Back orifice - possible cure
29th Dec 1998 Potluru Mohana Vamsi @baan.com
All,
One of my friends (who is not subscribed to either of the above lists) sent
the mail below to VSNL and PC-Quest. I am posting this so that users on the
Hyderabad server may take note of it and take corrective/preventive
measures.
Please *do not* send mail directly to me or my friend on this. All mails to
the discussion list only.
Regards, 
~Vamsi 
__________
Be like a postage stamp...
Stick to one thing until you get there!
> -----Original Message-----
> From:	Rajib Kumar Ghosh [SMTP:[email protected]]
> Sent:	Tuesday, December 29, 1998 5:55 PM
> To:	Vamsi Mohana Potluru
> Subject:	Msg sent to VSNL about BackOrifice
> 
> Dear Sir,
> 
> Since BackOrifice was released by Cult of the Dead Cow communications
> (www.cultdeadcow.com) in August this year, hackers and would-be hackers
> have everything to rejoice about. Since October 98, I have been receiving
> a spate of emails containing BackOrifice-infected programs (in most cases
> BackOrifice itself under some luring name).
> 
> Take the example below:
> The mail was received by me on Dec 21, 98. Very clearly, it is a dial-up
> user (IP address 202.54.68.62 on 21/12/98, 20:09 hours), faking the helpdesk
> account and sending the infected file. Since detailed mailer information is
> missing, I have to assume that either he is using direct telnet to the SMTP
> port or he has a mailer that doesn't include this information. Very old
> mailers & special anonymous mailers hide the mailer information.
> Most non-techno-savvy users would be deceived by the filename (FREE
> GIFTS.EXE) and would attempt to run it. I did run the program to see what
> it does. The program is 122KB in size and has no icon resource. Upon running
> it copies itself to the Windows\System directory and renames itself to
> {space}.exe. Please note that {space} denotes the spacebar character. It
> also creates a registry key in the Run Services section that enables this
> program to run every time the PC is started up. The hackers do not appear
> to be experts themselves as they have done next to nothing to modify the
> BackOrifice executable and trojanise it. Its size, icon resources and file
> name are maintained. I wonder if they have even changed the password and
> port address! Further utilities like saranwrap, silkrope etc. have not been
> used either.
> 
> I feel pity for the poor users of the Internet here in Hyderabad who are
> being poached upon by these cheap-minded people. I am aware enough of the
> dangers to protect myself, but I suspect a lot of people have already paid
> the price of asking for FREE GIFTS.
> 
> Since the IP address of the sender is present, I think it would be simple
> for the system administrators to trace the login-id from the DHCP logs. Let
> them take very strict action, post a warning message to all users informing
> them of what is happening and what will happen to aspiring hackers. Let the
> Internet be a safe place.
> 
> Thanking you
> Yours sincerely
> Rajib Ghosh
> 
> Dr. Neeraj's Multimedia Studios Pvt. Ltd.
> 11-5-401/2, Red Hills,
> Hyderabad, AP, India
> Tel : +91-40-3316243, 3316223, 3390755
> Fax: +91-40-3316223
> WWW : www.ebiz.com/~neeraj
> 
> -------------------Mail message follows----------------------
> From helpdesk Mon Dec 21 20:09:01 1998
> Received: from apsccfc ([202.54.68.62])
> by hd1.vsnl.net.in (8.8.8/8.8.8) with SMTP id TAA30631;
> Mon, 21 Dec 1998 19:44:28 +0500 (GMT+0500)
> Received: by apsccfc with Microsoft Mail
> id <01be2d1b.81ee5640@apsccfc>; Mon, 21 Dec 1998 19:52:58 +0530
> Message-ID: <01be2d1b.81ee5640@apsccfc>
> From: Administrator 
> To: "'[email protected]'" 
> Cc: "'[email protected]'" ,
>         "'[email protected]'" ,
>         "'[email protected]'" ,
> 
> ..
> .. {email addresses of all users on the server}
> 
> 
> Subject: HI FROM VSNL HELP DESK
> Date: Mon, 21 Dec 1998 19:52:04 +0530
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="----
> =_NextPart_000_01BE2D1B.8220B0E0"
> Status: O
> X-Status:
> 
> 
> ------ =_NextPart_000_01BE2D1B.8220B0E0
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> 
> Hello Everybody,
>    Get a free pop email and many gifts for NEW YEAR & CHRISTMAS
> BY DOWNLODING THIS ATTACHMENT AND RUN IT.
> 
> ADMIN
> 
> ------ =_NextPart_000_01BE2D1B.8220B0E0
> Content-Type: application/x-msdownload; name="FREE GIFTS.exe"
> Content-Transfer-Encoding: base64
> 
> TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AA
> AAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG
> 1v
> ZGUuDQ0KJAAAAAAAAFVQRQAATAEGANqVxjUAAAAAAAAAAOAADgELAQMKAEYBAAAOAQAAAAAAoA
> IA
> AAAQAAAAYAEAAABAAAAQAAAAAgAABAAAAAAAAAAEAAAAAAAAAACQAgAABAAAAAAAAAIAAAAAAB
> AA
> 
> ABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAAAgAgDIAAAAAEACAJgmAAAAAAAAAAAAAAAAAA
> AA
> AAAAAHACAKwWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AA
> AACoIwIAzAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAAEYBAAAQAAAARgEAAA
> QA
> .. {rest of the MIME data}
> 
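The forwarded mail above describes the trojan's persistence: a copy named " .exe" (a lone space) dropped in Windows\System and a Run Services registry value that launches it at startup. The script below is an added example, not code from the thread or from any of its posters, showing how a defender can check an autostart key for exactly that pattern. The HKLM key paths are the standard Windows Run/RunServices locations and are an assumption; the value name "Service" in the sample data is invented, while the executable path is the one Rajib reports. The matching logic is kept as a pure function so it can be exercised on any platform; only the registry read needs Windows.

```python
"""Added example (not from the thread or any poster): a defensive check for
the persistence Rajib describes, a Run / RunServices registry value that
launches an executable named only " .exe" (a lone space) in Windows\\System.
The matching logic is a pure function over {value_name: command_line} so it
can be tested offline; the winreg read at the bottom only runs on Windows."""
import ntpath
import sys

# Standard HKLM autostart keys (assumed; the thread only names "Run Services").
AUTOSTART_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)


def executable_from_command(command: str) -> str:
    r"""Extract the program path from an autostart command line.

    A quoted path is taken up to the closing quote. For an unquoted path the
    usual split-on-space fails on 'C:\WINDOWS\SYSTEM\ .exe', so the command is
    cut just after the first '.exe' instead."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command.strip('"')
    idx = command.lower().find(".exe")
    if idx >= 0:
        return command[: idx + 4]
    return command.split(" ", 1)[0]


def is_blank_name_executable(path: str) -> bool:
    """True when the file name minus its extension is nothing but whitespace,
    i.e. the ' .exe' name used by the sample in the thread."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    return ext.lower() in (".exe", ".com") and stem != "" and stem.strip() == ""


def find_suspicious_autostart(values: dict) -> list:
    """Return (value_name, executable, reason) for every autostart entry whose
    program has a blank file name."""
    findings = []
    for name, command in values.items():
        exe = executable_from_command(command)
        if is_blank_name_executable(exe):
            findings.append((name, exe, "autostart program has a blank file name"))
    return findings


def read_autostart_values(key_path: str) -> dict:
    r"""Read every value under HKLM\<key_path> as {name: data}. Windows only."""
    import winreg  # standard library, but only importable on Windows
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # raised when there are no more values
                    break
                values[name] = str(data)
                index += 1
    except OSError:  # key absent on this Windows version
        pass
    return values


# Constructed sample of an autostart key: one benign entry and one shaped
# like the trojan's (value name "Service" is invented; the path is the one
# the thread describes).
SAMPLE_VALUES = {
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    "Service": r"C:\WINDOWS\SYSTEM\ .exe",
}

if __name__ == "__main__":
    if sys.platform == "win32":
        for key_path in AUTOSTART_KEYS:
            for finding in find_suspicious_autostart(read_autostart_values(key_path)):
                print(key_path, *finding)
    else:
        for finding in find_suspicious_autostart(SAMPLE_VALUES):
            print(*finding)
```

Run on Windows it walks both keys and prints any blank-named autostart program; elsewhere it runs the same check over the constructed sample. The split-on-".exe" rule in `executable_from_command` is what makes the odd " .exe" path survive parsing; a naive split on the first space would have thrown the file name away entirely.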
29th Dec 1998 Rippy @del2.vsnl.net.in
Dear Innmates, I think VSNL should either give quality service or should not give it at all. Last month my internet account got hacked by someone and I reported the matter to the customer relation officer at our New Delhi office. He told me that nothing could be done as it was beyond their control and that to ensure the safety of the account one should keep on changing the password (which I always have been doing). Further he told me to get the account renewed immediately in order to avoid any disruption in the service. Last week I got my TCP/IP account renewed and changed my password, but to my surprise again found my account to be hacked and misused by someone. On reporting the matter again to VSNL, the same customer relation officer told me to write an application and refused to compensate for the loss of hours. He denied that VSNL does not know when the user's password gets changed, which I personally think is bullshit! This shows the height of poor service being provided by the largest internet service provider in the country. I think they are simply exploiting their customers. Nobody is here to listen to my grievance. Unless you know someone in a high position nothing can work in this country. The government offices are full of corrupt and useless officials who have no sense of responsibility towards their customers. I'm not from any big organisation and I cannot afford to spend so much money every month on my internet account. Can anyone help me in contacting the right officials, because I'm frustrated now. Please provide me with some details about the right officials to be contacted and if possible with their email addresses. Thanks, Rippy.
30th Dec 1998 jayesh @bom3.vsnl.net.in
Dear sir, in relation to your acct being hacked, mine was also hacked and I lost about 350 hours off my acct. Someone told me to scan my computer for trojan viruses with an updated antivirus and sure enough I found NetBus and Back Orifice on my computer. Both these trojans enable whatever is typed on your keyboard to be logged. Then this log file can be retrieved at a later date. They also do other kinds of harm. I suggest that you will be well served to download or update your existing antivirus to enable it to catch these trojans. A good antivirus is Anti Virus Pro, which can be got from avp.com. As for VSNL, the less said the better, because they have only one refrain: keep changing passwords. It doesn't make a difference since the log has got it. It is better to kill the problem at source, i.e. your computer. After all, prevention is better than cure.
30th Dec 1998 Potluru Mohana Vamsi @baan.com
Rippy, please refer to the mail of Jayesh on this issue. I would like to add my 2 bits' worth. The responsibility of securing an account lies with us. On this issue please see the mass attack that took place on the users of the Hyderabad account. My previous mail "[iinn-l] FW: Msg sent to VSNL about BackOrifice" illustrates one of the means of such an attack. It being a holiday season, you can be sure of getting more e-mails with *greeting cards*. In fact these could be trojans whose purpose is to infiltrate our machines. Sometimes even friends send these mails unwittingly. My suggestion: ignore all executable greeting cards (mails with attachments of type *.exe and *.com). And if you have this irresistible urge to send a card, use HTML cards. One of the sites where you can create HTML cards for your friends is http://www.123greetings.com. Lastly, VSNL secures its systems well, to the extent of denying members a decent shell account. I hope someone more knowledgeable on this list will take some time to create a list of do's and don'ts to avoid passwords getting out. After all, not everyone is a techie and sometimes it is a bad, bad world out there in cyberspace.
Regards,
~Vamsi
Baan Project +91-40-335-1542 (extn: 2305)
__________
Be like a postage stamp...
Stick to one thing until you get there!
31st Dec 1998 P-S @giasmd01.vsnl.net.in
With all the discussions going on about Back Orifice and VSNL's (plus the
users') inability to check the onslaught, the freeware mentioned below
seems to be a more viable solution.
Those of you who have been affected, please try the same; any feedback
from you would be most helpful. I am reproducing below a short account of
the software as found on the site, along with the address. The site also
features a whole lot of software which will be immensely useful to most of
us.
***************************************************************************
http://www.winfiles.com/apps/98/net-misc.html
N O B O
A Windows 95/98 program that detects Back Orifice (BO) packets destined to
the machine it's running on. When such a packet is received, NOBO logs the
IP address and host name it came from, along with the BO operation (such as
file delete, system info, etc.). Also, NOBO can be configured to reply back
a text message to the BO client; such a message is displayed on the BO
client screen every time a BO packet is sent to the machine running NOBO.
NOBO is small and simple to install. Actually no installation is required;
just grab the executable and run it.
Published by Flavio Veloso
NOBO Home Page
***************************************************************************
P.S.
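The NOBO description above boils down to three behaviours: listen for packets aimed at the machine, log where they came from (IP address and host name), and optionally answer the sender with a text message. The listener below is an added example written to illustrate that design; it is not NOBO, nor code from anyone in this thread, and it does not decode BO commands (it only logs a hex prefix of each datagram). The port is taken from the command line and defaults to 31337, Back Orifice's documented default UDP port, which is an assumption on my part since the thread never states the port.

```python
"""Added example (not NOBO and not from the thread): a minimal UDP listener in
the spirit of the NOBO description. It logs the source IP, its reverse-DNS
name and a hex prefix of each datagram, and can send a text reply back.
Assumptions: the port comes from the command line, defaulting to 31337, Back
Orifice's documented default; the datagram is not decoded, only summarised."""
import socket
import sys
import time

DEFAULT_PORT = 31337  # Back Orifice's documented default UDP port (assumed)


def describe_datagram(src_ip: str, hostname: str, payload: bytes, when: float) -> str:
    """One log line: UTC timestamp, source address and name, length, hex head."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(when))
    return (f"{stamp} udp from {src_ip} ({hostname}) "
            f"len={len(payload)} head={payload[:16].hex()}")


def reverse_lookup(ip: str) -> str:
    """Best-effort PTR lookup of the sender; never raises."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return "unresolved"


def serve(port: int, reply: bytes = b"", log=print) -> None:
    """Bind the port, log every datagram received, optionally answer the sender."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    log(f"listening on udp/{port}")
    while True:
        payload, (src_ip, src_port) = sock.recvfrom(65535)
        log(describe_datagram(src_ip, reverse_lookup(src_ip), payload, time.time()))
        if reply:
            sock.sendto(reply, (src_ip, src_port))


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_PORT
    serve(port, reply=b"This machine logs Back Orifice traffic.\r\n")
```

Run with `python listener.py 31337` (or another port) on a machine that does not itself run the BO server; every datagram to that port becomes one log line, and the sender receives the configured text, mirroring NOBO's reply feature. Logging only a 16-byte hex prefix keeps unknown payloads out of the log file while still giving enough to correlate repeated probes from one source.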
1st Jan 1999 jayesh @bom3.vsnl.net.in
Dear sir, in response to the cure of BO, there is a wonderful programme called The Cleaner available at www.dynamsol.com. It cures and removes all known trojans and suchlike and is updated every time a new trojan is detected. It is very good and I believe is freeware. It is very good and will go a long way in keeping our computers free from prying eyes. jayesh