Admins,

BackOrifice probes are worth investigating for a few reasons,
with the end result to possibly terminate access to the customer
if they can't resolve the issue.

Here are some reasons:

1) A host infected with BackOrifice can have its contents
   vandalized, so the user so compromised must be alerted ASAP

2) That host can be used as a launch pad for further attacks,
   making the original hacker all that much harder to track,
   when further damage is done.

3) If the host is not infected, but a wannabe hacker at play,
   you should clamp down hard now.  You could look at BO as 
   an entry level hacker tool, & you should act to curtail
   these kinds of activities before they get out of hand.

Don't wait for it to become a real problem.  

        An ounce of prevention...

-- Joshua
___________________________________________________________________
Joshua Chamas                      Chamas Enterprises Inc.
NODEWORKS - web link monitoring    Long Beach, CA    1-562-432-2469
http://www.nodeworks.com           http://www.chamas.com

Chris Knox wrote:
> 
> This response is unacceptable.
> 
> It seems to me that if my neighbor complains that my kid is trying
> to find out whether he locks his doors at night, then I have a
> responsibility to take appropriate measures.  Likewise, if I were to
> find that one of my users were probing the security at clear.net.nz,
> they could reasonably expect me to take some action (and I'm pretty
> sure that it would be a high priority).  At the very least it would
> seem courteous to alert the user that something is amiss; as I
> understand it, BO can be running and the user can be unaware of it.
> 
> I don't know what New Zealand's laws regarding computer security
> are, however this is an international company with strong presence
> in Australia.  I'm sure that we could learn something about them if
> necessary.
> 
> If this probing of my network from clear.net.nz continues, I will be
> forced to explore my options, including denying all access from your
> network to mine.
> 
> Chris Knox
> Security Administrator
> Hypercom Corporation
> 
> According to CLEAR Net Abuse Team:
> > From [EMAIL PROTECTED]  Thu Jul  1 20:10:05 1999
> > Date: Fri, 02 Jul 1999 16:09:43 +1300
> > To: Chris Knox <[EMAIL PROTECTED]>
> > From: CLEAR Net Abuse Team <[EMAIL PROTECTED]>
> > Subject: Back Orifice (was Re: Possible Scan Originating from your
> >   domain)
> >
> >
> > Thanks for reporting incident of Back Orifice scans that may have
> > emanated from our network.
> >
> >
> > As with any other kind of network based attack, we maintain that it is
> > the responsibility of the end user or their system administrator to
> > maintain security and integrity of their systems.
> >
> >
> > If your firewalls discarded BO scans, then they are doing their job.  We
> > don't consider it worth investigating.
> >
> >
> > Sincerely,
> >
> > T Murugesh
> >
> > Clear Net Abuse Team
> >
> >
> > At 04:56 PM 30/6/99 -0700, you wrote:
> >
> > >
> >
> > >While dredging my firewall logs I discovered the appended lines.  The
> > >destination address (dstaddr=) is my web server, www.hypercom.com.  I
> > >can't say that someone is up to no good, but it does appear that someone
> > >is rattling my doorknob.  I'd appreciate your investigating.
> > >
> > >All times are Mountain Standard Time, GMT -7.
> >
> > >
> >
> > >Jun 28 19:24:04 firewall kernel: securityalert: no match found in
> > forward screen: TCP if=eb2 srcaddr=203.167.198.37 srcport=80
> > dstaddr=208.248.230.4 dstport=1198
> >
> > >Jun 28 19:24:05 firewall kernel: securityalert: no match found in
> > forward screen: TCP if=eb2 srcaddr=203.167.198.37 srcport=80
> > dstaddr=208.248.230.4 dstport=1200
> >
> > >Jun 28 19:24:08 firewall kernel: securityalert: no match found in
> > forward screen: TCP if=eb2 srcaddr=203.167.198.37 srcport=80
> > dstaddr=208.248.230.4 dstport=1201
> >
> [etc.]
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
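The "securityalert" lines Chris quotes share one source address and a fixed source port while the destination port walks upward, which is the pattern a firewall admin would want to pick out of a log automatically rather than by dredging. The following is an added example (not code from anyone in this thread): it parses that exact line format, groups events per source/destination pair to surface port sweeps, and separately flags traffic aimed at Back Orifice's well-known default UDP port. The sample log is constructed here from the three quoted lines (rejoined onto single lines) plus one made-up UDP entry.

```python
import re
from collections import defaultdict

BO_DEFAULT_PORT = 31337  # Back Orifice's well-known default UDP listener

# Field layout of the firewall "securityalert" lines quoted in the thread,
# each rejoined onto a single line.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: securityalert: "
    r"no match found in forward screen: (?P<proto>TCP|UDP) if=(?P<iface>\S+) "
    r"srcaddr=(?P<src>[\d.]+) srcport=(?P<sport>\d+) "
    r"dstaddr=(?P<dst>[\d.]+) dstport=(?P<dport>\d+)$"
)

# Constructed sample: the three lines from the thread plus one invented UDP
# entry (198.51.100.7 is a documentation address, not a real host).
SAMPLE_LOG = """\
Jun 28 19:24:04 firewall kernel: securityalert: no match found in forward screen: TCP if=eb2 srcaddr=203.167.198.37 srcport=80 dstaddr=208.248.230.4 dstport=1198
Jun 28 19:24:05 firewall kernel: securityalert: no match found in forward screen: TCP if=eb2 srcaddr=203.167.198.37 srcport=80 dstaddr=208.248.230.4 dstport=1200
Jun 28 19:24:08 firewall kernel: securityalert: no match found in forward screen: TCP if=eb2 srcaddr=203.167.198.37 srcport=80 dstaddr=208.248.230.4 dstport=1201
Jun 28 19:30:11 firewall kernel: securityalert: no match found in forward screen: UDP if=eb2 srcaddr=198.51.100.7 srcport=53 dstaddr=208.248.230.4 dstport=31337
"""


def parse_log(text):
    """Return one dict per well-formed securityalert line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            records.append(rec)
    return records


def find_port_sweeps(records, min_ports=3):
    """Per (srcaddr, dstaddr), report pairs touching >= min_ports distinct dstports.

    The source ports are kept too: a single fixed srcport across many dstports
    (80 in the thread) is a scanner signature worth noting in an abuse report.
    """
    seen = defaultdict(lambda: {"dports": set(), "sports": set()})
    for r in records:
        seen[(r["src"], r["dst"])]["dports"].add(r["dport"])
        seen[(r["src"], r["dst"])]["sports"].add(r["sport"])
    return {pair: {"dports": sorted(v["dports"]), "sports": sorted(v["sports"])}
            for pair, v in seen.items() if len(v["dports"]) >= min_ports}


def bo_default_port_hits(records):
    """Events aimed at BO's default UDP port; these merit alerting the owner of the source."""
    return [(r["ts"], r["src"], r["dst"]) for r in records
            if r["proto"] == "UDP" and r["dport"] == BO_DEFAULT_PORT]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, dst), info in find_port_sweeps(recs).items():
        print(f"sweep {src} -> {dst}: dstports {info['dports']}, srcports {info['sports']}")
    for ts, src, dst in bo_default_port_hits(recs):
        print(f"{ts}: {src} -> {dst} udp/{BO_DEFAULT_PORT} (BO default port)")
```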