I once read about BO (Back Orifice) on some site but forgot the site's name,
and I have never tried it.
-------------------------------------------------------------------------------------------------------------
Back Orifice (BO) is a technically impressive remote administration tool
developed by the Cult Of The Dead Cow (cDc). Back Orifice is not a virus. It is
a self-contained, self-installing server which allows a remote administrator to
control and monitor computers running the Windows operating system over a
network.
To ease distribution, the server program is designed to be very configurable.
Its file name, size, registry value and the port it listens on can vary. It can
also be attached to any other Windows executable, which will run normally after
installing the server.
The Back Orifice server operates very quietly. Once installed, it will run again
every time the computer is started. It does not show up in the task list or
close-program list while running and will not interfere with other running
applications.
The Back Orifice suite was publicly released on 3 August 1998. The BO suite
contains the server, a server configuration program, a console client, a GUI
client and other miscellaneous utilities.
What can Back Orifice do?
Back Orifice allows remote control of almost all parts of the operating system,
including: file system, registry, system information, passwords, network and
processes.
The remote administrator can get detailed system information such as the
current user, CPU type, operating system version, memory usage and storage
device information. The remote administrator also has full access to file
system operations such as copy, rename, delete, view, search, compress and
decompress files. In addition, the remote administrator can also list, kill and
spawn applications on the targeted machine. Back Orifice also allows monitoring
of computer users by enabling the remote administrator to capture screen shots
and video or still frames from any video input device such as a QuickCam.
How does it affect computer users?
Once illegally installed, a Back Orifice server can give unauthorized people
full access to a computer by way of a network link. A remote hacker can then
take control of the computer, steal passwords, log keystrokes, upload or
download files, spawn applications, etc., without the knowledge or consent of
the computer owner.
How to detect and remove Back Orifice?
There is no absolute method to manually detect an installed Back Orifice
server. Its file name, size, registry value and the port it listens on can vary.
A carefully engineered copy of the Back Orifice server can be very different
from the original one released by cDc.
Back Orifice is also difficult to detect as it does not show up in the task
list, system tray or close-program list. Only specialized programs such as
Visual C++ Process Viewer (PView.exe), Kernel Toys' Wintop.exe or MS Office's
System Info (MSInfo32.exe) can reveal it. However, a Back Orifice server can
disguise itself by having an important-looking name such as system.exe. In
addition, a Back Orifice server can be started in many ways:
The autoexec.bat file (with the line WIN [Drive:][Path\][BO_Server_name]).
The win.ini file (with the line run=[Drive:][Path\][BO_Server_name]).
Windows startup folder shortcuts.
Windows registry such as:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices
Generally, the original Back Orifice server is 124,928 bytes in length, is
iconless and has the name " .exe" (without the quotes). It will appear as a
blank line in the Windows\System folder in Windows Explorer.
However, since it is running, it cannot be deleted. The only way to remove it
manually is to find out how the server is started, remove that startup method,
reboot and then delete the server executable.
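As an added example (not part of the original post or of any cDc or SG1.net tool), the following Python script checks the autostart locations listed above for the two indicators the text gives: an executable whose name is blank before the .exe extension, and a file of 124,928 bytes. Every input (the autoexec.bat and win.ini contents, the Startup folder shortcut targets, the Run/RunServices values and the file sizes) is a constructed sample embedded inline, so it runs offline; on a real machine you would feed it the actual files, a registry export and os.path.getsize results. The file names and sizes other than the two indicators are made up for the sample.

```python
"""Scan Windows 9x autostart locations for indicators of a Back Orifice server.

Added example: checks autoexec.bat (WIN line), win.ini (run=), Startup folder
shortcut targets and the Run / RunServices registry keys for an executable with
a blank name (" .exe") or a size of 124,928 bytes. All inputs are constructed.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Size of the original cDc server, as stated in the text above.
BO_ORIGINAL_SIZE = 124_928

# --- Constructed sample inputs (hypothetical; not captured from a real PC) ---
SAMPLE_AUTOEXEC = r"""@ECHO OFF
PATH C:\WINDOWS;C:\WINDOWS\COMMAND
SET TEMP=C:\WINDOWS\TEMP
WIN C:\WINDOWS\SYSTEM\ .EXE
"""

SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\system.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

# Targets of the shortcuts in the Startup folder (constructed).
SAMPLE_STARTUP_TARGETS = [r"C:\Program Files\Microsoft Office\Office\OSA.EXE"]

# Value name -> value data for the two registry keys named in the text (constructed).
SAMPLE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices": {
        "": r"C:\WINDOWS\SYSTEM\ .exe",
    },
}

# Lower-cased path -> size in bytes; stands in for os.path.getsize (constructed).
SAMPLE_SIZES = {
    r"c:\windows\system\ .exe": BO_ORIGINAL_SIZE,
    r"c:\windows\system\system.exe": BO_ORIGINAL_SIZE,  # disguised copy
    r"c:\windows\scanregw.exe": 61_440,
    r"c:\program files\microsoft office\office\osa.exe": 51_200,
}


class Finding(NamedTuple):
    location: str
    path: str
    reasons: List[str]


_EXE_RE = re.compile(r"^\s*(.*?\.exe)", re.IGNORECASE)


def executable_path(command: str) -> Optional[str]:
    """Return the executable part of a command line (drops arguments such as
    '/autorun'); None if the line names no .exe at all."""
    m = _EXE_RE.match(command)
    return m.group(1) if m else None


def parse_autoexec(text: str) -> List[str]:
    """Commands launched through a 'WIN <program>' line in autoexec.bat."""
    cmds = []
    for line in text.splitlines():
        m = re.match(r"^\s*WIN\s+(.+)$", line, re.IGNORECASE)
        if m:
            cmds.append(m.group(1).strip())
    return cmds


def parse_win_ini_run(text: str) -> List[str]:
    """Programs named on the run= line of the [windows] section of win.ini."""
    section, cmds = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "run":
                cmds.extend(v.strip() for v in value.split(",") if v.strip())
    return cmds


def check_path(path: str, sizes: Dict[str, int]) -> List[str]:
    """Reasons the executable at 'path' looks like a Back Orifice server."""
    reasons = []
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = name[:-4] if name.lower().endswith(".exe") else name
    if stem.strip() == "":
        reasons.append("blank file name (' .exe'), as used by the original server")
    size = sizes.get(path.lower())
    if size == BO_ORIGINAL_SIZE:
        reasons.append(f"file size {size:,} bytes matches the original BO server")
    return reasons


def scan(autoexec: str, win_ini: str, startup_targets: List[str],
         registry: Dict[str, Dict[str, str]], sizes: Dict[str, int]) -> List[Finding]:
    """Walk every autostart location and report suspicious executables."""
    candidates = [("autoexec.bat WIN line", c) for c in parse_autoexec(autoexec)]
    candidates += [("win.ini run=", c) for c in parse_win_ini_run(win_ini)]
    candidates += [("Startup folder shortcut", t) for t in startup_targets]
    for key, values in registry.items():
        for name, data in values.items():
            candidates.append((f"registry {key.rsplit(chr(92), 1)[-1]} value '{name}'", data))
    findings = []
    for location, command in candidates:
        path = executable_path(command)
        if path is None:
            continue
        reasons = check_path(path, sizes)
        if reasons:
            findings.append(Finding(location, path, reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_AUTOEXEC, SAMPLE_WIN_INI, SAMPLE_STARTUP_TARGETS,
                  SAMPLE_REGISTRY, SAMPLE_SIZES):
        print(f"{f.location}: {f.path!r}: " + "; ".join(f.reasons))
```

The script only reports; it does not delete anything, because (as the text says) the running server cannot be removed until its startup entry is gone and the machine has been rebooted. A modified server with another name and size will not match either indicator, which is exactly the limitation the text describes.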
For more information, refer to the PC help page "Almost all the ways to find
your Back Orifice".
Is there any software to detect and remove Back Orifice?
Yes! SG1.net has released BOshield version 1.20. BOshield is a small, efficient
scanner that operates like the anti-virus scanner VShield. It detects and
removes Back Orifice servers once they are started. It uses little memory and
consumes insignificant processing time. It can remove the original Back Orifice
1.20 server, BO servers configured by the server configuration program supplied
with the Back Orifice suite, and other modified BO servers such as the trojan
BOsniffer.
Other Back Orifice detection and removal tools are:
Chris Benson's BODetect.
Bardon Data Systems' Back Orifice Eliminator.
Antigen.
Toilet Paper.
Is there any way to prevent having Back Orifice?
Follow these safe computing practices:
Do not download/install software from unknown sources.
Do not run programs from email attachments.
Do not use pirated software.
Do not let untrusted personnel use your computer.
Relevant sites:
Refer to the following sites for more information:
1. Back Orifice site.
2. PC help page.
3. Press response.
Summary
Back Orifice is a remote administration tool. It is useful for remote technical
support, employee monitoring and system administration in a Windows network. It
is not a virus. It does not modify the Windows operating system. It only uses
legitimate functions available in the Windows operating system.
However, it can be exploited by unauthorized employees, hackers and anyone else
to take control of computer systems remotely. Unauthorized usage poses a threat
to computer system and information security.
At 09:26 AM 6/18/99 +0700, you wrote:
>Hello.. I just joined this mailing list and have a question that may be naive for
>this list. How do you use BO (Back Orifice) on the Server and Client side