TROJAN: Back Orifice 2000 Client Connection
This signature detects connections between a Back Orifice 2000 (BO2K) client and server. This indicates that a BO2K client has made a successful connection to a server that is listening on the standard BO2K port. It allows a remote attacker to take control of the infected host.
Extended Description
The web server supplied with the QNX Voyager demo disk contains several vulnerabilities. First, Voyager will follow relative paths passed to it in requests. This includes ../ style paths, which will allow Voyager to serve pages outside of the "document root". Another vulnerability is that the web server does not have sufficient security restrictions - this means that the web server can access any file, including protected files and special /dev entries. As well, due to the integration of the web browser and web server, information used by the Photon GUI is easily exposed by requesting files under /.photon/. Additionally, html files generated by the web browser (error messages, for example) and the QNX configuration interface share the same directory as published html files. While the Voyager web server is not intended to be used in a production environment, and is in fact intended only to be a demo of the QNX OS, users should be aware of these design errors.
Affected Products
Qssl voyager
References
BugTraq: 1648
CVE: CVE-1999-0660
URL: http://secunia.com/virus_information/4619 http://www.sarc.com/avcenter/venc/data/back.orifice2000.trojan.html
Short Name
TROJAN:BACKORIFICE:BO2K-CONNECT
Severity
Major
Recommended
False
Recommended Action
Drop
Category
TROJAN
Keywords
2000 Back CVE-1999-0660 Client Connection Orifice bid:1648
Release Date
10/16/2003
Supported Platforms
srx-branch-19.3
vsrx3bsd-19.2
srx-19.4
vsrx3bsd-19.4
srx-branch-19.4
vsrx-19.4
vsrx-19.2
srx-19.3
srx-branch-12.3
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx-12.3
vmx-19.3
srx-12.3
Sigpack Version
3724
Port
TCP/6000-10000,31337
False Positive
Unknown
Vendors
Qssl
CVSS Score
8.8