Back orifice - possible cure

29th Dec 1998      Potluru Mohana Vamsi @baan.com

All,

One of my friends (who is not subscribed to either of the above lists) sent
this below mail to VSNL and PC-Quest. I am posting this so users on
Hyderabad server may take note of this and take corrective/preventive
measures.

Please *do not* send mail direct to me or my friend on this. All mails to
the discussion list only.

Regards, 
~Vamsi 
__________
Be like a postage stamp...
Stick to one thing until you get there!

> -----Original Message-----
> From:	Rajib Kumar Ghosh [SMTP:[email protected]]
> Sent:	Tuesday, December 29, 1998 5:55 PM
> To:	Vamsi Mohana Potluru
> Subject:	Msg sent to VSNL about BackOrifice
> 
> Dear Sir,
> 
> Since BackOrifice was released by Cult of the Dead Cow communications
> (www.cultdeadcow.com) in August this year, hackers and would-be hackers
> have everything to rejoice about. Since October 98, I have been receiving
> a spate of emails containing BackOrifice infected programs (in most cases
> Backorifice itself under some luring name).
> 
> Take the example below:
> The mail was received by me on Dec 21, 98. Very clearly, it is a dial-up
> user (IP address 202.54.68.62 on 21/12/98, 20:09 hours), faking the
> helpdesk account and sending the infected file. Since detailed mailer
> information is missing, I have to assume that either he is using direct
> telnet to the SMTP port or he has a mailer that doesn't include this
> information. Very old mailers & special anonymous mailers hide the mailer
> information.
> Most non techno-savvy users would be deceived by the filename (FREE
> GIFTS.EXE) and would attempt to run it. I did run the program to see what
> it does. The program is 122KB in size, has no icon resource. Upon running
> it copies itself to the Windows\System directory and renames itself to
> {space}.exe. Please note that {space} denotes the spacebar character. It
> also creates a registry key in the Run Services section that enables this
> program to run every time the PC is started up. The hackers do not appear
> to be experts themselves as they have done next to nothing to modify the
> BackOrifice executable and trojanise it. Its size, icon resources and file
> name are maintained. I wonder if they have even changed the password and
> port address! Further utilities like saranwrap, silkrope etc. have not
> been used either.
> 
> I feel pity for the poor users of the Internet here in Hyderabad who are
> being poached upon by these cheap-minded people. I am aware enough of the
> dangers to protect myself, but I suspect a lot of people have already paid
> the price of asking for FREE GIFTS.
> 
> Since the IP address of the sender is present, I think it would be simple
> for the system administrators to trace the login-id from the DHCP logs.
> Let them take very strict action, post a warning message to all users
> informing them of what is happening and what will happen to aspiring
> hackers. Let the Internet be a safe place.
> 
> Thanking you
> Yours sincerely
> Rajib Ghosh
> 
> Dr. Neeraj's Multimedia Studios Pvt. Ltd.
> 11-5-401/2, Red Hills,
> Hyderabad, AP, India
> Tel : +91-40-3316243, 3316223, 3390755
> Fax: +91-40-3316223
> WWW : www.ebiz.com/~neeraj
> 
> -------------------Mail message follows----------------------
> From helpdesk Mon Dec 21 20:09:01 1998
> Received: from apsccfc ([202.54.68.62])
> by hd1.vsnl.net.in (8.8.8/8.8.8) with SMTP id TAA30631;
> Mon, 21 Dec 1998 19:44:28 +0500 (GMT+0500)
> Received: by apsccfc with Microsoft Mail
> id <01be2d1b.81ee5640@apsccfc>; Mon, 21 Dec 1998 19:52:58 +0530
> Message-ID: <01be2d1b.81ee5640@apsccfc>
> From: Administrator 
> To: "'[email protected]'" 
> Cc: "'[email protected]'" ,
>         "'[email protected]'" ,
>         "'[email protected]'" ,
> 
> ..
> .. {email addresses of all users on the server}
> 
> 
> Subject: HI FROM VSNL HELP DESK
> Date: Mon, 21 Dec 1998 19:52:04 +0530
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="----=_NextPart_000_01BE2D1B.8220B0E0"
> Status: O
> X-Status:
> 
> 
> ------=_NextPart_000_01BE2D1B.8220B0E0
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> 
> Hello Everybody,
>    Get a free pop email and many gifts for NEW YEAR & CHRISTMAS
> BY DOWNLODING THIS ATTACHMENT AND RUN IT.
> 
> ADMIN
> 
> ------=_NextPart_000_01BE2D1B.8220B0E0
> Content-Type: application/x-msdownload; name="FREE GIFTS.exe"
> Content-Transfer-Encoding: base64
> 
> TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
> ZGUuDQ0KJAAAAAAAAFVQRQAATAEGANqVxjUAAAAAAAAAAOAADgELAQMKAEYBAAAOAQAAAAAAoAIA
> AAAQAAAAYAEAAABAAAAQAAAAAgAABAAAAAAAAAAEAAAAAAAAAACQAgAABAAAAAAAAAIAAAAAABAA
> 
> ABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAAAgAgDIAAAAAEACAJgmAAAAAAAAAAAAAAAAAAAA
> AAAAAHACAKwWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AACoIwIAzAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAAEYBAAAQAAAARgEAAAQA
> .. {rest of the MIME data}
> 


29th Dec 1998      Rippy @del2.vsnl.net.in

Dear Innmates,

I think VSNL should either give quality service or should not give it at
all. Last month my internet account got hacked by someone and I reported the
matter to the customer relation officer at our New Delhi office. He told
me that nothing could be done as it was beyond their control and to ensure
the safety of the account one should keep on changing the password (which I
always have been doing). Further he told me to get the account renewed
immediately in order to avoid any disruption in the service. Last week I got
my TCP/IP account renewed and changed my password but to my surprise again
found my account to be hacked and misused by someone. On reporting the
matter again to VSNL the same customer relation officer told me to write an
application and refused to compensate for the loss of hours. He denied that
VSNL does not know when the user's password gets changed, which I personally
think is bullshit! This shows the height of poor service being provided by
the largest internet service provider in the country. I think they are simply
exploiting their customers.
Nobody is here to listen to my grievance. Unless you know someone in a
high position nothing can work in this country. The government offices are
full of corrupt and useless officials who have no sense of responsibility
towards their customers. I'm not from any big organisation and I cannot
afford to spend so much money every month on my internet account.
Can anyone help me in contacting the right officials, because I'm frustrated
now.
Please provide me with some details about the right officials to be
contacted and if possible with their email addresses.

Thanks

Rippy.


30th Dec 1998      jayesh @bom3.vsnl.net.in

dear sir
in relation to your acct being hacked, mine was also hacked and i lost about
350 hours off my acct.
someone told me to scan my computer for trojan viruses with an updated
antivirus and sure enough
i found netbus and back orifice on my computer. both these trojans enable
whatever is typed on your keyboard to be logged. then this log file can be
retrieved at a later date. they also do other kinds of
harm. i suggest that you will be well served to download or update your
existing antivirus to enable it to catch these trojans. a good antivirus is
anti virus pro which can be got from avp.com. as for vsnl, the less said the
better because they have only one refrain: keep changing passwords. it doesn't
make a difference since the log has got it. it is better to kill the problem
at source, i.e. your computer. after all, prevention is better than cure
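Alongside an antivirus scan, the persistence mechanism Rajib describes in the forwarded mail (a copy named " .exe" in Windows\System, started from the RunServices key on every boot) can be checked by hand. The script below is an added example, not from the post or from any antivirus product: the key paths are the standard Windows autostart keys, SAMPLE_ENTRIES is constructed to mimic such an infection, and on Windows the real keys are read with winreg while on other systems the sample data is used.

```python
"""Flag autostart entries whose program name is blank apart from the extension.

Added example (not from the post). SAMPLE_ENTRIES is constructed; the key
paths are the standard HKLM\\...\\CurrentVersion autostart keys.
"""
import ntpath
import re
import sys

AUTOSTART_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
)

# Constructed sample: two ordinary entries and one shaped like the post's " .exe".
SAMPLE_ENTRIES = {
    r"Software\Microsoft\Windows\CurrentVersion\Run": {
        "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    },
    r"Software\Microsoft\Windows\CurrentVersion\RunServices": {
        "SystemTray": r"C:\WINDOWS\SYSTEM\SysTray.Exe",
        "": r"C:\WINDOWS\SYSTEM\ .exe",
    },
}

# Program part of a command line: up to the first .exe/.com, quoted or not.
PROGRAM_RE = re.compile(r'^\s*"?(.*?\.(?:exe|com))"?(?:\s|$)', re.IGNORECASE)


def program_path(command: str) -> str:
    """Return the program path from an autostart command line.

    Stopping at the extension rather than at the first space keeps paths
    with spaces intact, including a path whose file name is a single space."""
    m = PROGRAM_RE.match(command)
    return m.group(1) if m else command.strip()


def suspicious_entries(entries):
    """Entries whose file name, with the extension removed, is empty or whitespace."""
    findings = []
    for key, values in entries.items():
        for name, command in values.items():
            base = ntpath.basename(program_path(command))
            stem = base[:-4] if base.lower().endswith((".exe", ".com")) else base
            if stem.strip() == "":
                findings.append({"key": key, "value_name": name, "command": command,
                                 "reason": "executable name is blank or whitespace only"})
    return findings


def read_live_entries():
    """Read the autostart keys under HKLM with winreg on Windows; {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries = {}
    for subkey in AUTOSTART_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey)
        except OSError:
            continue          # key absent on this Windows version
        values = {}
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break         # no more values
            values[name] = str(data)
            index += 1
        winreg.CloseKey(key)
        entries[subkey] = values
    return entries


if __name__ == "__main__":
    data = read_live_entries() or SAMPLE_ENTRIES
    for f in suspicious_entries(data):
        print(f"HKLM\\{f['key']} [{f['value_name']!r}] -> {f['command']!r}: {f['reason']}")
```

The heuristic is deliberately narrow: it catches the blank-name trick without producing noise for legitimate entries, and the value name is not used as a signal because the default value of a key legitimately has an empty name.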


30th Dec 1998      Potluru Mohana Vamsi @baan.com

Rippy,

Please refer to the mail of Jayesh on this issue. I would like to add my 2
bits' worth.

The responsibility of securing an account lies with us. On this issue please
see the mass attack that took place on the users of the Hyderabad server. My
previous mail "[iinn-l] FW: Msg sent to VSNL about BackOrifice" illustrates
one of the means of such an attack.

It being the holiday season, you can be sure of getting more e-mails with
*greeting cards*. In fact these could be trojans whose purpose is to
infiltrate our machines. Sometimes even friends send these mails unwittingly.

My suggestion: ignore all executable greeting cards (mails with attachments
of type *.exe and *.com). And if you have this irresistible urge to send a
card, use html cards. One of the sites where you can create html cards for
your friends is http://www.123greetings.com.

Lastly, VSNL secures its systems well, to the extent of denying members a
decent shell account.

I hope someone more knowledgeable on this list will take some time to
create a list of do's and don'ts to avoid passwords getting out. After all, not
everyone is a techie and sometimes it is a bad, bad world out there in
cyberspace.

Regards, 
~Vamsi 
Baan Project
+91-40-335-1542 (extn: 2305)
__________
Be like a postage stamp...
Stick to one thing until you get there!


31st Dec 1998      P-S @giasmd01.vsnl.net.in

With all the discussions going on about Back Orifice and VSNL's (plus the
users') inability to check the onslaught, the freeware mentioned below
seems to be a more viable solution.

Those of you who have been affected, please try the same; any feedback
from you would be most helpful. I am reproducing below a short account of
the software as found on the site, along with the address. The site also
features a whole lot of software which will be immensely useful to most of
us.

***************************************************************************


http://www.winfiles.com/apps/98/net-misc.html

N O B O

A Windows 95/98 program that detects Back Orifice (BO) packets destined to
the machine it's running on. When such a packet is received, NOBO logs the
IP address and host name it came from, along with the BO operation (such as
file delete, system info, etc.). Also, NOBO can be configured to reply back
a text message to the BO client; such message is displayed on the BO client
screen every time a BO packet is sent to the machine running NOBO. NOBO is
small and simple to install. Actually no installation is required; just grab
the executable and run it.

Published by Flavio Veloso
NOBO Home Page

***************************************************************************

P.S.
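The core of what the NOBO description above promises, logging the IP address and host name of whoever sends a Back Orifice packet to the machine, is a UDP listener with reverse lookup. The following is an added example, not NOBO's code: it assumes UDP port 31337, which is Back Orifice's default listening port and is not stated in the post, and it records only the source and size of each datagram without decoding the BO command inside it. The send_probe helper exists so the listener can be exercised over loopback with a constructed payload.

```python
"""NOBO-style listener: log who sends datagrams to the Back Orifice port.

Added example (not NOBO's code). Port 31337 is BO's default UDP port, an
assumption not stated in the post; the BO command is not decoded.
"""
import socket
import time

BO_DEFAULT_PORT = 31337  # Back Orifice default UDP port (assumption, see lead-in)


def open_listener(host="0.0.0.0", port=BO_DEFAULT_PORT):
    """Bind a UDP socket where a BO client would expect the server to be."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def reverse_name(ip):
    """Host name for an IP, or 'unknown' when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:            # socket.herror / gaierror are OSError subclasses
        return "unknown"


def make_record(addr, data):
    """Log entry for one datagram: when, from where, and how large."""
    ip, port = addr
    return {"time": time.strftime("%Y-%m-%d %H:%M:%S"), "ip": ip, "port": port,
            "host": reverse_name(ip), "bytes": len(data)}


def capture_one(sock, timeout=2.0):
    """Wait up to `timeout` seconds (None = forever) for one datagram."""
    sock.settimeout(timeout)
    try:
        data, addr = sock.recvfrom(65535)
    except socket.timeout:
        return None
    return make_record(addr, data)


def format_record(rec):
    return (f"{rec['time']} BO packet from {rec['ip']}:{rec['port']} "
            f"({rec['host']}), {rec['bytes']} bytes")


def send_probe(port, payload=b"constructed probe", host="127.0.0.1"):
    """Send one constructed datagram to the listener (for local testing)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        client.sendto(payload, (host, port))
    return len(payload)


if __name__ == "__main__":
    listener = open_listener()
    print(f"listening on UDP {BO_DEFAULT_PORT}; Ctrl-C to stop")
    try:
        while True:
            rec = capture_one(listener, timeout=None)
            if rec:
                print(format_record(rec))
    except KeyboardInterrupt:
        pass
```

Binding the port has a useful side effect beyond logging: while the listener holds it, a real BO server on the same machine cannot bind its default port. Anything arriving there is worth a log line, since no legitimate service uses it.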


1st Jan 1999      jayesh @bom3.vsnl.net.in

dear sir
in response to the cure of bo there is a wonderful programme called the cleaner
available at www.dynamsol.com
it cures and removes all known trojans and suchlike and is updated
every time a new trojan is detected. it is very good and i believe is
freeware. it is very good and will go a long way in keeping our computers
free from prying eyes.
jayesh
