TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
David,
I am not aware of any resources in detail, although I find the help on the
signatures is sufficient in most cases.
In this particular event I would suggest to just telnet to port 31337 on any
machine that is in the segment of the monitored network and see if the
BackOrifice event pops up.
If it doesn't, you could use netcat to listen on a machine in that segment
and let it listen on port 31337 to see if it will pop up when a session is
made.
If again it doesn't, you can start sending data over the connection to see
what will trigger the event, but I guess that would be a little bit
far-fetched ;o)
Bye,
Jeroen.
-----Original Message-----
From: Yong, David [mailto:[EMAIL PROTECTED]]
Sent: Friday, 20 July 2001 16:18
To: [EMAIL PROTECTED]
Subject: Question about Back Orifice
When I get a "BackOrifice" alert on RealSecure, what events occur that show
this alert? Is it just looking for connections to port 31337? Is it smart
enough to actually look into the traffic and see something specific to Back
Orifice, or does it just look for a tcp connection on that port? It would
help a lot if ISS included more information on the signatures... Maybe a
resource exists on what EXACTLY is being found when an alert is sounded, but
I am unaware of it?
David Yong
(310) 812-3994
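
The staged test suggested in the reply, as an added example that is not part of the original thread: a small listener stands in for netcat on port 31337, and a client first only connects, then connects and sends harmless data, timestamping each stage so it can be matched against the time of any BackOrifice event in the RealSecure console. The function names, the `listen`/`probe` arguments and the test payload are assumptions made for this example.

```python
import socket
import threading
import time

BO_PORT = 31337  # port named in the thread


def start_listener(host="127.0.0.1", port=BO_PORT):
    """Stand-in for the netcat listener: accept TCP sessions, record what arrives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    received = []

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener socket was closed
                return
            with conn:
                received.append(conn.recv(1024))

    threading.Thread(target=serve, daemon=True).start()
    return srv, received


def run_stages(host, port=BO_PORT, payload=b"ids-signature-test\r\n", delay=2.0):
    """Stage 1: bare TCP session. Stage 2: session plus harmless data (constructed)."""
    log = []
    for name, data in (("connect-only", b""), ("connect+data", payload)):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S")
        with socket.create_connection((host, port), timeout=5) as s:
            if data:
                s.sendall(data)
        log.append((stamp, name, len(data)))
        time.sleep(delay)  # keep the stages apart in the IDS event list
    return log


if __name__ == "__main__":
    import sys
    if sys.argv[1] == "listen":  # run on a host inside the monitored segment
        start_listener("0.0.0.0")
        input("listening on 31337, press Enter to stop\n")
    else:  # run from another host: probe <listener-ip>
        for row in run_stages(sys.argv[2]):
            print(*row)
```

An event logged at the first timestamp means a session to the port alone triggers the alert; an event only at the second means the sensor reacts once data flows, and no event at either stage means this test did not exercise what the signature matches.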