It looks like you're using an Ad Blocker.

Please white-list or disable in your ad-blocking tool.

Thank you.


Some features of ATS will be disabled while you continue to use an ad-blocker.


Back Orifice 2000

page: 1

log in


posted on Sep, 16 2009 @ 03:21 AM
When viewing my "McAfee Log Viewer" for "Inbound Events" I get "Unsolicited Connections" all the time and under the "Event Information" heading it tells me what port was just accessed. And when I use the "Trace this IP" option it usually traces it to China or Australia and, of course, I have the option to ban it. I also get "Unsolicited Connections" from my ISP.

But, once in a while I get one from an IP that matches my ISP, but under the "Event Information" heading it says something obscene like (in this case) "Back Orifice 2000".

Under details it says:

"A computer at" (My ISP) "...has attempted an unsolicited connection to UDP port 54320 on your computer.

UDP port 54320 is commonly used by the "Back Orifice 2000" service or program. The source computer has scanned your computer for this trojan, but it has been blocked by your firewall."

(1) In laymen's terms, what exactly does this mean, and should I be worried about someone accessing my computer?

(2) a) I also get hits for ports 18728 (like one every 15 seconds) and port 4466 (everytime I connect to the internet). What are these ports used for and how can I close them?
b) Have these connections already been blocked and my Log Viewer is merely noting that an attempt was made?

(3) I've also traced a group of IP's (all have the same set of numbers in them, with the exception of the last 2 or 3 digits) to a location the same distance away from CIA HQ in Virginia, and the Pentagon. To which I always scratch my head and wonder, WTF!?

(4) Has anyone else experienced the same thing here?

posted on Sep, 16 2009 @ 08:37 AM
If you have a good software and hardware firewall, you shouldn't be worried.

Also have the best antispyware software installed in your system:

Back Orifice is an old software that we used to use to prank friends. Moving their mouse, opening their cd-rom etc...

Then it got old.

posted on Sep, 16 2009 @ 10:06 AM
reply to post by sumgai

Someone is just doing a port scan on you. Takes a bit to explain in laymen terms though.

First you have to know what a server is. Most of the time when someone says server they mean big computer. For a port scan though they mean the actual software that's running on the big computer.

What the software does is it opens a port and listens for requests from other computers. When it gets one it sends those computers the data they request. That's it.

Why ports? Well if you're poor folk like me you might only have one actual physical server. However, you can still run multiple virtual servers on the same computer. You may run a web server and a email server on the same box or whatever servers you want.

Both would have the same IP address so you have to tell the server which port. Either the mail server or the web server. Most web servers run on port 80 so you don't usually have to type the port in when web browsing BTW. If you ever see something like :8080 in a url it means they're running on a diff port than usual. Typically because the normal one isn't currently working on their system for some reason.

So that's what a port is. They're not real. They don't actually exist. It's just a number you tag on to the request you send the server so it knows exactly which program you're trying to talk to because that comp may be running more than one virtual server.

There's two types of ports. TCP and UDP ports and they can be numbered from 0 to 65,535. Which type and which port are all used for different types of data and servers.

What the hacker is doing is sending requests to each one of your ports to see if any of them are open. If anything is listening on the other side they might be able to trick that software into doing something it's not supposed to. Like deleting all your files or something because there's a bug in the server code that the hacker knows about.

Okay so, here's the real deal though. You're on a desktop PC. Not a server. That means you're not running any servers (typically) because you don't have any data you want to serve to anybody. You're just connecting to other people's servers like ATS's or Googles.

So it's really really hard to break in through a port when nothing is listening. No matter what request they send it just gets dropped and disappears into the ether. So they can't hack you right?

So, here's what they do. They create viruses like this Back Orifice thing. What it does is opens up a port and starts listening for the commands from the hacker and does whatever the hacker tells it to.

That way, once you're infected the hacker can dial into your system and take control anytime he wants because he's got something there listening for his instructions now.

What your firewall is telling you is that you're not infected by the virus and the port isn't open and is successfully being blocked, but somebody is trying to look and see if it's running on your system.

Probably what's going on is some hacker is just plain bored and has written an automated script that goes around the net probing the net for random IP addresses that are infected with this Back Orifice thing and if it finds one, it'll take control of that computer somehow. What your firewall is telling you though is that you're protected from the jerk and it has given him the boot.

EDIT: Oh and if you wanna put another firewall wall or nat like the one built into most routers in between you and the wall you can block them there before they get to your comp, but if you're wireless you're just gonna get weird stuff coming at you sometimes cause hackers are retarded and bored.

EDIT AGAIN: Oh I guess Back Orifice actually does have some real legitimate uses for when you need to control a computer that you're far away from but the hacker probably doesn't want to do anything legitimate with it.

[edit on 16-9-2009 by tinfoilman]


log in