[Dshield] Outpost firewall Pro has Back Orifice trojan program

Johannes B. Ullrich jullrich at sans.org
Tue Feb 3 13:55:37 GMT 2004

The purpose of 'Service.lst' is to translate port numbers into
human-readable strings.

From your sample below, port 53 is used for "DNS", which is short for
"Domain Name Service".

The 'Back Orifice' line is just included so if someone hits you
with a UDP packet on port 31337, the firewall can display "You have been
hit with a Back Orifice packet" (or something like that) instead of the
more cryptic "You have been hit with a UDP packet on port 31337".

Systems usually have a default services file (e.g. /etc/services in
Unix, or /win/system32/drivers/etc/services in Windows). However, these
service files typically only list 'official' services. Firewalls
sometimes include their own file as they try to provide more verbose
alerts for trojan ports.

On Tue, 2004-02-03 at 07:25, Mr Babak Memari wrote:
> Hi
> I have found this file below in Outpost firewall Pro:
> C:\Program Files\Agnitum\Outpost Firewall\Service.lst
> After opening it with Notepad I found a trace of "Back Orifice trojan
> program":
> [udp]
> 7,ECHO,Echo
> 9,Discard,Discard
> 13,Daytime,Daytime
> 17,QOTD,Quote of the Day
> 19,Chargen,Character Generator
> 37,Time,Timeserver
> 53,DNS,Domain name service
> 67,BOOTPS,Bootstrap Protocol Server
> 68,BOOTPC,Bootstrap Protocol Client
> 137,NETBIOS_NS,NETBIOS Name Service
> 138,NETBIOS_DGM,NETBIOS Datagram Service
> 161,SNMP,SNMP (Simple Network Management Protocol)
> 162,SNMPTRAP,SNMPTRAP (Simple Network Management Protocol)
> 4000,ICQ,ICQ chat program
> 31337,BackOrifice,Back Orifice trojan program      <<<=====NOTE Please **
> What is your idea? I have downloaded it from agnitum.com.
> -----
> Babak
> www.voidspace.org.uk/babak
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
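
The lookup described in the reply above, as an added example that is not part of the original message and is not Agnitum's code. The file layout (a `[protocol]` header followed by `port,short name,description` lines) is inferred from the quoted excerpt only; the alert wording and the function names are assumptions.

```python
# Constructed sample in the layout of the Service.lst excerpt quoted in this thread.
SAMPLE_SERVICE_LST = """\
[udp]
7,ECHO,Echo
53,DNS,Domain name service
161,SNMP,SNMP (Simple Network Management Protocol)
31337,BackOrifice,Back Orifice trojan program
"""


def parse_service_list(text):
    """Return {(protocol, port): (short_name, description)} from list text."""
    table = {}
    protocol = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section header such as [udp]; applies to the lines that follow.
            protocol = line[1:-1].strip().lower()
            continue
        # Split at most twice so a description may itself contain commas.
        fields = [f.strip() for f in line.split(",", 2)]
        if protocol is None or len(fields) != 3 or not fields[0].isdecimal():
            continue  # entry outside any section, or malformed: skip it
        port = int(fields[0])
        if 0 < port <= 65535:
            table[(protocol, port)] = (fields[1], fields[2])
    return table


def describe_packet(table, protocol, port):
    """Build alert text; unlisted ports keep the bare protocol/port form."""
    base = f"{protocol.upper()} packet on port {port}"
    entry = table.get((protocol.lower(), port))
    if entry is None:
        return base
    # The label names the destination port only; it says nothing about
    # whether the corresponding program is present on the host.
    return f"{base} ({entry[1]})"


if __name__ == "__main__":
    services = parse_service_list(SAMPLE_SERVICE_LST)
    for port in (53, 31337, 40000):
        print(describe_packet(services, "udp", port))
```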