BackOrifice on Linux Webserver? (Centos)

Discussion in 'malware problems & news' started by Matty1985, Mar 23, 2010.

Thread Status:
Not open for further replies.
  1. Matty1985

    Matty1985 Registered Member

    Joined:
    Mar 23, 2010
    Posts:
    3
    I previously thought Back Orifice only infected computers running Windows, however I just ran Nmap against my server and came up with these results:

    631/tcp closed ipp
    80/udp open|filtered http
    111/udp open|filtered rpcbind
    135/udp open|filtered msrpc
    137/udp open|filtered netbios-ns
    138/udp open|filtered netbios-dgm
    139/udp open|filtered netbios-ssn
    161/udp open|filtered snmp
    162/udp open|filtered snmptrap
    445/udp open|filtered microsoft-ds
    517/udp open|filtered talk
    518/udp open|filtered ntalk
    631/udp open|filtered ipp
    1025/udp open|filtered blackjack
    1434/udp open|filtered ms-sql-m
    1900/udp open|filtered upnp
    4444/udp open|filtered krb524
    5000/udp open|filtered upnp
    5060/udp open|filtered sip
    31337/udp open|filtered BackOrifice

    I'm not sure what to make of it, or how to remove it. I'm not an expert at Linux, and I have full SSH root access.

    Thanks
     
  2. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    The NMAP results sometimes depend on how your box's firewall reacts to the requests of a UDP scan. So this could be a false positive.
     
  3. Matty1985

    Matty1985 Registered Member

    Joined:
    Mar 23, 2010
    Posts:
    3
    So what could I do to make sure? I find it unusual that anything should be on port 31337 to even make a response.
     
  4. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    973
    Location:
    Paris
    BackOrifice was originally coded for both Windows and UNIX by the CDC. Currently one can find it on Sourceforge as BO2K.

    The original BO was way ahead of its time and is also easily removed. If you need specific help to do so, go to the BO2k forum at: http://sourceforge.net/apps/phpbb/bo2k/

    Hope this helped.
     
    Last edited: Mar 24, 2010
  5. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
  6. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Nmap is just reporting what service usually uses that port -- it is not saying that BackOrifice is installed on your machine. It could be anything using that port. Therefore you need to find out what services are using what ports.

    So, I would run netstat. First get a root shell (or use sudo) and then:

    Code:
    netstat -tulnpv
    Post output here.
     
  7. Matty1985

    Matty1985 Registered Member

    Joined:
    Mar 23, 2010
    Posts:
    3
    Thanks, I'll have a read of those guys.

    And Chronomatic, here is the info you wanted.

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 2586/mysqld
    tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1804/portmap
    tcp 0 0 0.0.0.0:753 0.0.0.0:* LISTEN 1843/rpc.statd
    tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2200/proftpd: (acce
    tcp 0 0 96.31.MY.IP:53 0.0.0.0:* LISTEN 1776/named
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1776/named
    tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2100/cupsd
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2176/master
    tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1776/named
    tcp 0 0 :::80 :::* LISTEN 2428/httpd
    tcp 0 0 :::22 :::* LISTEN 2087/sshd
    tcp 0 0 ::1:953 :::* LISTEN 1776/named
    tcp 0 0 :::443 :::* LISTEN 2428/httpd
    udp 0 0 96.31.MY.IP:53 0.0.0.0:* 1776/named
    udp 0 0 127.0.0.1:53 0.0.0.0:* 1776/named
    udp 0 0 0.0.0.0:39105 0.0.0.0:* 2331/avahi-daemon:
    udp 0 0 0.0.0.0:5353 0.0.0.0:* 2331/avahi-daemon:
    udp 0 0 0.0.0.0:747 0.0.0.0:* 1843/rpc.statd
    udp 0 0 0.0.0.0:750 0.0.0.0:* 1843/rpc.statd
    udp 0 0 0.0.0.0:111 0.0.0.0:* 1804/portmap
    udp 0 0 0.0.0.0:631 0.0.0.0:* 2100/cupsd
    udp 0 0 :::46208 :::* 2331/avahi-daemon:
    udp 0 0 :::5353 :::* 2331/avahi-daemon:
     
  8. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    @matty1985

    Give this a try instead.
    Code:
    netstat -tunapv
    Replaced the l with an a. a is for all, while l is for servers only.
    Your results didn't show what is listening on port 31337 a.k.a. elite.
     
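Added example (not from any poster in this thread): a small Python script that does the cross-check chronomatic and Searching_ _ _ describe, parsing netstat -tulnpv output (the sample below is trimmed from the output posted above) into a (protocol, port) -> program map, then asking, for each UDP port Nmap reported as open|filtered, whether anything local owns it. Nmap's open|filtered means no UDP reply came back, so it cannot tell an open port from a filtered one, and the service name column is only a lookup in Nmap's port table.

```python
import re

# Sample inputs, trimmed from the Nmap and netstat output posted in the thread.
NMAP_UDP = """\
111/udp open|filtered rpcbind
631/udp open|filtered ipp
5000/udp open|filtered upnp
31337/udp open|filtered BackOrifice
"""

NETSTAT_TULNPV = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1804/portmap
udp 0 0 0.0.0.0:111 0.0.0.0:* 1804/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 2100/cupsd
udp 0 0 :::5353 :::* 2331/avahi-daemon:
"""

def local_listeners(netstat_text):
    """Map (proto, port) -> PID/program for every socket in netstat -tulnpv output."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue  # skip the header lines
        proto = fields[0].rstrip("6")
        # Local Address is field 3; the port follows the last ':' (works for ':::5353' too)
        port = int(fields[3].rsplit(":", 1)[1])
        # TCP rows carry a LISTEN state column, UDP rows do not; program names may contain spaces
        program = " ".join(f for f in fields[5:] if f != "LISTEN")
        listeners[(proto, port)] = program
    return listeners

def triage_nmap_udp(nmap_text, listeners):
    """For each open|filtered UDP port, say whether a local process actually owns it."""
    verdicts = {}
    for line in nmap_text.splitlines():
        m = re.match(r"(\d+)/udp\s+open\|filtered\s+(\S+)", line)
        if not m:
            continue
        port, label = int(m.group(1)), m.group(2)
        program = listeners.get(("udp", port))
        if program:
            verdicts[port] = f"listener {program} (label '{label}' is only Nmap's port table)"
        else:
            verdicts[port] = "no local listener: no UDP reply, so filtered, not open"
    return verdicts
```

Run it against the full output of `netstat -tulnpv` on the server itself: a port that Nmap labels but no process owns is the firewall dropping the probe, not a service.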
  9. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Here is another port scan with results of a linux box/server.
    https://www.securitymetrics.com/portscan.adp

    Port Scan Results for: 1xx.1x.1xx.1x

    Program: FTP
    Port: 21
    Status: Stealth
    Explanation: File Transfer Protocol (FTP) allows users to transfer files to other computers over the Internet. A poorly configured FTP server allows hackers to copy your files, install trojan applications on your computer or obtain unauthorized remote command prompt access to your computer.

    Program: SSH
    Port: 22
    Status: Stealth
    Explanation: Secure Shell (SSH) uses encryption to secure information sent over a network. While it typically improves security there are numerous problems with older versions of SSH which may allow brute force attacks.

    Program: Telnet
    Port: 23
    Status: Stealth
    Explanation: Telnet allows a remote user to access your computer and perform commands. It is susceptible to brute force attacks and clear text password sniffing. A computer is misconfigured if this port is open. Use SSH instead.

    Program: SMTP
    Port: 25
    Status: Stealth
    Explanation: SMTP is used to send email. There are numerous vulnerabilities with SMTP such as unauthorized hard disk file access, username verification or SPAM email redirection.

    Program: DNS
    Port: 53
    Status: Stealth
    Explanation: Domain Name Services are used to tell other computers what your IP address is. There are several exploits associated with this service.

    Program: Finger
    Port: 79
    Status: Stealth
    Explanation: Finger provides information such as usernames and usage information. Turn this service off or block this port to stop others from gaining valuable system information.

    Program: HTTP
    Port: 80
    Status: Stealth
    Explanation: World Wide Web services allow you to publish web pages to the Internet. There are hundreds of severe security vulnerabilities associated with this service. Keep your WWW server software updated.

    Program: POP3
    Port: 110
    Status: Stealth
    Explanation: Post Office Protocol(POP) software downloads email. Hackers may use weaknesses in POP to intercept your email, create fictitious mail accounts or gain remote access to your computer.

    Program: NetBIOS
    Port: 139
    Status: Stealth
    Explanation: NetBIOS is used by Microsoft Windows and some UNIX/Linux programs to share files. If your hard disk is shared improperly (write access to everyone without authentication) you may be giving the world access to your hard disk. (Trojan files can be copied to your computer.) Make sure this port is closed and your hard drive shares are configured properly.

    Program: SNMP
    Port: 161
    Status: Stealth
    Explanation: Simple Network Management Protocol (SNMP) port may allow a hacker to obtain information about your computer. There are also security vulnerabilities associated with this port. You should turn off this service if you don't need it.

    Program: SSL
    Port: 443
    Status: Stealth
    Explanation: HTTP servers use Secure Sockets Layer (SSL) to encrypt data from web browsers. There are hundreds of severe security vulnerabilities associated with this service. Keep your WWW server software updated.

    Program: MS DS
    Port: 445
    Status: Stealth
    Explanation: Microsoft Directory Services is used by Microsoft Networks for security authentication. Typically this port should not be exposed to the Internet.

    Program: Socks Proxy
    Port: 1080
    Status: Stealth
    Explanation: An unsecured SOCKS Proxy may disqualify you from IRC server access. Make sure this port is closed.

    Program: KaZaA
    Port: 1214
    Status: Stealth
    Explanation: KaZaA is a popular peer-to-peer file-sharing program with many known vulnerabilities and at least one known worm (Benjamin) targeting it.

    Program: UPnP
    Port: 5000
    Status: Stealth
    Explanation: Universal Plug and Play allows your computer to automatically integrate with other network devices. There are known security vulnerabilities associated with this service.

    Program: HTTP Proxy
    Port: 8080
    Status: Stealth
    Explanation: HTTP Proxy provides a way for a hacker to pretend to be your computer. Others who may have been hacked may see your computer address and want you to justify why you hacked them.
    Trojan Port Scan Results for: 1xx.1x.1xx.1x

    Program: Trojan
    Port: 6776
    Trojans Common to Port: 2000 Cracks, BackDoor-G, SubSeven, VP Killer

    Program: Trojan
    Port: 7000
    Trojans Common to Port: Exploit Translation Server, Kazimas, Remote Grab, SubSeven, SubSeven 2.1 Gold

    Program: Trojan
    Port: 12345
    Trojans Common to Port: Ashley, Cron/Crontab, Fat Bitch trojan, GabanBus, icmp_client.c, icmp_pipe.c, Mypic, NetBus, NetBus Toy, NetBus worm, Pie Bill Gates, Whack Job, X-bill

    Program: Trojan
    Port: 20034
    Trojans Common to Port: NetBus 2.0 Pro, NetBus 2.0 Pro Hidden, NetRex, Whack Job

    Program: Trojan
    Port: 27374
    Trojans Common to Port: Bad Blood, Ramen, Seeker, SubSeven, SubSeven 2.1 Gold, Subseven 2.1.4 DefCon 8, SubSeven Muie, Ttfloader

    Program: Trojan
    Port: 31337
    Trojans Common to Port: Back Fire, Back Orifice 1.20 patches, Back Orifice (Lm), Back Orifice Russian, Baron Night, Beeone, BO client, BO Facil, BO spy, BO2, Cron/Crontab, Freak88, Freak2k, icmp_pipe.c, Sockdmini
     