# Huge Security Flaw on my Computer.

## barlad

10 minutes ago, I saw something really worrying on my firewall. I spotted some "backorrifice" connection tries to my computer. Those connections came from an IP which is... MINE.

I launched nmap and did a scan on my computer: I had the following port filtering: 31337 service: Elite.

I guess this is the boffice server. I thought this thing only worked on Windows? I am really... flipped out.

Anyway, I stopped everything (I was running Kazaa at that time and a few other things: Firebird, Firestarter, Nmap), killed my ADSL connection, did a "CTRL ALT DEL" to reboot the X server and re-started everything. This time, none of my ports were open and I didn't have that 31337 port listening.

So was this a false alarm? Has anyone got an explanation, please?

----------

## Brown Eyed Boy

 *barlad wrote:*   

> 10 minutes ago, I saw something really worrying on my firewall. I spotted some "backorrifice" connection tries to my computer. Those connections came from an IP which is... MINE.

 

I don't know much about backorifice, but I explicitly log and drop anything on the input chain which "appears" to come from my IP address.  If you don't have a rule for this, it might be worth adding one.

~Brown Eyed Boy

----------

## barlad

Any idea how I could add such a rule please? I will start digging through iptables manual (I will have to do it sooner or later anyway).

Anyway, I think it was just a false alarm. Firestarter started to block the 31337 port and that is what made it appear as "filtered" through nmapfe. I am not sure about it yet though.

----------

## darktux

 *barlad wrote:*   

> 10 minutes ago, I saw something really worrying on my firewall. I spotted some "backorrifice" connection tries to my computer. Those connections came from an IP which is... MINE.
> 
> I launched nmap and did a scan on my computer: I had the following port filtering: 31337 service: Elite.
> 
> I guess this is the boffice server. I thought this thing only worked on Windows? I am really... flipped out.
> ...

 

Next time do fuser 31337/tcp to see what process is opening that door.

That door is also used by psybnc.

----------

## Brown Eyed Boy

 *barlad wrote:*   

> Any idea how I could add such a rule please? I will start digging through iptables manual (I will have to do it sooner or later anyway).

 

```
# Prevent IP spoofing
iptables -A INPUT -s x.x.x.x -j LOG --log-prefix "Spoofed local machine"
iptables -A INPUT -s x.x.x.x -j DROP
```

x.x.x.x is your IP address.  The first rule logs the spoofed packets then the 2nd rule drops them.  I put those rules immediately after my loopback interface rules, which are at the top of the chain.

Hope this helps.

~Brown Eyed Boy
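The rule pair above logs first and drops second, so everything it catches ends up in the kernel log. As an added example (not Brown Eyed Boy's code; it assumes a made-up address 192.0.2.10 in place of x.x.x.x), here is a small parser for those LOG lines that separates real spoofs from harmless loopback traffic and from hits caused by a stale address after an ADSL reconnect:

```python
import re

# Constructed sample syslog lines in the format the iptables LOG target writes.
# MY_IP and all addresses are made up; MY_IP stands for the x.x.x.x above.
# Note the LOG target appends the packet fields straight after the prefix, so
# "Spoofed local machine" is followed by "IN=" with no space in between.
MY_IP = "192.0.2.10"
PREFIX = "Spoofed local machine"
SAMPLE_LOG = """\
Aug 29 13:36:01 box kernel: Spoofed local machineIN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=31337 DPT=31337 WINDOW=512 RES=0x00 SYN URGP=0
Aug 29 13:36:02 box kernel: Spoofed local machineIN=lo OUT= MAC= SRC=192.0.2.10 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0
Aug 29 13:36:09 box kernel: Spoofed local machineIN=ppp0 OUT= MAC= SRC=192.0.2.99 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=6667 DPT=31337 WINDOW=512 RES=0x00 SYN URGP=0
Aug 29 13:36:12 box kernel: usb 1-1: new device found
"""
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Return the KEY=value fields of a line logged by the anti-spoofing rule,
    or None for any other log line."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len(PREFIX):]))

def classify(fields, my_ip=MY_IP):
    """loopback: our own address on lo, which is normal traffic (hence the
    rules sit after the loopback rules); spoofed: our address arriving on any
    other interface; stale: the rule matched an address that is no longer ours
    (an ADSL address changed, so the hardcoded x.x.x.x must be updated)."""
    if fields.get("IN") == "lo":
        return "loopback"
    if fields.get("SRC") == my_ip:
        return "spoofed"
    return "stale"

def summarize(log_text, my_ip=MY_IP):
    """Count each class and list (interface, proto, dest port) of spoofed hits."""
    counts = {"loopback": 0, "spoofed": 0, "stale": 0}
    hits = []
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        kind = classify(fields, my_ip)
        counts[kind] += 1
        if kind == "spoofed":
            hits.append((fields["IN"], fields["PROTO"], fields["DPT"]))
    return counts, hits
```

Feed it `grep "Spoofed local machine" /var/log/messages` output; a run of "stale" hits means the address in the rule no longer matches the one the link got.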

----------

## nephros

 *barlad wrote:*   

> 10 minutes ago, I saw something really worrying on my firewall. I spotted some "backorrifice" connection tries to my computer. Those connections came from an IP which is... MINE.
> 
> I launched nmap and did a scan on my computer: I had the following port filtering: 31337 service: Elite.
> 
> I guess this is the boffice server. I thought this thing only worked on Windows? I am really... flipped out.
> ...

 

He wasn't really getting somewhere, was he? I mean, OK, some fool tried to connect to a Windows-only worm on your Linux machine. It is unlikely you are running anything at port 31337, so his connection just got refused, and even if you were, it wouldn't be vulnerable (unless you have ported BO server to Linux. There *is* a client version).

Personally, I think you can just ignore this. The fact that he spoofed your IP shows some consideration, but the fact that he tried a Win exploit on Linux shows he is probably no threat. Just another dropped connection like all my stale Kazaa and Gnutella connections and the occasional request for GET \winnt\...\cmd.exe on port 80.

----------

## darktux

 *nephros wrote:*   

> *barlad wrote:*
> > 10 minutes ago, I saw something really worrying on my firewall. I spotted some "backorrifice" connection tries to my computer. Those connections came from an IP which is... MINE.
> > 
> > I launched nmap and did a scan on my computer: I had the following port filtering: 31337 service: Elite.
> > 
> > I guess this is the boffice server. I thought this thing only worked on Windows? I am really... flipped out.
> > ...

 

You're all just assuming, and not very correctly if I may say.

If someone was trying to connect to you, you wouldn't see the open door. Another assumption is that it was something related to BO, which doesn't have to be. As I've said there are other apps, such as psybnc that bind to the 31337 port, and I believe that there are many others, because of the meaning of the port.

----------

## nephros

 *darktux wrote:*   

> You're all just assuming, and not very correctly if I may say.

 

True, and you may, of course.

 *darktux wrote:*   

> If someone was trying to connect to you, you wouldn't see the open door. Another assumption is that it was something related to BO, which doesn't have to be. As I've said there are other apps, such as psybnc that bind to the 31337 port, and I believe that there are many others, because of the meaning of the port.

 

For the sake of argument I will continue my assuming if you don't mind.

So someone tries to connect to my port X, next thing I look is ps ax and nmap localhost and see if there is anything unusual (processes I don't know or ports I did not open).

If I don't detect anything, either his connection will be dropped all the time, or he has installed something sneaky which hides itself from ps, or the thing listening on port X does so only at specific times, or has to be activated manually using something like a specially crafted request to a legit server (which in turn would have been tampered with, or have an unknown/unfixed remote-execution exploit).

Is that correct so far?

----------

## devon

 *Quote:*   

> Is that correct so far?

 

Most times (every time?), when a script kiddie gets r00t on a box, they will install a rootkit which modifies several system binaries like "ls", "ps", "netstat", etc. to hide their work.

----------

## barlad

Just a quick update... it looks like it was a false alarm. In my opinion someone just sent a spoofed IP packet to my 31337 port, my firewall (Firestarter) spotted it and added 31337 to the list of blocked ports.

After that nmap concluded that 31337 was "filtered" and that's what made me flip out.

I am monitoring everything closely and ever since I removed 31337 from the list of closed ports, I have not seen any report either from nmap or from Firestarter.

All seems well... so far.

----------

## darktux

 *nephros wrote:*   

> So someone tries to connect to my port X, next thing I look is ps ax and nmap localhost and see if there is anything unusual (processes I don't know or ports I did not open).
> 
> If I don't detect anything, either his connection will be dropped all the time, or he has installed something sneaky which
> ...

 

If someone connects to a port you have open, the best thing to do (if you don't know what that port has), is to do fuser portnumber/protocol as root to see what process opened the port.

----------

## sceptreofjudah

I just got PortSentry running and when I did an Nmap I got a whole lot of extra ports opened up by it including Back Orifice:

```
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-08-29 13:36 PDT
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on localhost (127.0.0.1):
(The 1459 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
1/udp     open  tcpmux
7/udp     open  echo
9/udp     open  discard
69/udp    open  tftp
161/udp   open  snmp
162/udp   open  snmptrap
513/udp   open  who
635/udp   open  mount
640/udp   open  pcnfs
641/udp   open  unknown
700/udp   open  unknown
31335/udp open  Trinoo_Register
31337/udp open  BackOrifice
32770/udp open  sometimes-rpc4
32771/udp open  sometimes-rpc6
32772/udp open  sometimes-rpc8
32773/udp open  sometimes-rpc10
32774/udp open  sometimes-rpc12
54321/udp open  bo2k
Device type: general purpose|broadband router
Running: Linux 2.4.X|2.5.X|2.6.X, Belkin embedded
Too many fingerprints match this host to give specific OS details
Nmap run completed -- 1 IP address (1 host up) scanned in 9.620 seconds
```

When I did 

```
fuser 31337/udp
```

I got process id 6043; doing 

```
ps -ax | grep 6043
```

came up with 

```
/usr/bin/portsentry -udp
```

Anyone know what this is? Is PortSentry doing this legitimately or is this some kind of trojan horse on PortSentry?

I AM CONCERNED

----------

## sceptreofjudah

Ok, I guess I got it figured out! If I am wrong please let me know?

Using netstat -lnp I see that PortSentry has opened up a lot of ports and is actively listening. This is what it is designed to do -- listen and react to anyone (or anything) scanning these ports that are potential security risks. Ok GOOD!
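The check that runs through this thread (nephros's "ps ax and nmap localhost", darktux's `fuser port/protocol`, and the `netstat -lnp` above) boils down to one question: which process owns a listening socket? As an added example that is not from any poster, here is that lookup done by hand from `/proc`, covering both `/proc/net/tcp` and the UDP table PortSentry shows up in. The `/proc/net/tcp` excerpt is constructed; the inode and pid values in it are made up.

```python
import os
import glob

# Constructed /proc/net/tcp excerpt (not from a real machine): row 0 is a
# listener on 127.0.0.1:31337, row 1 an established ssh connection. Addresses
# are hex with the bytes in reverse order, then ":port" in hex; st 0A = LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 6043123 1 00000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 9876 1 00000000 20 4 30 10 -1
"""

def decode_addr(hexaddr):
    """'0100007F:7A69' -> ('127.0.0.1', 31337)."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in range(0, 8, 2)]
    return ".".join(str(o) for o in reversed(octets)), int(port_hex, 16)

def listening_sockets(proc_net_text, proto="tcp"):
    """Return (proto, ip, port, uid, inode) for each listening row, like
    `netstat -ln`. UDP has no LISTEN state: a bound, unconnected UDP socket
    (the kind portsentry -udp opens) shows st 07 in /proc/net/udp."""
    want = "0A" if proto == "tcp" else "07"
    found = []
    for line in proc_net_text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 10 or cols[3] != want:
            continue
        ip, port = decode_addr(cols[1])
        found.append((proto, ip, port, int(cols[7]), int(cols[9])))
    return found

def owner_pid(inode, proc_root="/proc"):
    """The lookup fuser does: the process whose fd links to socket:[inode]."""
    target = "socket:[%d]" % inode
    for fd in glob.glob(os.path.join(proc_root, "[0-9]*", "fd", "*")):
        try:
            if os.readlink(fd) == target:
                return int(fd.split(os.sep)[-3])
        except OSError:
            continue
    return None

if __name__ == "__main__":
    # Run as root to see other users' fds, the same caveat as for fuser.
    for proto in ("tcp", "udp"):
        with open("/proc/net/" + proto) as fh:
            for p, ip, port, uid, inode in listening_sockets(fh.read(), proto):
                print("%s %s:%d uid=%d pid=%s" % (p, ip, port, uid, owner_pid(inode)))
```

A socket whose inode maps to no pid, or to a pid that `ps` does not show, is exactly the rootkit case devon describes and is worth checking from a clean boot medium.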

----------

