                Date: 1998-08-05
                 
                 
Micro/soft remote-controlled: Back Orifice follow/up
                
                 
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- 
                 
                
      q/depesche 98.8.5/3 
updating   98.8.5/2 
 
Micro/soft remote-controlled: Back Orifice follow/up
 
Even the cool NT engineers around ntbugtraq.com are losing sleep
over it, although the Win95/98-specific "Back Orifice" is really
none of their business.

Perhaps because the trojan client program, at under 125 KB, is so
tiny that it is fairly easy to hide?
Perhaps because BO also works behind firewalls?
Perhaps because an ordinary virus scanner does not react to it?
Perhaps also because an NT version as a follow-up is not entirely
unthinkable?

Whoever seeks BO will find it next to dead cows:
 
http://www.cultdeadcow.com
                   
 
-.-.- --.-  -.-.- --.-  -.-.- --.- 
Though not specific to NT security there has been much talk 
about Back Orifice lately.  I've played around with it a bit 
and here is a way to find it and get rid of it. 
 
Default installation: Installs a 122k - 123k file called
" .exe" in c:\windows\system with a modified date of 7/11/95.
Changes
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Default
from blank to " .exe". Transmits data on UDP Port 31337 -
it's in the readme.
 
An attacker can modify these defaults to be anything they 
like but if you check the registry entries under 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices 
and find one you are not familiar with (not the task 
scheduler, not a virus scanner, etc) that runs a 122k - 123k 
file (does not have to be an exe) from your 
c:\windows\system folder, it might be worth investigating 
further.  The file could probably be padded to be a 
different size or the code could be modified to mutate its 
size to help hide it.  There was some speculation in some of 
the media reports that a virus detection program might be 
able to detect the program in action.  Network Associates 
McAfee Virus Scan did not set off any alarms.  Maybe another 
virus scanner will view the program's actions as suspicious? 
 
Unless there are hidden "features" (still letting it run 
behind a firewall logging all traffic on the Back Orifice 
machine as a test to see if there is more to it) it is just 
a useful remote admin tool in a semi-GUI box that can be 
custom packaged to take advantage of existing Win9x security 
flaws. 
 
relayed by way of http://www.ntbugtraq.com
from jimst@enteract.com
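The post above describes three things to look for: an unfamiliar value under the RunServices key, a 122k-123k file in c:\windows\system (of any extension) that such a value points at, and traffic on UDP port 31337. The following is an added example, not code from the post or from q/depesche, that turns those three indicators into an offline triage script over constructed inputs: a REGEDIT4 export of the RunServices key, a file inventory, and `netstat -an` output. The allowlist names, file sizes and the 1024-byte reading of "122k" are assumptions, as is the rule that a bare file name in RunServices is resolved against the system folder; as the post itself notes, an attacker can change the name, size and port, so this only catches a default installation.

```python
"""Heuristic Back Orifice triage modelled on the ntbugtraq post.

Added example with constructed inputs (not a real capture). It checks:
  1. RunServices values an administrator does not recognise,
  2. whether their target is a 122k-123k file in c:\\windows\\system,
  3. whether a UDP socket is bound to port 31337.
"""
import re

SYSTEM_DIR = r"c:\windows\system"            # Win9x system folder named in the post
BO_DEFAULT_PORT = 31337                      # default port named in the post
SIZE_LOW, SIZE_HIGH = 122 * 1024, 124 * 1024   # "122k - 123k", assumed 1024-byte KB

# Constructed allowlist: names the admin already recognises (the post's
# "task scheduler", "virus scanner"). Hypothetical value names.
KNOWN_RUNSERVICES = {"SchedulingAgent", "McAfeeVShield"}

# Constructed REGEDIT4 export (Win9x regedit format) of the RunServices key.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
@=" .exe"
"SchedulingAgent"="mstask.exe"
"McAfeeVShield"="C:\\Program Files\\McAfee\\vshwin32.exe"
'''

# Constructed file inventory: lower-cased path -> size in bytes.
SAMPLE_FILES = {
    r"c:\windows\system\ .exe": 125_440,             # 122.5 KB, in the BO size band
    r"c:\windows\system\mstask.exe": 147_456,
    r"c:\program files\mcafee\vshwin32.exe": 311_296,
}

# Constructed `netstat -an` output.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
"""

# Matches either the default value  @="..."  or a named value  "name"="..."
_VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]*)")="(?P<data>.*)"$')
_UDP_RE = re.compile(r"^\s*UDP\s+\S+:(\d+)\s")


def parse_runservices(reg_text):
    """Return {value_name: data} for the RunServices key of a REGEDIT4 export.
    The default value (@) is reported under the name '(Default)'."""
    entries, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            key = line.rstrip("]").lower()
            in_key = key.endswith(r"\currentversion\runservices")
            continue
        m = _VALUE_RE.match(line.strip()) if in_key else None
        if m:
            name = m.group("name") if m.group("name") is not None else "(Default)"
            entries[name] = m.group("data").replace("\\\\", "\\")  # un-escape REGEDIT4 backslashes
    return entries


def resolve_target(data):
    """Map a RunServices value to a lower-cased path. A bare file name is
    assumed to be looked up in the system folder; the leading space of
    ' .exe' is deliberately preserved, so only quotes are stripped."""
    cmd = data.strip('"')
    if "\\" in cmd:
        return cmd.lower()
    return (SYSTEM_DIR + "\\" + cmd).lower()


def suspicious_runservices(entries, files, known=KNOWN_RUNSERVICES):
    """Return [(name, path, size, reason)] for values not on the allowlist.
    reason is 'bo-size-band' when the target is a 122k-123k file inside the
    system folder (the post's strong indicator), otherwise 'unfamiliar'."""
    findings = []
    for name, data in entries.items():
        if name in known:
            continue
        path = resolve_target(data)
        size = files.get(path)
        in_system = path.startswith(SYSTEM_DIR.lower() + "\\")
        strong = size is not None and in_system and SIZE_LOW <= size <= SIZE_HIGH
        findings.append((name, path, size, "bo-size-band" if strong else "unfamiliar"))
    return findings


def listening_udp_ports(netstat_text):
    """Return the set of local UDP ports bound according to `netstat -an` output."""
    return {int(m.group(1)) for m in map(_UDP_RE.match, netstat_text.splitlines()) if m}


def triage(reg_text, files, netstat_text):
    """Combine the three checks into a list of human-readable findings."""
    report = []
    for name, path, size, reason in suspicious_runservices(parse_runservices(reg_text), files):
        report.append(f"RunServices value '{name}' -> {path} ({size} bytes): {reason}")
    if BO_DEFAULT_PORT in listening_udp_ports(netstat_text):
        report.append(f"UDP port {BO_DEFAULT_PORT} is bound (Back Orifice default)")
    return report


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_FILES, SAMPLE_NETSTAT):
        print(finding)
```

On the constructed sample the script reports the blank-named `(Default)` value pointing at the 122.5 KB `c:\windows\system\ .exe` and the bound UDP port 31337; the two allowlisted entries are skipped, so the output is exactly the two indicators the post says are worth investigating. On a real machine the inputs would come from a regedit export, a directory listing of the system folder, and `netstat -an`.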
 
 
-.-.- --.-  -.-.- --.-  -.-.- --.- 
TIP 
Download free PGP 5.5.3i (Win95/NT & Mac) 
http://keyserver.ad.or.at/pgp/download/
                   
 
-.-.- --.-  -.-.- --.-  -.-.- --.-
    
                 
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- 
                
edited by  
published on: 1998-08-05 
comments to office@quintessenz.at