Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Contact Us
Online Help
Domain Status
Man Pages

Virtual Servers

Topology Map

Server Agreement
Year 2038

USA Flag



Man Pages

Manual Reference Pages  -  FAKEBO (1)


fakebo - fake Back Orifice and NetBus trojan server




fakebo [ -dihbav ] [ -c config_file ]


This file documents version 0.4.2 of fakebo, the fake Back Orifice (BO) and NetBus server for Linux and other Unices.

Have you ever wanted to know who is trying to access your computer with Back Orifice or NetBus? This program fakes these trojan servers and logs every connection from their clients. Connections can be logged to a file, to stdout, to stderr or to syslog. fakebo can also send fake pings and replies back to the trojan client.

fakebo can emulate a BO server with three possible levels of realism:
RealFakeBO If the option userealfakebo is turned on in the configuration file, fakebo will do its best to emulate a real BO server.
Custom replies If the option usecustomreplies is turned on, fakebo will send to the client a different message for each type of incoming packet received. The messages sent in replies are specified by the user in separate files (see section CUSTOM REPLIES). If RealFakeBO is turned on, custom replies will not be used unless the built-in RealFake server fails to produce a reply.
Fixed reply If both previous methods either fail or are configured out, fakebo will send to the client the message specified under bomessage in the configuration file, whatever the incoming packet may be.

You may want to auto start fakebo when you connect to the Net via PPP. To do that, just put "fakebo" in /etc/ppp/ip-up, and it will run fakebo when PPP is activated. Don’t forget to put something like "killall fakebo" in /etc/ppp/ip-down...


-c config_file Path to the configuration file. If this option is omitted, fakebo will search a file named fakebo.conf in the following directories: /etc, /usr/local/etc, $HOME and . (the current directory).
-v Turn on verbose logging.
-d Print to stderr the configuration parameters. This option is for debugging purposes.
-i Log the BO packet numbers together with their description, otherwise only the description is logged. This option is for debugging purposes.
-b Start fakebo as a daemon. When started with this option, fakebo closes all file descriptors, disassociates itself from the controlling terminal and puts itself in the background.
-a Print an "about" message and exit.
-h Print a short summary of options and exit.


The configuration file is a simple plain text file. Lines beginning with ‘#’ and empty lines are treated as comments. Each command is a couple keyword value. Values can be either strings (enclosed in double quotes unless otherwise stated), integers or booleans. A boolean is an integer which can be 0 (zero) for turning the option off or 1 for turning it on.
user string If fakebo is started by root, it will su to the user specified here after opening the log file. This is intended to avoid compromising the system, should the program have any security hole. If custom replies are used, the user owning the fakebo process must have read access to the files containing the replies.
boport integer The UDP port to listen for BO connections. The default port is 31337, it is also the default port in BO itself. In fact, boport can also be the name of an UDP port (as defined in /etc/services) without quotes.
nbport integer The UDP port to listen for NetBus connections.
startasdaemon boolean Start fakebo as a daemon. This has the same effect as the -b option.
bofakever string Fake BO version (not longer than 10 characters). it’s used for sending BO version when sendfakereply is on. Now you can fool attacker that you have a computer infected with a newer version of BO... ;)
nbfakever string Fake NetBus version (not longer than 10 characters). This is sent to the client in the greeting message.
bomessage string Message which will be sent to BO client if both RealFakeBO or custom replies either fail or are configured out.
nbmessage string Message which will be sent to NetBus client when accessed.
logfile string File where all attempts are logged (full path). stdout stands for STandarD OUTput, stderr stands for STandarD ERRor.
user string user who should own the process if started by root
logconnection boolean If you want to log IP where it comes from and what type of packet is.
logreceivedpackets integer There are 5 possible values (0, 1, 2, 3, 4) for logging received packets: 0: do not log, 1: log only command 2: log command & data fields (most common) 3: log command, data and header fields (for debugging purposes). 4: log packet hex dump, along with everything from above
logsendingpackets integer There are 4 possible values (0, 1, 2, 3) for logging packets to send: 0: do not log, 1: log only command, 2: log command & data fields (most common), 3: log command, data and header fields (for debugging purposes). 4: log packet hex dump, along with everything from above
lognotbopackets boolean If you want to log contents of non-BO packets.
sendfakereply boolean If you want to send fake replies to pings from the client (it will display a message as if you had BO). Very useful to set when somebody sweeps your domain and you want him to believe that you have BO server installed.
machinename string Used for fake ping replies for forming fake ping packet. This must be a single word.
logtimeanddate boolean Log time and date of received packet.
silentmode boolean Make it silent. If this option is set fakebo will not answer the message back to BO client. Note that pings will still be replied back to the client. Turn off sendfakereply if you want to make fakebo completely silent (very useful if you don’t want that public knows that their activity is logged).
bufferedlogging boolean This option is used for turning on or off buffered output to log file. fakebo runs a little faster if buffering is on. I recommend not to use buffering.
logtosyslog integer May be: 0: do not log via syslog, 1: log via syslog, 2: log via syslog verbosely.
toexecutescript boolean If you set this option, fakebo will execute the program which you specify under parameter executescript (see below) when it receives the BO packet. It is a sort of plug-in, so you can do everything you want with his IP. You can for example run whois, finger, traceroute or something else, but putting nuke, or land or some similar attack in the script is not very smart (then you’re like the one attacking you!)
executescriptshell string Path to the shell that will be used to expand command line parameters when running a custom script. The shell must accept the ‘-c’ option.
executescript string This parameter is only used when toexecutescript is set. In this case, fakebo will execute the command line you specify here. A ‘!’ in the command line will be replaced by the IP of the attacker. If you want to insert a literal ‘!’, you have to type ‘\!’. You can put here several commands separated by a ‘;’, like in the shell. Likewise, a ‘%’ will be replaced by the text ‘backorifice’ or ‘netbus’, depending upon which trojan originated the attack.
usecustomreplies boolean With this you can specify for every BO command a different answer to the attacker. It’s very useful if you want to make him believe he is doing everything right. Note: if option silentmode is on, this parameter is ignored. See the next section for details on custom replies.
customrepliespath string For every client command you can specify a different answer to the attacker. You just have to make the text file for every command. The hexadecimal identification of the command is added to the path. If option usecustomreplies is off, this parameter doesn’t have any effect. If the file for some command cannot be found, then a generic message is used (message parameter).
tocrackpackets boolean Try to crack BO packets with password and log encryption key. It takes less than a second to crack the password on average Pentium. If you’re low on CPU resources you should say no (0) here.
ignorehost string If set to anything else than "NONE", fakebo will ignore connections from the specified host.
userealfakebo boolean If set, fakebo will use its built-in RealFake(tm) BO server to properly emulate responses to the BO client, and hopefully REALLY confuse them... Don’t worry, it may look real, but it is as harmless as a crax0r using a windoze box.


When option usecustomreplies is set in the configuration file and RealFakeBO either fails or is configured out, fakebo will send the contents of a file in reply to each command. The name of the file is obtained by appending the hexadecimal value of the command to the prefix specified in parameter customrepliespath. For example: let’s say you set customrepliespath to "/etc/fakebo/reply." and you want to have a special answer when the attacker issues the command "get System Information" (hex value 04). Then you just have to write your message in /etc/fakebo/reply.04... and keep watching the confused attacker. ;-)

Don’t forget to make these files readable by the user owning the fakebo process (user parameter in the configuration file).

The hex values associated with the commands are:

02 System Reboot
03 System Lock Up
04 List System Passwords
05 View Console
06 Get System Information
07 Log Pressed Keys
08 Send KeyPress Log
09 Show A Dialog Box
0A Delete A Value from The Registry
0B Create TCP redirection (proxy)
0C Delete TCP redirection
0D List TCP redirections
0E Start Application
0F End Application
10 Export a share resource
11 Cancel share export
12 Show Export List
13 Resend Packet
14 Enable HTTP Server
15 Disable HTTP Server
16 Resolve Host Name
17 Compress a File
18 Uncompress a File
19 Plug-in execute
1A (unknown)
1B (unknown)
1C (unknown)
1D (unknown)
1E (unknown)
1F (unknown)
20 Show active processes
21 Kill a process
22 Start a process
23 Create a key in the registry
24 Set the Value of a key in registry
25 Delete a key in registry
26 Enumerate registry keys
27 Enumerate registry values
28 Capture a static image
29 Capture a video stream
2A Play a sound file
2B Show Available Video capture devices
2C Capture the screen to a file
2D Start sending a file using TCP
2E Start receiving a file using TCP
2F List (running) plug-ins
30 Kill Plugin
31 List directory
32 (unknown)
33 (unknown)
34 Find a file
35 Delete a file
36 View file contents
37 Rename a file
38 Copy a file
39 List all network devices
3A Connect to network resource
3B End connection of a network resource
3C Show NetWork Connections
3D Create Directory (folder)
3E Remove directory
3F Show Running Applications


Default configuration file.


The original author and current maintainer of fakebo is Vlatko Kosturjak - KoSt <>, <>

Code, ideas, spelling... were contributed by (in completely random order): Robert Avilov - DryLLaR <>, Edgar Bonet Orozco <>, Olaf Tuinder <>, Hans Jorgensen <>, Sinisa Lolic <>, Marcus Herbert - rhoenie <>, Jwit <>, Folkert van Heusden <> and Bjoern Bendix <>, Dezso E. Moldvai - MDE <>, Mike Kershaw <>, c.o.d @ WLU, Wolfram Kleff <>, Michiel Steltman <>, Doug Schieferstine <>, Javi Polo <>, Jochem Wichers Hoeth <>, Ian Kumlien <>, Miodrag Vallat <>, Norman Meilick <>, J. Padfield <>, Marc Quinton <>, Dop Ganger <>, Michael <>, Ian Bishop <>, Groovy Pants Gus <gus@SB7.YOONIX.NET>, Gerald Swann <>, Eric Hedberg <>, Gregory T. Norris <>, Robert Szarka <>, Michel Arboi <>, David Grant <>, Scott Edwards <>, Martin Kammerhofer <>, Michel Kaempf <>, Chris Knipe <>, Justin Wienckowski <>, Daniel P. Stasinski <>, Larry Reckner <larryr@Capital.NET>, Ivan Brozovic <>, Dobrica Pavlinusic <> and others...


Copyright © 1999 Vlatko Kosturjak.

fakebo is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

fakebo is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the License for more details.

You should have received a copy of the GNU General Public License along with fakebo; see the file COPYING. If not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA


The most recent released version of fakebo is always available from <>
Search for    or go to Top of page |  Section 1 |  Main Index

Linux FAKEBO (1) May 1999

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.