Back Orifice?...sounds like BS to me...opinions? - Security



Thread: Back Orifice?...sounds like BS to me...opinions?

  1. Back Orifice?...sounds like BS to me...opinions?

    this was posted in the ubuntu ng


    >Someone is blindly ignorant. I just haven't figured out whom, and on
    >which side of the debate. However, I tried an experiment on my trusty,
    >if not too dusty Acer Laptop with Ubuntu 7.10: I shut off the Firestarter
    >firewall, and cruised some questionable links for about a week. Guess
    >what? I picked up an exploit on my LINUX system. When I turned the
    >firewall back on, I observed the following:

    >Via the application, "TOR," I picked up a VERIFIABLE, ACTIVE Back Orifice
    >exploit, operating on ports 9001, SSH 443, 31337 and 54321 - JUST like it
    >does in Windoze, from IP addresses 87.230.93.14 (Germany), 149.9.0.57
    >(Washington, D.C.), 83.92.151.242 (Denmark) and 88.191.37.194 (Paris,
    >FR), and ALL of these are "filtered" addresses.

    >Curiously, I don't recall installing any TOR applications on my system,
    >as I don't do anonymous. So, I blocked the offending IP addresses and
    >ports in Firestarter, and then removed TOR and its dependencies via root
    >terminal, and the problem went away.

    >To console the AV detractors, though, daily runs of Avast! DID NOT detect
    >or disable the exploit.

    >So, where do we go from here?


  2. Re: Back Orifice?...sounds like BS to me...opinions?

    On Sat, 15 Dec 2007, in the Usenet newsgroup comp.os.linux.security, in article
    , mr.b wrote:

    >this was posted in the ubuntu ng


    in an article

    Date: Fri, 14 Dec 2007 23:49:41 -0600
    From: Night0wl
    Subject: A story of a CURRENT LINUX EXPLOIT...
    Message-ID: <47636af5$0$4967$4c368faf@roadrunner.com>

    which is an off-shoot of the on-going thread "avast!". Really brief
    point - that "avast!" thread is highly spiced with troll droppings.
    The main topic is the presence/absence of Linux viruses. As with
    most trolls, this thread is full of opinions, razor edged definitions,
    and the inability of any of the debaters to consider any part of the
    other side's arguments. There's also a lot of name calling, which
    adds nothing to the discussion.

    OK, if you are not subscribed to the Bugtraq mailing list (and if you
    are serious about computer security, you probably should be) as you're
    posting from supernews using pan, point your newsreader at the group
    'mailing.unix.bugtraq' and/or 'muc.lists.bugtraq' which are moderately
    active (~400 articles/month) mirrors of the Bugtraq mailing list.
    Search through that, and see how many articles mention Linux (answer -
    quite a few, nearly all announcing important security updates for
    Debian, Gentoo, Mandriva, and Ubuntu distributions). Then look
    through the articles and notice how many of the articles contain the
    word 'Linux' and 'virus'. Two over the last month:

    Subject: Cisco Security Advisory: Cisco Security Agent for Windows
    System Driver Remote Buffer Overflow Vulnerability

    from Cisco, mentioning that this does NOT apply to Linux, and

    Subject: Filesystem access in DOSBox 0.72

    which says it's possible to get a local exploit, but that the
    application author disagrees.

    Of course, you could always wander over to your favorite search engine
    and look for the words 'Linux' and 'virus' in the past year.

    Bottom line - stay with packages supplied _by_ your distribution (in
    the specific case of Ubuntu, you can also use "official" Debian
    packages as well). If you can't find a specific application and/or
    version there, search first at other distributions (and use alien
    to convert it to a Debian package) or grab the source tarball from
    the distribution and compile that. Second choice would be to go to
    the application author's site and grab the source there. The LAST
    choice would be to grab the source from some other site, review it,
    and then compile. Grabbing a pre-compiled binary from some site
    you've never heard of before puts you into the same risk area that
    the average windoze luser runs in, with a somewhat similar chance
    of finding malware, which is to say "not a good idea".

    Running a non-windoze operating system does not make you mal-ware
    proof, or even mal-ware resistant. A recent article in Bugtraq
    mentions a trojan installed on OSX - an operating system loosely
    based on FreeBSD. The trojan gets installed when the luser visits
    some pr0n site, and a pop-up message tells him that he must install
    a plug-in to view the pr0n. The id10t happily does so, providing the
    root password because the trojan needs root privileges. Are you going
    to blame the O/S for that trojan? The web browser? Or the fool who
    visits the pr0n site because his computer skills match his personal
    skills, and there isn't a chance in he!! that a member of the
    appropriate sex would ever find him worth more than a glance? Social
    Engineering - Because there is no patch for human stupidity.

    Old guy
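
Added example (not code from the thread or from any of its posters): the check a defender would run before deciding, as the original poster did from port numbers alone, that a listener is foreign. It maps each listening TCP socket to the process's executable and asks dpkg whether a distribution package owns it, which is exactly the "stay with packages supplied by your distribution" rule above turned into a test. The `ss -ltnp` output, PIDs, paths and package names in the sample data are constructed, not captured from a real host; `ss`, `/proc/<pid>/exe` and `dpkg -S` are real interfaces and are used only when present.

```python
# Added example, not from the thread. Reconciles listening TCP sockets with the
# distribution package that owns each listening binary, so an unfamiliar listener
# (a "Tor I don't recall installing", or port 31337) is checked, not guessed at.
import os
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample of `ss -ltnp` output; not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:9001     0.0.0.0:*         users:(("tor",pid=1544,fd=6))
LISTEN 0      128    0.0.0.0:31337      0.0.0.0:*         users:(("svc",pid=2310,fd=4))
"""
# Constructed stand-ins for /proc/<pid>/exe and `dpkg -S` (hypothetical values).
SAMPLE_EXE = {812: "/usr/sbin/sshd", 1544: "/usr/bin/tor", 2310: "/tmp/.cache/svc"}
SAMPLE_OWNERS = {"/usr/sbin/sshd": "openssh-server", "/usr/bin/tor": "tor"}

PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+),fd=\d+\)')


@dataclass
class Listener:
    port: int
    addr: str
    name: str
    pid: int
    exe: Optional[str] = None
    package: Optional[str] = None


def parse_ss(text: str) -> List[Listener]:
    """Parse the LISTEN rows of `ss -ltnp` output into Listener records."""
    result = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # also handles [::]:22
        m = PROC_RE.search(line)
        if not m:
            continue  # no process column: other users' sockets need root
        result.append(Listener(int(port), addr, m.group(1), int(m.group(2))))
    return result


def classify(listeners: List[Listener],
             exe_of: Callable[[int], Optional[str]],
             owner_of: Callable[[str], Optional[str]]) -> List[Listener]:
    """Attach the executable path and the owning package to each listener."""
    for lst in listeners:
        lst.exe = exe_of(lst.pid)
        lst.package = owner_of(lst.exe) if lst.exe else None
    return listeners


def unowned_ports(listeners: List[Listener]) -> List[int]:
    """Ports whose listening binary belongs to no installed package."""
    return [lst.port for lst in listeners if lst.package is None]


def live_exe_of(pid: int) -> Optional[str]:
    """Resolve /proc/<pid>/exe; a binary deleted while running is noted as is."""
    try:
        path = os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None  # process gone, or not ours and we are not root
    suffix = " (deleted)"
    return path[:-len(suffix)] if path.endswith(suffix) else path


def live_owner_of(path: str) -> Optional[str]:
    """`dpkg -S <path>` prints 'package: path' on success, exits nonzero otherwise."""
    r = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
    if r.returncode != 0:
        return None
    return r.stdout.split(":", 1)[0].strip()


def report(listeners: List[Listener]) -> List[str]:
    lines = []
    for lst in listeners:
        status = "UNOWNED" if lst.package is None else "ok"
        lines.append(f"{status:7} {lst.addr}:{lst.port} {lst.name} pid={lst.pid} "
                     f"exe={lst.exe} pkg={lst.package}")
    return lines


if __name__ == "__main__":
    if shutil.which("ss") and shutil.which("dpkg"):
        text = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout
        rows = classify(parse_ss(text), live_exe_of, live_owner_of)
    else:
        rows = classify(parse_ss(SAMPLE_SS), SAMPLE_EXE.get, SAMPLE_OWNERS.get)
    print("\n".join(report(rows)))
```

Run it as root on the Ubuntu box so every socket carries its process column. An "UNOWNED" row is not proof of compromise (locally compiled software under /usr/local or a user's home is expected there), but it is the list of binaries the distribution never vouched for, and `apt-cache policy <package>` on the "ok" rows then tells you whether the package itself came from an official repository or from a third-party source.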

  3. Re: Back Orifice?...sounds like BS to me...opinions?

    "mr.b" writes:

    > this was posted in the ubuntu ng


    It's a classic

    >>Someone is blindly ignorant. I just haven't figured out whom, and on
    >>which side of the debate. However, I tried an experiment on my trusty,
    >>if not too dusty Acer Laptop with Ubuntu 7.10: I shut off the Firestarter
    >>firewall, and cruised some questionable links for about a week. Guess
    >>what? I picked-up an exploit on my LINUX system. When I turned the
    >>firewall back on, I observed the following:

    >>Via the application, "TOR," I picked-up a VERIFIABLE, ACTIVE Back Orifice
    >>exploit, operating on ports 9001, SSH 443, 31337 and 54321 - JUST like it
    >>does in Windoze, from IP addresses 87.230.93.14 (Germany), 149.9.0.57
    >>(Washington, D.C.), 83.92.151.242 (Denmark) and 88.191.37.194 (Paris,
    >>FR), and ALL of these are "filtered" addresses.


    A BO "exploit"? BO is/was a Windows remote control tool/trojan
    (depending on who you'd ask), that included both Windows and Linux
    *clients* (the part that used the trojan). So this guy likely has the
    first ported-to-Linux BO install, amazing. (Or he's looking to drop
    the image of Linux security down to the level of Windows using tall
    tales like this one.)


    >>Curiously, I don't recall installing any TOR applications on my system,
    >>as I don't do anonymous. So, I blocked the offending IP addresses and
    >>ports in Firestarter, and then removed TOR and its dependencies via root
    >>terminal, and the problem went away.


    Funny, I use Tor now and then but it never "infected" me. Likely
    someone is capitalizing on the Windows trojan, also called "Tor" by
    some AV-vendors, nothing to do with privacy/anonymous Tor, to create a
    healthy dose of FUD.

    >>To console the AV detractors, though, daily runs of Avast! DID NOT detect
    >>or disable the exploit.


    An exploit or a remote control tool?

    >>So, where do we go from here?


    To a certain Ubuntu forum to smack a certain someone with a clue-stick




    --
    [** America, the police state **]
    Whoooose! What's that noise? Why, it's US citizen's
    rights, going down the toilet with Bush flushing.
    http://www.wired.com/politics/securi...007/08/wiretap
    http://www.hermes-press.com/police_state.htm

  4. Re: Back Orifice?...sounds like BS to me...opinions?

    mr.b wrote:

    > this was posted in the ubuntu ng


    You failed to post a link or URL...

    >>Someone is blindly ignorant. I just haven't figured out whom, and on
    >>which side of the debate. However, I tried an experiment on my trusty,
    >>if not too dusty Acer Laptop with Ubuntu 7.10: I shut off the Firestarter
    >>firewall, and cruised some questionable links for about a week. Guess
    >>what? I picked-up an exploit on my LINUX system. When I turned the
    >>firewall back on, I observed the following:

    >>Via the application, "TOR," I picked-up a VERIFIABLE, ACTIVE Back Orifice
    >>exploit, operating on ports 9001, SSH 443, 31337 and 54321 - JUST like it
    >>does in Windoze, from IP addresses 87.230.93.14 (Germany), 149.9.0.57
    >>(Washington, D.C.), 83.92.151.242 (Denmark) and 88.191.37.194 (Paris,
    >>FR), and ALL of these are "filtered" addresses.

    >>Curiously, I don't recall installing any TOR applications on my system,
    >>as I don't do anonymous. So, I blocked the offending IP addresses and
    >>ports in Firestarter, and then removed TOR and its dependencies via root
    >>terminal, and the problem went away.

    >>To console the AV detractors, though, daily runs of Avast! DID NOT detect
    >>or disable the exploit.

    >>So, where do we go from here?


    Step into reality... it's all bull**** until it's proven as fact. Since
    this hasn't hit the net as big news... it's a local event and probably a
    figment of someone's imagination. And I'm being nice here...


    --

    Jerry McBride (jmcbride@mail-on.us)
