Security Basics mailing list archives

RE: Outpost firewall Pro 2.0.238.3121(290) has Back Orifice trojan program


From: Jeff McLaughlin <JMclaughlin () springsgov com>
Date: Tue, 3 Feb 2004 11:58:35 -0700


If I perform a UDP scan of my Raptor firewall, it will return 31337 as open
and identify it as Back Orifice (also happens to Trinoo).  At first this got
my attention and I physically verified that Back Orifice was not present on
the box.

What I believe it tells me is NMAP got a response from port 31337 which is
typically (not always) used by Back Orifice.  Try a UDP NMAP scan of the
firewall and see if it returns the same result.  Also, look at
http://www.hackfix.org/bofix/fix2.shtml to verify (or not) that Back Orifice
is on the system.



Hth,
 
Jeff McLaughlin

-----Original Message-----
From: Mr Babak Memari [mailto:memari () myrealbox com] 
Sent: Tuesday, February 03, 2004 5:26 AM
To: security-basics () securityfocus com
Subject: Outpost firewall Pro 2.0.238.3121(290) has Back Orifice trojan
program

Hi
I have found this file below in Outpost firewall Pro 2.0.238.3121(290):
C:\Program Files\Agnitum\Outpost Firewall\Service.lst

After opening it with Notepad I found a trace of "Back Orifice trojan
program":

[udp]
7,ECHO,Echo
9,Discard,Discard
13,Daytime,Daytime
17,QOTD,Quote of the Day
19,Chargen,Character Generator
37,Time,Timeserver
53,DNS,Domain name service
67,BOOTPS,Bootstrap Protocol Server
68,BOOTPC,Bootstrap Protocol Client
137,NETBIOS_NS,NETBIOS Name Service
138,NETBIOS_DGM,NETBIOS Datagram Service
161,SNMP,SNMP (Simple Network Management Protocol)
162,SNMPTRAP,SNMPTRAP (Simple Network Management Protocol)
4000,ICQ,ICQ chat program
31337,BackOrifice,Back Orifice trojan program      <<<=====NOTE Please **


What is your idea? I have downloaded it from agnitum.com.

-----
Babak
www.voidspace.org.uk/babak




---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course!  
----------------------------------------------------------------------------
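
Added example, not part of either message and not Agnitum's or Nmap's code: it parses the port,name,description layout of the Service.lst excerpt quoted above and pairs a UDP probe result with the table entry, to show that the name printed beside a port is a lookup keyed on the port number. The function names, the shortened excerpt and the loopback demo are assumptions made for illustration; the state names follow Nmap's UDP scan terminology.

```python
import socket

# Constructed excerpt of the [udp] section quoted above: port,short name,description
SERVICE_LST = """[udp]
53,DNS,Domain name service
161,SNMP,SNMP (Simple Network Management Protocol)
4000,ICQ,ICQ chat program
31337,BackOrifice,Back Orifice trojan program
"""

def parse_service_list(text):
    """Return {protocol: {port: (short_name, description)}}."""
    table, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            table.setdefault(section, {})
            continue
        parts = line.split(",", 2)  # the description itself may contain commas
        if section is None or len(parts) != 3 or not parts[0].isdigit():
            continue  # blank, malformed, or outside any section
        table[section][int(parts[0])] = (parts[1], parts[2])
    return table

def probe_udp(host, port, timeout=0.5):
    """Send one empty datagram and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(b"")
            s.recv(1024)
            return "open"            # a datagram came back
        except ConnectionRefusedError:
            return "closed"          # ICMP port unreachable came back
        except socket.timeout:
            return "open|filtered"   # silence: a listener or a filter, cannot tell

def report(host, port, table):
    """Pair the probe state with the table label; the label is only a lookup."""
    name, _ = table.get("udp", {}).get(port, ("unknown", ""))
    return port, probe_udp(host, port), name

if __name__ == "__main__":
    # Hypothetical demo: a silent local listener on an ephemeral loopback port.
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    print(report("127.0.0.1", listener.getsockname()[1], parse_service_list(SERVICE_LST)))
    listener.close()
```

The name returned by report() depends only on the port number in the table; the probe changes the state field and nothing else.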
