AHHHHH CRAP PORT 31337 IS ACTIVE when i netstat...
Results 1 to 7 of 7

Thread: AHHHHH CRAP PORT 31337 IS ACTIVE when i netstat...

  1. #1
    Member
    Join Date
    Mar 2003
    Posts
    30

    Angry AHHHHH CRAP PORT 31337 IS ACTIVE when i netstat...

    hello all,

    I just ran good old net stat and noticed that port 31337 is active (i think) with the wild card *:*
    in its for. address slot. I have read on this forum that port 31337 or 1337 (im not sure, which) is a pretty good sign that you have someone else playing with your machine...

    I also have port 3013 connect to some type of hotmail/ messanger. I assume this is just windows messanger, but can anyone give me a REAL answer to my questions here
    Free Speach is nothing but a giant noose. If you are dumb enough to stick your neck into it, then you had better be prepared for someone else to choke your mouth shut.

  2. #2
    Senior Member
    Join Date
    May 2002
    Posts
    450
    Sounds like good old BackOrifice or a derivative, a quick Google turned up this:

    Port 31337 Back Orifice

    Back Orifice (UDP)

    Back Orifice is a backdoor program that commonly runs at this port. Scans on this port are usually looking for Back Orifice.

    Back Orifice is a "backdoor" tool developed by the hacking group Cult of the Dead Cow and released in August 1998. Systems are infected in the normal Trojan Horse manner: a person downloads or is sent an executable from the Internet. Once the executable runs, it invisibly runs on the system, providing full access to outside hackers. Hackers regularly scan the Internet looking for people who have been compromised by this program.

    For the good oil have a look here: http://www.symantec.com/avcenter/backorifice.html

    Most anti-virus software detects BO these days.

    Here is another link to a site for detecting the presence of BO: http://www.nwinternet.com/~pchelp/bo/morefindBO.htm

    I did note that on another post you are running Back Officer - I am not very familiar with the product, could it be that its sitting there listening on Port 31337 waiting to do its stuff

  3. #3
    Banned
    Join Date
    Jan 2003
    Posts
    30
    Yeah and like Phat_Penguin said... your anti-virus should detect that. Im sure there are some other/better trojan removal out there but this was the first URL I caught and it was the first cleaner to come to mind... anyways here it is... http://www.moosoft.com/thecleaner/download.php

    Sorry its only a 30day trail but it beats nothing at all...
    Besides checking port you might also want to checkout some of the registries on your system and see if BO's is there.

  4. #4
    Senior Member
    Join Date
    May 2002
    Posts
    450
    Looks to me like it could be Back Officer, I found this on the web,

    "BackOfficer Friendly is a spoofing server application that runs on your Windows system, and actively notifies you whenever someone attempts to remotely control your system using Back Orifice. Basically, it pretends to be a Back Orifice server. BackOfficer Friendly gives the attacker false answers that look like they came from Back Orifice, while logging the attacker's IP address and the operations they attempted to perform.

    BackOfficer Friendly can interact with the hackers, pretending to be a Back Orifice server or server for other types of requests. Instead of silently discarding their commands, it sends them responses (sometimes humorous) that look somewhat like a real system. Of course, it also notifies you of the commands they tried."

    Try turning it off and run Netstat again and see what happens. If port 31337 disappears - there is you answer, it was Back Officer doing its stuff and you should be OK.

  5. #5
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    hmm...well...I have 31337 open on my system, but for a totaly different reason, I run some security Honeypots on my system....well.....fake servers any way...so if your AV is not kicking in, then I'm guessing it's some kind of fake server or security measure your running....only other explenation...any way...any hafl decent Firewall should deny any access to that port, and any transmissions from it by default...
    If this isn't the case, check out the formentioned links

    - Noia
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.

  6. #6
    Member
    Join Date
    Mar 2003
    Posts
    30
    MAJOR Kudos to phat_penguin,

    I killed back officer and the port closed down nicely.
    Thank you for helping me better understand BO penguin

    Cheers
    Free Speach is nothing but a giant noose. If you are dumb enough to stick your neck into it, then you had better be prepared for someone else to choke your mouth shut.

  7. #7
    Flash M0nkey
    Join Date
    Sep 2001
    Posts
    3,447
    31337 what an elite port
    /me waits for drum roll....................








    still waiting......................................










    ok where is it?????







    right ok dont appriciate my jokes

    /me wanders off muttering 'pah dont know humor when they see it'

    v_Ln

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •