Back Orifice traffic is UDP port 31337
Log and block incoming traffic destined for this port

BO2K is not as easy to detect, as it can be configured to use TCP or UDP as
the transport and can be configured for any port.  You actually have to look
at traffic on the wire.

From what I remember, in all BO2K packets (TCP/UDP) the length field is 4 bytes
and the data payload is matched by the content of the length field, so knowing
this you can sniff your wire for the traffic.

There are things that will do this for you, such as ISS Internet Scanner and
Real Secure.

Sam James
Sys Admin
BancTec West

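As an added illustration of the two checks described above (not code from the original thread or from any of the products it names): a small Python detector run over constructed IPv4 frames. It applies the port rule for the original Back Orifice (UDP destined to 31337) and the payload heuristic for BO2K (a 4-byte length field at the start of the payload that agrees with the payload size). The thread does not say which byte order the field uses or whether it counts itself, so the example tries both orders and both conventions; that, the sample frames, and the function names are all assumptions made here.

```python
"""Detection heuristics for Back Orifice / BO2K traffic over constructed packets.

Check 1 (original Back Orifice): UDP with destination port 31337 -> log and block.
Check 2 (BO2K, any transport, any port): payload begins with a 4-byte length field
whose value matches the payload size.

Assumptions not stated in the thread: the 4-byte field is read as an unsigned
32-bit integer in either byte order, and is accepted if it equals either the
whole payload length or the payload length minus the 4-byte field itself.
"""
import struct

BO_UDP_PORT = 31337          # stated in the thread
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def parse_ipv4(frame: bytes):
    """Return (proto, sport, dport, payload) for an IPv4 frame carrying UDP or TCP, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(frame):
        return None
    proto = frame[9]
    l4 = frame[ihl:total_len]
    if proto == IPPROTO_UDP and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        return ("udp", sport, dport, l4[8:])
    if proto == IPPROTO_TCP and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        data_offset = (l4[12] >> 4) * 4
        return ("tcp", sport, dport, l4[data_offset:])
    return None


def length_prefixed(payload: bytes) -> bool:
    """BO2K heuristic from the thread: a 4-byte length field consistent with the payload size.
    Byte order and whether the field counts itself are assumptions, so both are tried.
    Payloads of 4 bytes or fewer carry no body and are not flagged (assumption)."""
    if len(payload) <= 4:
        return False
    for fmt in ("<I", ">I"):
        n = struct.unpack(fmt, payload[:4])[0]
        if n in (len(payload), len(payload) - 4):
            return True
    return False


def classify(frame: bytes) -> list:
    """Return the list of alert strings raised for one frame (empty list if clean)."""
    parsed = parse_ipv4(frame)
    if parsed is None:
        return []
    proto, _sport, dport, payload = parsed
    alerts = []
    if proto == "udp" and dport == BO_UDP_PORT:
        alerts.append(f"back-orifice: udp dst port {BO_UDP_PORT} (log and block)")
    if length_prefixed(payload):
        alerts.append(f"bo2k-heuristic: {proto} dst port {dport}, 4-byte length field matches payload size")
    return alerts


# --- constructed sample frames (not captured traffic; checksums left at zero) ---
def build_ipv4(proto: int, l4: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + l4


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_tcp(sport: int, dport: int, payload: bytes) -> bytes:
    # 20-byte header: data offset 5 words, PSH|ACK, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload


def bo2k_like_payload(body: bytes, little_endian: bool = True) -> bytes:
    """Hypothetical BO2K-shaped payload: 4-byte length counting itself, then the body."""
    return struct.pack("<I" if little_endian else ">I", 4 + len(body)) + body


SAMPLE_FRAMES = {
    "bo_udp_31337":      build_ipv4(IPPROTO_UDP, build_udp(40000, 31337, b"\x00" * 16)),
    "bo2k_udp_odd_port": build_ipv4(IPPROTO_UDP, build_udp(40001, 5555, bo2k_like_payload(b"\x13" * 20))),
    "bo2k_tcp_odd_port": build_ipv4(IPPROTO_TCP, build_tcp(40002, 8080, bo2k_like_payload(b"\x37" * 12, False))),
    "dns_query":         build_ipv4(IPPROTO_UDP, build_udp(40003, 53,
                             bytes.fromhex("123401000001000000000000") + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")),
    "http_get":          build_ipv4(IPPROTO_TCP, build_tcp(40004, 80, b"GET / HTTP/1.0\r\n\r\n")),
}


def run_all() -> dict:
    """Classify every sample frame; returns {name: [alerts]}."""
    return {name: classify(frame) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, alerts in run_all().items():
        print(f"{name:20s} {alerts or 'clean'}")
```

The port rule fires only on the first frame; the BO2K frames on ports 5555 and 8080 are caught by the payload heuristic alone, which is the point of the advice that you have to look at the wire rather than at port numbers. Any benign protocol that also begins its messages with a 4-byte length will match this heuristic, so in practice treat it as a trigger for closer inspection rather than an automatic block.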
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Tompkins, William A
> Sent: Wednesday, August 04, 1999 6:58 AM
> To: [EMAIL PROTECTED]
> Subject: Need info about BO2K
>
>
> Having been 'lurking' on this list for a while (and benefiting from it), I
> need some help from this list's archives (I think)...  reference Back
> Orifice 2000
> I noted the earlier thread on BO2K, but didn't follow it closely.  My boss
> wants a more detailed recommendation regarding BO2K.
>   After reading the following recommendation in SANS NT digest : "network
> administrators need to configure firewalls to detect Back Orifice traffic,
> to attempt to stop it at the border." . . .   I went to my mailbox for the
> method to get into this list's archives.  Unfortunately, in doing mailbox
> cleanup, I deleted the instructions for "Firewalls List"   Can someone
> forward the instructions to me?
> At this time we do not have "firewalls" and I need to determine what to do
> next (besides continuing to bemoan the absolute need for firewalls here).
>
> Regards,
>
> William Tompkins, CISSP, CRP
> Manager of Information Security
> Univ. of Tx Health Science Center at San Antonio
> 210-567-2308 (office)
> 512-589-6306 (cellular)
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
