GSP
Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages
fakebo(1) UNIX Reference Manual fakebo(1)

fakebo - fake Back Orifice and NetBus trojan server

fakebo [ -dihbav ] [ -c config_file ]

This file documents version 0.4.2 of fakebo, the fake Back Orifice (BO) and NetBus server for Linux and other Unices.

Have you ever wanted to know who is trying to access your computer with Back Orifice or NetBus? This program fakes these trojan servers and logs every connection from their clients. Connections can be logged to a file, to stdout, to stderr or to syslog. fakebo can also send fake pings and replies back to the trojan client.

fakebo can emulate a BO server with three possible levels of realism:

RealFakeBO
If the option userealfakebo is turned on in the configuration file, fakebo will do its best to emulate a real BO server.
Custom replies
If the option usecustomreplies is turned on, fakebo will send to the client a different message for each type of incoming packet received. The messages sent in replies are specified by the user in separate files (see section CUSTOM REPLIES). If RealFakeBO is turned on, custom replies will not be used unless the built-in RealFake server fails to produce a reply.
Fixed reply
If both previous methods either fail or are configured out, fakebo will send to the client the message specified under bomessage in the configuration file, whatever the incoming packet may be.

You may want to auto start fakebo when you connect to the Net via PPP. To do that, just put "fakebo" in /etc/ppp/ip-up, and it will run fakebo when PPP is activated. Don't forget to put something like "killall fakebo" in /etc/ppp/ip-down...

-c config_file
Path to the configuration file. If this option is omitted, fakebo will search a file named fakebo.conf in the following directories: /etc, /usr/local/etc, $HOME and . (the current directory).
-v
Turn on verbose logging.
-d
Print to stderr the configuration parameters. This option is for debugging purposes.
-i
Log the BO packet numbers together with their description, otherwise only the description is logged. This option is for debugging purposes.
-b
Start fakebo as a daemon. When started with this option, fakebo closes all file descriptors, disassociates itself from the controlling terminal and puts itself in the background.
-a
Print an "about" message and exit.
-h
Print a short summary of options and exit.

The configuration file is a simple plain text file. Lines beginning with `#' and empty lines are treated as comments. Each command is a couple keyword value. Values can be either strings (enclosed in double quotes unless otherwise stated), integers or booleans. A boolean is an integer which can be 0 (zero) for turning the option off or 1 for turning it on.
user string
If fakebo is started by root, it will su to the user specified here after opening the log file. This is intended to avoid compromising the system, should the program have any security hole. If custom replies are used, the user owning the fakebo process must have read access to the files containing the replies.
boport integer
The UDP port to listen for BO connections. The default port is 31337, it is also the default port in BO itself. In fact, boport can also be the name of an UDP port (as defined in /etc/services) without quotes.
nbport integer
The UDP port to listen for NetBus connections.
startasdaemon boolean
Start fakebo as a daemon. This has the same effect as the -b option.
bofakever string
Fake BO version (not longer than 10 characters). it's used for sending BO version when sendfakereply is on. Now you can fool attacker that you have a computer infected with a newer version of BO... ;)
nbfakever string
Fake NetBus version (not longer than 10 characters). This is sent to the client in the greeting message.
bomessage string
Message which will be sent to BO client if both RealFakeBO or custom replies either fail or are configured out.
nbmessage string
Message which will be sent to NetBus client when accessed.
logfile string
File where all attempts are logged (full path). stdout stands for STandarD OUTput, stderr stands for STandarD ERRor.
user string
user who should own the process if started by root
logconnection boolean
If you want to log IP where it comes from and what type of packet is.
logreceivedpackets integer
There are 5 possible values (0, 1, 2, 3, 4) for logging received packets: 0: do not log, 1: log only command 2: log command & data fields (most common) 3: log command, data and header fields (for debugging purposes). 4: log packet hex dump, along with everything from above
logsendingpackets integer
There are 4 possible values (0, 1, 2, 3) for logging packets to send: 0: do not log, 1: log only command, 2: log command & data fields (most common), 3: log command, data and header fields (for debugging purposes). 4: log packet hex dump, along with everything from above
lognotbopackets boolean
If you want to log contents of non-BO packets.
sendfakereply boolean
If you want to send fake replies to pings from the client (it will display a message as if you had BO). Very useful to set when somebody sweeps your domain and you want him to believe that you have BO server installed.
machinename string
Used for fake ping replies for forming fake ping packet. This must be a single word.
logtimeanddate boolean
Log time and date of received packet.
silentmode boolean
Make it silent. If this option is set fakebo will not answer the message back to BO client. Note that pings will still be replied back to the client. Turn off sendfakereply if you want to make fakebo completely silent (very useful if you don't want that public knows that their activity is logged).
bufferedlogging boolean
This option is used for turning on or off buffered output to log file. fakebo runs a little faster if buffering is on. I recommend not to use buffering.
logtosyslog integer
May be: 0: do not log via syslog, 1: log via syslog, 2: log via syslog verbosely.
toexecutescript boolean
If you set this option, fakebo will execute the program which you specify under parameter executescript (see below) when it receives the BO packet. It is a sort of plug-in, so you can do everything you want with his IP. You can for example run whois, finger, traceroute or something else, but putting nuke, or land or some similar attack in the script is not very smart (then you're like the one attacking you!)
executescriptshell string
Path to the shell that will be used to expand command line parameters when running a custom script. The shell must accept the `-c' option.
executescript string
This parameter is only used when toexecutescript is set. In this case, fakebo will execute the command line you specify here. A `!' in the command line will be replaced by the IP of the attacker. If you want to insert a literal `!', you have to type `\!'. You can put here several commands separated by a `;', like in the shell. Likewise, a `%' will be replaced by the text `backorifice' or `netbus', depending upon which trojan originated the attack.
usecustomreplies boolean
With this you can specify for every BO command a different answer to the attacker. It's very useful if you want to make him believe he is doing everything right. Note: if option silentmode is on, this parameter is ignored. See the next section for details on custom replies.
customrepliespath string
For every client command you can specify a different answer to the attacker. You just have to make the text file for every command. The hexadecimal identification of the command is added to the path. If option usecustomreplies is off, this parameter doesn't have any effect. If the file for some command cannot be found, then a generic message is used (message parameter).
tocrackpackets boolean
Try to crack BO packets with password and log encryption key. It takes less than a second to crack the password on average Pentium. If you're low on CPU resources you should say no (0) here.
ignorehost string
If set to anything else than "NONE", fakebo will ignore connections from the specified host.
userealfakebo boolean
If set, fakebo will use its built-in RealFake(tm) BO server to properly emulate responses to the BO client, and hopefully REALLY confuse them... Don't worry, it may look real, but it is as harmless as a crax0r using a windoze box.

When option usecustomreplies is set in the configuration file and RealFakeBO either fails or is configured out, fakebo will send the contents of a file in reply to each command. The name of the file is obtained by appending the hexadecimal value of the command to the prefix specified in parameter customrepliespath. For example: let's say you set customrepliespath to "/etc/fakebo/reply." and you want to have a special answer when the attacker issues the command "get System Information" (hex value 04). Then you just have to write your message in /etc/fakebo/reply.04... and keep watching the confused attacker. ;-)

Don't forget to make these files readable by the user owning the fakebo process (user parameter in the configuration file).

The hex values associated with the commands are:

02
System Reboot
03
System Lock Up
04
List System Passwords
05
View Console
06
Get System Information
07
Log Pressed Keys
08
Send KeyPress Log
09
Show A Dialog Box
0A
Delete A Value from The Registry
0B
Create TCP redirection (proxy)
0C
Delete TCP redirection
0D
List TCP redirections
0E
Start Application
0F
End Application
10
Export a share resource
11
Cancel share export
12
Show Export List
13
Resend Packet
14
Enable HTTP Server
15
Disable HTTP Server
16
Resolve Host Name
17
Compress a File
18
Uncompress a File
19
Plug-in execute
1A
(unknown)
1B
(unknown)
1C
(unknown)
1D
(unknown)
1E
(unknown)
1F
(unknown)
20
Show active processes
21
Kill a process
22
Start a process
23
Create a key in the registry
24
Set the Value of a key in registry
25
Delete a key in registry
26
Enumerate registry keys
27
Enumerate registry values
28
Capture a static image
29
Capture a video stream
2A
Play a sound file
2B
Show Available Video capture devices
2C
Capture the screen to a file
2D
Start sending a file using TCP
2E
Start receiving a file using TCP
2F
List (running) plug-ins
30
Kill Plugin
31
List directory
32
(unknown)
33
(unknown)
34
Find a file
35
Delete a file
36
View file contents
37
Rename a file
38
Copy a file
39
List all network devices
3A
Connect to network resource
3B
End connection of a network resource
3C
Show NetWork Connections
3D
Create Directory (folder)
3E
Remove directory
3F
Show Running Applications

/usr/local/etc/fakebo.conf
Default configuration file.

The original author and current maintainer of fakebo is Vlatko Kosturjak - KoSt <kost@iname.com>, <http://surf.to/kost>

Code, ideas, spelling... were contributed by (in completely random order): Robert Avilov - DryLLaR <ravilov@barok.foi.hr>, Edgar Bonet Orozco <edgar@bonet.polycnrs-gre.fr>, Olaf Tuinder <olaf@warserver.warande.uu.nl>, Hans Jorgensen <borisj@get2net.dk>, Sinisa Lolic <vegi@usa.net>, Marcus Herbert - rhoenie <rhoenie@rhohost.chillout.org>, Jwit <jwit@sinnerz.com>, Folkert van Heusden <flok99@dds.nl> and Bjoern Bendix <bbendix@primusnetz.de>, Dezso E. Moldvai - MDE <mde@thepentagon.com>, Mike Kershaw <dragorn@melchior.nerv-un.net>, c.o.d @ WLU, Wolfram Kleff <wkleff@bigfoot.com>, Michiel Steltman <Michiel.Steltman@siennax.com>, Doug Schieferstine <doschie@global2000.net>, Javi Polo <javipolo@infomail.lacaixa.es>, Jochem Wichers Hoeth <wiho@chem.uva.nl>, Ian Kumlien <iank@smi.mas.lu.se>, Miodrag Vallat <miodrag@multimania.com>, Norman Meilick <alvin@gmx.de>, J. Padfield <olorin@netlink.com.au>, Marc Quinton <Marc.Quinton@stna.dgac.fr>, Dop Ganger <dop@fop.ns.ca>, Michael <nouse@gmx.de>, Ian Bishop <ibishop@globec.com.au>, Groovy Pants Gus <gus@SB7.YOONIX.NET>, Gerald Swann <gswann@pompano.pcola.gulf.net>, Eric Hedberg <hedberge@gridley.acns.CARLETON.edu>, Gregory T. Norris <haphazard@socket.net>, Robert Szarka <szarka@downcity.net>, Michel Arboi <arboi@bigfoot.com>, David Grant <dave@reach.net>, Scott Edwards <scott.edwards@iname.com>, Martin Kammerhofer <dada@sbox.tu-graz.ac.at>, Michel Kaempf <maxx@via.ecp.fr>, Chris Knipe <savage@savage.za.org>, Justin Wienckowski <jwiencko@vt.edu>, Daniel P. Stasinski <dannys@karemor.com>, Larry Reckner <larryr@Capital.NET>, Ivan Brozovic <ibrozovi@linux.hr>, Dobrica Pavlinusic <dpavlin@foi.hr> and others...

Copyright © 1999 Vlatko Kosturjak.

fakebo is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

fakebo is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the License for more details.

You should have received a copy of the GNU General Public License along with fakebo; see the file COPYING. If not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

The most recent released version of fakebo is always available from <http://cvs.linux.hr/fakebo/>
May 1999 Linux

Search for    or go to Top of page |  Section 1 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.