[Snort-sigs] Description for BACKDOOR Back Orifice access

Andrew Hintz (Drew) mail.drew at ...486...
Tue Apr 2 04:07:49 EST 2002

# $Id$

BACKDOOR Back Orifice access 
Someone, most likely an attacker, is accessing Back Orifice.  Back Orifice is a remote administration and backdoor program for Windows.
The attacker already has complete control of the machine.
Detailed Information:
Back Orifice is one of the most popular backdoors for Windows.  It gives an attacker complete control of the infected computer.
Attack Scenarios:
The attacker has complete control over the infected computer.  The attacker can do things such as read or change any files on the computer,  attack other computers using the infected computer, and execute any program on the computer.

In order to install Back Orifice on the infected machine, the attacker either used a different vulnerability to initially take control of the computer, or tricked a user of the computer to unknowingly install Back Orifice.
Ease of Attack:
False Positives:
Very low probability, unless you have intentionally installed Back Orifice.
False Negatives:
There are several optional encryption plugins for Back Orifice which will prevent IDSs from detecting the use of Back Orifice.
Corrective Action:
Unless Back Orifice has been intentionally installed, it should be removed from the afflicted computer.  For instructions on removing it, visit http://www.irchelp.org/irchelp/security/bo.html
Andrew Hintz ( http://guh.nu )
Additional References:
Details on removing Back Orifice: http://www.irchelp.org/irchelp/security/bo.html
Back Orifice website: http://bo2k.sourceforge.net/



--Begin PGP Fingerprint--
3C6C F712 0A52 BD33 C518  5798 9014 CA99 2DA0 5E78
--End PGP Fingerprint--

More information about the Snort-sigs mailing list