH root access.

Thanks

 

The NMAP results some times depend on how your box's firewall reacts on the requests of an udp scan. So this could be a false positive.

 

So what could I do to make sure? I find it unusual that anything should be on port 31337 to even make a response.

 

BackOrifice was originally coded for both Windows and UNIX by the CDC. Currently one can find it on Sourceforge as BO2K.

The original BO was way ahead of its time and is also easily removed. If you need specific help to do so, go to the BO2k forum at: http://sourceforge.net/apps/phpbb/bo2k/

Hope this helped.

 

An example...read here:
http://shorewall.net/FAQ.htm#faq4a

 

Nmap is just reporting what service usually uses that port -- it is not saying that BackOrifice is installed on your machine. It could by anything using that port. Therefore you need to find out what services are using what ports.

So, I would run netstat. First get a root shell (or use sudo) and then:

Code:

netstat -tulnpv

Post output here.

 

Thanks, I'll have a read of those guys.

And Chronomatic, here is the info you wanted.

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 2586/mysqld
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1804/portmap
tcp 0 0 0.0.0.0:753 0.0.0.0:* LISTEN 1843/rpc.statd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2200/proftpd: (acce
tcp 0 0 96.31.MY.IP:53 0.0.0.0:* LISTEN 1776/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1776/named
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2100/cupsd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2176/master
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1776/named
tcp 0 0 :::80 :::* LISTEN 2428/httpd
tcp 0 0 :::22 :::* LISTEN 2087/sshd
tcp 0 0 ::1:953 :::* LISTEN 1776/named
tcp 0 0 :::443 :::* LISTEN 2428/httpd
udp 0 0 96.31.MY.IP:53 0.0.0.0:* 1776/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 1776/named
udp 0 0 0.0.0.0:39105 0.0.0.0:* 2331/avahi-daemon:
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2331/avahi-daemon:
udp 0 0 0.0.0.0:747 0.0.0.0:* 1843/rpc.statd
udp 0 0 0.0.0.0:750 0.0.0.0:* 1843/rpc.statd
udp 0 0 0.0.0.0:111 0.0.0.0:* 1804/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 2100/cupsd
udp 0 0 :::46208 :::* 2331/avahi-daemon:
udp 0 0 :::5353 :::* 2331/avahi-daemon:

 

@matty1985

Give this a try instead.

Code:

netstat -tunapv

Replaced the l with an a. a is for all, while l is for servers only.
Your results didn't show what is listening on port 31337 a.k.a. elite.

 

Here is another port scan with results of a linux box/server.
[urlhttps://www.securitymetrics.com/portscan.adp][/url]

Port Scan Results for: 1xx.1x.1xx.1x

Program: FTP
Port: 21
Status: Stealth
Explanation: File Transfer Protocol (FTP) allows users to transfer files to other computers over the Internet. A poorly configured FTP server allows hackers to copy your files, install trojan applications on your computer or obtain unauthorized remote command prompt access to your computer.

Program: SSH
Port: 22
Status: Stealth
Explanation: Secure Shell (SSH) uses encryption to secure information sent over a network. While it typically improves security there are numerous problems with older versions of SSH which may allow brute force attacks.

Program: Telnet
Port: 23
Status: Stealth
Explanation: Telnet allows a remote user to access your computer and perform commands. It is suspectible to brute force attacks and clear text password sniffing. A computer is misconfigured if this port is open. Use SSH instead.

Program: SMTP
Port: 25
Status: Stealth
Explanation: SMTP is used to send email. There are numerous vulnerabilities with SMTP such as unauthorized hard disk file access, username verification or SPAM email redirection.

Program: DNS
Port: 53
Status: Stealth
Explanation: Domain Name Services are used to tell other computers what your IP address is. There are several exploits associated with this service.

Program: Finger
Port: 79
Status: Stealth
Explanation: Finger provides information such as usernames and usage information. Turn this service off or block this port to stop others from gaining valuable system information.

Program: HTTP
Port: 80
Status: Stealth
Explanation: World Wide Web services allow you to publish web pages to the Internet. There are hundreds of severe security vulnerabilities associated with this service. Keep your WWW server software updated.

Program: POP3
Port: 110
Status: Stealth
Explanation: Post Office Protocol(POP) software downloads email. Hackers may use weaknesses in POP to intercept your email, create fictitious mail accounts or gain remote access to your computer.

Program: NetBIOS
Port: 139
Status: Stealth
Explanation: NetBIOS is used by Microsoft Windows and some UNIX/Linux programs to share files. If your hard disk is shared improperly (write access to everyone without authentication) you may be giving the world access to your hard disk. (Trojan files can be copied to your computer.) Make sure this port is closed and your hard drive shares are configured properly.

Program: SNMP
Port: 161
Status: Stealth
Explanation: Simple Network Management Protocol (SNMP) port may allow a hacker to obtain information about your computer. There are also security vulnerabilities associated with this port. You should turn off this service if you don't need it.

Program: SSL
Port: 443
Status: Stealth
Explanation: HTTP servers use Secure Sockets Layer (SSL) to encrypt data from web browsers. There are hundreds of severe security vulnerabilities associated with this service. Keep your WWW server software updated.

Program: MS DS
Port: 445
Status: Stealth
Explanation: Microsoft Directory Services is used by Microsoft Networks for security authentication. Typically this port should not be exposed to the Internet.

Program: Socks Proxy
Port: 1080
Status: Stealth
Explanation: An unsecured SOCKS Proxy may disqualify you from IRC server access. Make sure this port is closed.

Program: KaZaA
Port: 1214
Status: Stealth
Explanation: KaZaA is a popular peer-to-peer file-sharing program with many known vulnerabilities and at least one known worm (Benjamin) targeting it.

Program: UPnP
Port: 5000
Status: Stealth
Explanation: Universal Plug and Play allows your computer to automatically integrate with other network devices. There are known security vulnerabilities associated with this service.

Program: HTTP Proxy
Port: 8080
Status: Stealth
Explanation: HTTP Proxy provides a way for a hacker to pretend to be your computer. Others who may have been hacked may see your computer address and want you to justify why you hacked them.


Trojan Port Scan Results for: 1xx.1x.1xx.1x

Program: Trojan
Port: 6776
Trojans Common to Port: 2000 Cracks, BackDoor-G, SubSeven, VP Killer

Program: Trojan
Port: 7000
Trojans Common to Port: Exploit Translation Server, Kazimas, Remote Grab, SubSeven, SubSeven 2.1 Gold

Program: Trojan
Port: 12345
Trojans Common to Port: Ashley, Cron/Crontab, Fat Bitch trojan, GabanBus, icmp_client.c, icmp_pipe.c, Mypic, NetBus, NetBus Toy, NetBus worm, Pie Bill Gates, Whack Job, X-bill

Program: Trojan
Port: 20034
Trojans Common to Port: NetBus 2.0 Pro, NetBus 2.0 Pro Hidden, NetRex, Whack Job

Program: Trojan
Port: 27374
Trojans Common to Port: Bad Blood, Ramen, Seeker, SubSeven, SubSeven 2.1 Gold, Subseven 2.1.4 DefCon 8, SubSeven Muie, Ttfloader

Program: Trojan
Port: 31337
Trojans Common to Port: Back Fire, Back Orifice 1.20 patches, Back Orifice (Lm), Back Orifice Russian, Baron Night, Beeone, BO client, BO Facil, BO spy, BO2, Cron/Crontab, Freak88, Freak2k, icmp_pipe.c, Sockdmini