"back orifice" concern
08-05-2001, 08:42 PM
I have in place an updated version of Norton Internet Firewall. Recently I have been getting blocked messages that "back orifice 2000" is trying to access my PC. I can get the IP of the computer, but I am very concerned about the frequency of these attacks. How do I solve this problem?
08-17-2001, 04:30 AM
First, open RegEdit from Run on the Start Menu, and branch down to the following:
Look for a value in the right-hand window which holds no data, i.e. ""
If you see a key with just two speech marks (no value), then that is the entry which is launching the Back Orifice host program... nasty!
You might even see a weird entry, something which doesn't look like a legitimate program. This would be because the person who infected your machine has "cleverly" renamed the program... perhaps to ensure you were fooled into executing the installation.
That's right, you installed the Trojan.
Do you remember receiving a file which did nothing when you tried to open it? If so, that was the Back Orifice installer. Sometimes people rename the file to something like " pic.jpg ", so the icon for it on your computer makes you think it's a picture.
What you need to do is try and delete the entry from the above registry key. But more than likely you will be informed that you cannot delete it.
But, updated Virus Checkers should be able to detect it and remove it from your system. So try that.
Be careful in future about what you open, especially through e-mail.
If you can remember trying to open a file that seemed to do nothing at all, hopefully you can remember where you got it from. Hopefully then it was someone you already know, so you can go and push their face(s) into the back of their skull!
Good luck. But get rid of it pronto.
08-17-2001, 04:47 AM
I don't know how the Norton firewall works.
I use ZoneAlarm. It gives you a list of all the programs that are connected and talking to the net, plus if a new one pops up it asks if you want to allow it to connect. I also check my other users' desktops just in case they get something added; plus if they do, I would see it in ZoneAlarm on my desktop, cause the list is common to all users.
Here is a page that says it can infect runservice too.
LOL, a programmer can hide it wherever he/she wants.
Click Here (http://support.microsoft.com/support/kb/articles/q237/2/80.asp)
This is just my opinion,
so if it stinks wait for another one,
cause I'm no expert.
Edited by coolsights2000 on 08/17/01 00:27.
08-17-2001, 01:03 PM
"...have be getting blocked messages that "back orifice 2000" is trying to access my pc..."
This is a trojan master program testing to see if it can connect to a trojan client on your machine. If your machine is not infected, then there will be no connection established. But by answering a connection request, the trojan master will know that there is an active machine at the IP address used and may remember to try again later. By using the firewall software, the trojan master will not get back a reply (a stealthed port on the TCP/IP protocol stack) and must assume that there is no computer at that address. The warning by the firewall is to alert you to the fact that someone is interested in your machine. If you get several intrusion attempt warnings within a short time, your machine may be under hacker attack and you had best disconnect from the net temporarily.
You cannot prevent your machine from being tested from outside. It is the same as with the telephone: dial any number and see if somebody picks up.
As long as you also have some antivirus software to detect a trojan program, there should be no great danger. But don't let the firewall configure rules automatically in the background. Let the firewall ask you for every attempt of a new program to access the net from your machine. Then you may have a chance to trap a trojan client on your machine that bypassed the antivirus scan.
Regards - Richard
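As an added illustration (not from any poster in this thread, and not the real log format of Norton Internet Security or any other firewall), the script below reads constructed firewall alert lines and reports the sources whose blocked attempts cluster inside a short window, which is the "several intrusion attempt warnings within a short time" condition Richard distinguishes from an isolated probe. The log format, IP addresses and port numbers are all made up for the sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample alert lines (made-up format and addresses, not real firewall output).
SAMPLE_LOG = """\
2001-08-05 20:42:01 BLOCKED rule="Back Orifice 2000" src=203.0.113.7:4444 dst=192.0.2.10:54320
2001-08-05 20:42:03 BLOCKED rule="Back Orifice 2000" src=203.0.113.7:4445 dst=192.0.2.10:54320
2001-08-05 20:42:05 BLOCKED rule="Back Orifice 2000" src=203.0.113.7:4446 dst=192.0.2.10:54320
2001-08-05 20:42:06 BLOCKED rule="Back Orifice 2000" src=203.0.113.7:4447 dst=192.0.2.10:54320
2001-08-05 21:10:30 BLOCKED rule="Back Orifice 2000" src=198.51.100.22:1030 dst=192.0.2.10:54320
2001-08-05 23:55:12 BLOCKED rule="Back Orifice 2000" src=198.51.100.22:1031 dst=192.0.2.10:54320
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) BLOCKED rule="(?P<rule>[^"]+)" '
    r'src=(?P<src>[\d.]+):\d+ dst=[\d.]+:(?P<dport>\d+)$'
)

def parse_alerts(text):
    """Yield (timestamp, rule, source_ip, dest_port) for each well-formed alert line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not fit the assumed format are skipped
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["rule"], m["src"], int(m["dport"]))

def burst_sources(text, rule, window_seconds=60, threshold=3):
    """Return {source_ip: peak_count} for sources that produced at least `threshold`
    blocked alerts for `rule` inside any `window_seconds` sliding window.
    Assumes the log is in time order. A single blocked probe is background noise;
    a burst from one source is the case worth looking at (or disconnecting for)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    peak = defaultdict(int)       # src -> largest window count observed
    for ts, seen_rule, src, _ in parse_alerts(text):
        if seen_rule != rule:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # expire timestamps older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for src, n in burst_sources(SAMPLE_LOG, "Back Orifice 2000").items():
        print(f"{src}: {n} blocked probes inside one 60 s window")
```

Only 203.0.113.7 is reported for the sample: its four attempts fall within five seconds, while the two from 198.51.100.22 are hours apart and count as ordinary background scanning.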
If you have a virus checker, use it, but I have tested NIS and you do get a lot of false messages on the wrong ports; usually it is just a web page using that particular port on your computer. Also, what is the exact port number?
If you get too worried, try using Sygate firewall; it's free from CNET and you get hardly any false alerts.