DragonFly On-Line Manual Pages
fakebo(1) UNIX Reference Manual fakebo(1)
NAME
fakebo - fake Back Orifice and NetBus trojan server
SYNOPSIS
fakebo [ -dihbav ] [ -c config_file ]
DESCRIPTION
This file documents version 0.4.2 of fakebo, the fake Back Orifice (BO)
and NetBus server for Linux and other Unices.
Have you ever wanted to know who is trying to access your computer with
Back Orifice or NetBus? This program fakes these trojan servers and
logs every connection from their clients. Connections can be logged to
a file, to stdout, to stderr or to syslog. fakebo can also send fake
pings and replies back to the trojan client.
fakebo can emulate a BO server with three possible levels of realism:
RealFakeBO
If the option userealfakebo is turned on in the configuration
file, fakebo will do its best to emulate a real BO server.
Custom replies
If the option usecustomreplies is turned on, fakebo will send to
the client a different message for each type of incoming packet
received. The messages sent in replies are specified by the user
in separate files (see section CUSTOM REPLIES). If RealFakeBO
is turned on, custom replies will not be used unless the built-
in RealFake server fails to produce a reply.
Fixed reply
If both previous methods either fail or are configured out,
fakebo will send to the client the message specified under
bomessage in the configuration file, whatever the incoming
packet may be.
You may want to auto start fakebo when you connect to the Net via PPP.
To do that, just put "fakebo" in /etc/ppp/ip-up, and it will run fakebo
when PPP is activated. Don't forget to put something like "killall
fakebo" in /etc/ppp/ip-down...
OPTIONS
-c config_file
Path to the configuration file. If this option is omitted,
fakebo will search a file named fakebo.conf in the following
directories: /etc, /usr/local/etc, $HOME and . (the current
directory).
-v Turn on verbose logging.
-d Print to stderr the configuration parameters. This option is for
debugging purposes.
-i Log the BO packet numbers together with their description,
otherwise only the description is logged. This option is for
debugging purposes.
-b Start fakebo as a daemon. When started with this option, fakebo
closes all file descriptors, disassociates itself from the
controlling terminal and puts itself in the background.
-a Print an "about" message and exit.
-h Print a short summary of options and exit.
CONFIGURATION FILE
The configuration file is a simple plain text file. Lines beginning
with `#' and empty lines are treated as comments. Each command is a
couple keyword value. Values can be either strings (enclosed in double
quotes unless otherwise stated), integers or booleans. A boolean is an
integer which can be 0 (zero) for turning the option off or 1 for
turning it on.
user string
If fakebo is started by root, it will su to the user specified
here after opening the log file. This is intended to avoid
compromising the system, should the program have any security
hole. If custom replies are used, the user owning the fakebo
process must have read access to the files containing the
replies.
boport integer
The UDP port to listen for BO connections. The default port is
31337, it is also the default port in BO itself. In fact, boport
can also be the name of an UDP port (as defined in
/etc/services) without quotes.
nbport integer
The UDP port to listen for NetBus connections.
startasdaemon boolean
Start fakebo as a daemon. This has the same effect as the -b
option.
bofakever string
Fake BO version (not longer than 10 characters). it's used for
sending BO version when sendfakereply is on. Now you can fool
attacker that you have a computer infected with a newer version
of BO... ;)
nbfakever string
Fake NetBus version (not longer than 10 characters). This is
sent to the client in the greeting message.
bomessage string
Message which will be sent to BO client if both RealFakeBO or
custom replies either fail or are configured out.
nbmessage string
Message which will be sent to NetBus client when accessed.
logfile string
File where all attempts are logged (full path). stdout stands
for STandarD OUTput, stderr stands for STandarD ERRor.
user string
user who should own the process if started by root
logconnection boolean
If you want to log IP where it comes from and what type of
packet is.
logreceivedpackets integer
There are 5 possible values (0, 1, 2, 3, 4) for logging received
packets: 0: do not log, 1: log only command 2: log command &
data fields (most common) 3: log command, data and header fields
(for debugging purposes). 4: log packet hex dump, along with
everything from above
logsendingpackets integer
There are 4 possible values (0, 1, 2, 3) for logging packets to
send: 0: do not log, 1: log only command, 2: log command & data
fields (most common), 3: log command, data and header fields
(for debugging purposes). 4: log packet hex dump, along with
everything from above
lognotbopackets boolean
If you want to log contents of non-BO packets.
sendfakereply boolean
If you want to send fake replies to pings from the client (it
will display a message as if you had BO). Very useful to set
when somebody sweeps your domain and you want him to believe
that you have BO server installed.
machinename string
Used for fake ping replies for forming fake ping packet. This
must be a single word.
logtimeanddate boolean
Log time and date of received packet.
silentmode boolean
Make it silent. If this option is set fakebo will not answer
the message back to BO client. Note that pings will still be
replied back to the client. Turn off sendfakereply if you want
to make fakebo completely silent (very useful if you don't want
that public knows that their activity is logged).
bufferedlogging boolean
This option is used for turning on or off buffered output to log
file. fakebo runs a little faster if buffering is on. I
recommend not to use buffering.
logtosyslog integer
May be: 0: do not log via syslog, 1: log via syslog, 2: log via
syslog verbosely.
toexecutescript boolean
If you set this option, fakebo will execute the program which
you specify under parameter executescript (see below) when it
receives the BO packet. It is a sort of plug-in, so you can do
everything you want with his IP. You can for example run whois,
finger, traceroute or something else, but putting nuke, or land
or some similar attack in the script is not very smart (then
you're like the one attacking you!)
executescriptshell string
Path to the shell that will be used to expand command line
parameters when running a custom script. The shell must accept
the `-c' option.
executescript string
This parameter is only used when toexecutescript is set. In
this case, fakebo will execute the command line you specify
here. A `!' in the command line will be replaced by the IP of
the attacker. If you want to insert a literal `!', you have to
type `\!'. You can put here several commands separated by a `;',
like in the shell. Likewise, a `%' will be replaced by the text
`backorifice' or `netbus', depending upon which trojan
originated the attack.
usecustomreplies boolean
With this you can specify for every BO command a different
answer to the attacker. It's very useful if you want to make him
believe he is doing everything right. Note: if option
silentmode is on, this parameter is ignored. See the next
section for details on custom replies.
customrepliespath string
For every client command you can specify a different answer to
the attacker. You just have to make the text file for every
command. The hexadecimal identification of the command is added
to the path. If option usecustomreplies is off, this parameter
doesn't have any effect. If the file for some command cannot be
found, then a generic message is used (message parameter).
tocrackpackets boolean
Try to crack BO packets with password and log encryption key. It
takes less than a second to crack the password on average
Pentium. If you're low on CPU resources you should say no (0)
here.
ignorehost string
If set to anything else than "NONE", fakebo will ignore
connections from the specified host.
userealfakebo boolean
If set, fakebo will use its built-in RealFake(tm) BO server to
properly emulate responses to the BO client, and hopefully
REALLY confuse them... Don't worry, it may look real, but it is
as harmless as a crax0r using a windoze box.
CUSTOM REPLIES
When option usecustomreplies is set in the configuration file and
RealFakeBO either fails or is configured out, fakebo will send the
contents of a file in reply to each command. The name of the file is
obtained by appending the hexadecimal value of the command to the
prefix specified in parameter customrepliespath. For example: let's
say you set customrepliespath to "/etc/fakebo/reply." and you want to
have a special answer when the attacker issues the command "get System
Information" (hex value 04). Then you just have to write your message
in /etc/fakebo/reply.04... and keep watching the confused attacker.
;-)
Don't forget to make these files readable by the user owning the fakebo
process (user parameter in the configuration file).
The hex values associated with the commands are:
02 System Reboot
03 System Lock Up
04 List System Passwords
05 View Console
06 Get System Information
07 Log Pressed Keys
08 Send KeyPress Log
09 Show A Dialog Box
0A Delete A Value from The Registry
0B Create TCP redirection (proxy)
0C Delete TCP redirection
0D List TCP redirections
0E Start Application
0F End Application
10 Export a share resource
11 Cancel share export
12 Show Export List
13 Resend Packet
14 Enable HTTP Server
15 Disable HTTP Server
16 Resolve Host Name
17 Compress a File
18 Uncompress a File
19 Plug-in execute
1A (unknown)
1B (unknown)
1C (unknown)
1D (unknown)
1E (unknown)
1F (unknown)
20 Show active processes
21 Kill a process
22 Start a process
23 Create a key in the registry
24 Set the Value of a key in registry
25 Delete a key in registry
26 Enumerate registry keys
27 Enumerate registry values
28 Capture a static image
29 Capture a video stream
2A Play a sound file
2B Show Available Video capture devices
2C Capture the screen to a file
2D Start sending a file using TCP
2E Start receiving a file using TCP
2F List (running) plug-ins
30 Kill Plugin
31 List directory
32 (unknown)
33 (unknown)
34 Find a file
35 Delete a file
36 View file contents
37 Rename a file
38 Copy a file
39 List all network devices
3A Connect to network resource
3B End connection of a network resource
3C Show NetWork Connections
3D Create Directory (folder)
3E Remove directory
3F Show Running Applications
FILES
/usr/local/etc/fakebo.conf
Default configuration file.
AUTHORS
The original author and current maintainer of fakebo is Vlatko
Kosturjak - KoSt <kost@iname.com>, <http://surf.to/kost>
Code, ideas, spelling... were contributed by (in completely random
order): Robert Avilov - DryLLaR <ravilov@barok.foi.hr>, Edgar Bonet
Orozco <edgar@bonet.polycnrs-gre.fr>, Olaf Tuinder
<olaf@warserver.warande.uu.nl>, Hans Jorgensen <borisj@get2net.dk>,
Sinisa Lolic <vegi@usa.net>, Marcus Herbert - rhoenie
<rhoenie@rhohost.chillout.org>, Jwit <jwit@sinnerz.com>, Folkert van
Heusden <flok99@dds.nl> and Bjoern Bendix <bbendix@primusnetz.de>,
Dezso E. Moldvai - MDE <mde@thepentagon.com>, Mike Kershaw
<dragorn@melchior.nerv-un.net>, c.o.d @ WLU, Wolfram Kleff
<wkleff@bigfoot.com>, Michiel Steltman <Michiel.Steltman@siennax.com>,
Doug Schieferstine <doschie@global2000.net>, Javi Polo
<javipolo@infomail.lacaixa.es>, Jochem Wichers Hoeth
<wiho@chem.uva.nl>, Ian Kumlien <iank@smi.mas.lu.se>, Miodrag Vallat
<miodrag@multimania.com>, Norman Meilick <alvin@gmx.de>, J. Padfield
<olorin@netlink.com.au>, Marc Quinton <Marc.Quinton@stna.dgac.fr>, Dop
Ganger <dop@fop.ns.ca>, Michael <nouse@gmx.de>, Ian Bishop
<ibishop@globec.com.au>, Groovy Pants Gus <gus@SB7.YOONIX.NET>, Gerald
Swann <gswann@pompano.pcola.gulf.net>, Eric Hedberg
<hedberge@gridley.acns.CARLETON.edu>, Gregory T. Norris
<haphazard@socket.net>, Robert Szarka <szarka@downcity.net>, Michel
Arboi <arboi@bigfoot.com>, David Grant <dave@reach.net>, Scott Edwards
<scott.edwards@iname.com>, Martin Kammerhofer <dada@sbox.tu-
graz.ac.at>, Michel Kaempf <maxx@via.ecp.fr>, Chris Knipe
<savage@savage.za.org>, Justin Wienckowski <jwiencko@vt.edu>, Daniel P.
Stasinski <dannys@karemor.com>, Larry Reckner <larryr@Capital.NET>,
Ivan Brozovic <ibrozovi@linux.hr>, Dobrica Pavlinusic <dpavlin@foi.hr>
and others...
COPYRIGHT
Copyright (C) 1999 Vlatko Kosturjak.
fakebo is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
fakebo is distributed in the hope that it will be useful, but without
any warranty; without even the implied warranty of merchantability or
fitness for a particular purpose. See the License for more details.
You should have received a copy of the GNU General Public License along
with fakebo; see the file COPYING. If not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
USA
AVAILABILITY
The most recent released version of fakebo is always available from
<http://cvs.linux.hr/fakebo/>
Linux May 1999 fakebo(1)