How to Spot a Serious Attack
Let's start with a totally obvious bad news attack, as
shown in Figure 3. This shows two attempts to connect with a hoped-for Back
Orifice server on my computer. Back Orifice is a Windows break-in program
written by members of the Cult of the Dead Cow. According to spokesman
Grandmaster Rat, "Even an eight year old can use it to break into computers."
How do we know what kind of attack this is? With ZoneAlarm
you can always click on "More Info." This will take you to their web site,
which tells you more about the kind of attack. You can learn more from
Appendix 1. It has a list of ports used by back doors (which are programs like
Back Orifice that allow people to sneak into your computer), as well as other
common ports.
Geek note: "UDP port 31337" refers to the protocol and the
anticipated back door through which the attacker is trying to break in. UDP
stands for "User Datagram Protocol," one of the two main ways information is
transported over the Internet. "Port" refers to the fact that when a computer
connects to the Internet, there are a total of 65,536 ways for various server
and client programs to connect to each other. Each of these ways is known as a
port. For example, web servers, which run Internet web sites, normally require
that your web browser connect to them on port 80. If your computer has a Back
Orifice Trojan running on it, it will usually let someone break into your
computer by connecting to port 31337.
So, does Figure 3 mean that you have Back Orifice on your
computer and the bad guy has decided to drop in and have some fun? Probably
not. Chances are she's just searching at random for someone infected by that
Trojan. Even if you get probed several times by the same haxor, it doesn't
necessarily mean that individual specifically wants to get you. Most Back
Orifice hunters are just plain Peeping Toms. It doesn't matter whose life he
peeps into. For someone who has no life, anyone else's life is more
interesting.
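Putting the two points above together, the protocol/port pair tells you which back door a probe is hoping for, and counting how often one source comes back tells you whether it is more than a random sweep. The following is an added example, not code from the original text or from ZoneAlarm: it reads inbound-connection log lines in a constructed format (ZoneAlarm's own export format differs), flags lines aimed at known back-door ports, and counts probes per source. UDP 31337 (Back Orifice) is from the text; TCP 12345 (NetBus) is another widely documented default, and the fuller list is in Appendix 1.

```python
import re
from collections import Counter

# Protocol/port pairs that well-known Windows back doors listen on.
# Only UDP 31337 is taken from the text; TCP 12345 is NetBus's
# documented default. Appendix 1 of the original has the fuller list.
BACKDOOR_PORTS = {
    ("UDP", 31337): "Back Orifice",
    ("TCP", 12345): "NetBus",
}

# Constructed log format: "<date> <time> IN <proto> <src>:<port> -> <dst>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IN (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def find_backdoor_probes(lines):
    """Return (probes, repeats). probes lists (source, proto, port, name)
    for each line aimed at a known back-door port; repeats maps each
    source address to how many such probes it sent."""
    probes = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        name = BACKDOOR_PORTS.get((rec["proto"], rec["dport"]))
        if name:
            probes.append((rec["src"], rec["proto"], rec["dport"], name))
    repeats = Counter(src for src, _, _, _ in probes)
    return probes, repeats

# Constructed sample: two Back Orifice probes from one source, a NetBus
# probe from another, and an ordinary web connection that is ignored.
SAMPLE_LOG = """\
1999-03-12 21:14:05 IN UDP 192.0.2.44:1042 -> 10.0.0.7:31337
1999-03-12 21:14:09 IN UDP 192.0.2.44:1042 -> 10.0.0.7:31337
1999-03-12 21:20:31 IN TCP 198.51.100.9:4431 -> 10.0.0.7:12345
1999-03-12 21:21:00 IN TCP 198.51.100.9:4432 -> 10.0.0.7:80
"""

if __name__ == "__main__":
    probes, repeats = find_backdoor_probes(SAMPLE_LOG.splitlines())
    for src, proto, port, name in probes:
        print(f"{src} -> {proto} {port} ({name}), {repeats[src]} probe(s) from this source")
```

A source that shows up once is almost certainly a random sweep; one that keeps coming back is still not proof it wants you specifically, but it is the one worth keeping the log line for.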