fakebo(1)                    UNIX Reference Manual                   fakebo(1)

       fakebo - fake Back Orifice and NetBus trojan server

       fakebo [ -dihbav ] [ -c config_file ]

       This file documents version 0.4.1 of fakebo, the fake Back Orifice (BO)
       and NetBus server for Linux and other Unices.

       Have you ever wanted to know who is trying to access your computer with
       Back Orifice or NetBus? This program fakes these trojan servers and
       logs every connection from their clients. Connections can be logged to
       a file, to stdout, to stderr or to syslog.  fakebo can also send fake
       pings and replies back to the trojan client.

       fakebo can emulate a BO server with three possible levels of realism:

              If the option userealfakebo is turned on in the configuration
              file, fakebo will do its best to emulate a real BO server.

       Custom replies
              If the option usecustomreplies is turned on, fakebo will send to
              the client a different message for each type of incoming packet
              received. The messages sent in replies are specified by the user
              in separate files (see section CUSTOM REPLIES).  If RealFakeBO
              is turned on, custom replies will not be used unless the built-
              in RealFake server fails to produce a reply.

       Fixed reply
              If both previous methods either fail or are configured out,
              fakebo will send to the client the message specified under
              bomessage in the configuration file, whatever the incoming
              packet may be.

       You may want to auto start fakebo when you connect to the Net via PPP.
       To do that, just put "fakebo" in /etc/ppp/ip-up, and it will run fakebo
       when PPP is activated. Don't forget to put something like "killall
       fakebo" in /etc/ppp/ip-down...

       -c config_file
              Path to the configuration file. If this option is omitted,
              fakebo will search a file named fakebo.conf in the following
              directories: /etc, /usr/local/etc, $HOME and .  (the current

       -v     Turn on verbose logging.

       -d     Print to stderr the configuration parameters. This option is for
              debugging purposes.

       -i     Log the BO packet numbers together with their description,
              otherwise only the description is logged. This option is for
              debugging purposes.

       -b     Start fakebo as a daemon. When started with this option, fakebo
              closes all file descriptors, disassociates itself from the
              controlling terminal and puts itself in the background.

       -a     Print an "about" message and exit.

       -h     Print a short summary of options and exit.

       The configuration file is a simple plain text file.  Lines beginning
       with `#' and empty lines are treated as comments. Each command is a
       couple keyword value.  Values can be either strings (enclosed in double
       quotes unless otherwise stated), integers or booleans. A boolean is an
       integer which can be 0 (zero) for turning the option off or 1 for
       turning it on.

       user string
              If fakebo is started by root, it will su to the user specified
              here after opening the log file. This is intended to avoid
              compromising the system, should the program have any security
              hole. If custom replies are used, the user owning the fakebo
              process must have read access to the files containing the

       boport integer
              The UDP port to listen for BO connections. The default port is
              31337, it is also the default port in BO itself. In fact, boport
              can also be the name of an UDP port (as defined in
              /etc/services) without quotes.

       nbport integer
              The UDP port to listen for NetBus connections.

       startasdaemon boolean
              Start fakebo as a daemon. This has the same effect as the -b

       bofakever string
              Fake BO version (not longer than 10 characters).  it's used for
              sending BO version when sendfakereply is on.  Now you can fool
              attacker that you have a computer infected with a newer version
              of BO... ;)

       nbfakever string
              Fake NetBus version (not longer than 10 characters). This is
              sent to the client in the greeting message.

       bomessage string
              Message which will be sent to BO client if both RealFakeBO or
              custom replies either fail or are configured out.

       nbmessage string
              Message which will be sent to NetBus client when accessed.

       logfile string
              File where all attempts are logged (full path). stdout stands
              for STandarD OUTput, stderr stands for STandarD ERRor.

       user string
              user who should own the process if started by root

       logconnection boolean
              If you want to log IP where it comes from and what type of
              packet is.

       logreceivedpackets integer
              There are 5 possible values (0, 1, 2, 3, 4) for logging received
              packets: 0: do not log, 1: log only command 2: log command &
              data fields (most common) 3: log command, data and header fields
              (for debugging purposes).  4 - log packet hex dump, along with
              everything from above

       logsendingpackets integer
              There are 4 possible values (0, 1, 2, 3) for logging packets to
              send: 0: do not log, 1: log only command, 2: log command & data
              fields (most common), 3: log command, data and header fields
              (for debugging purposes).

       lognotbopackets boolean
              If you want to log contents of non-BO packets.

       sendfakereply boolean
              If you want to send fake replies to pings from the client (it
              will display a message as if you had BO).  Very useful to set
              when somebody sweeps your domain and you want him to believe
              that you have BO server installed.

       machinename string
              Used for fake ping replies for forming fake ping packet. This
              must be a single word.

       logtimeanddate boolean
              Log time and date of received packet.

       silentmode boolean
              Make it silent.  If this option is set fakebo will not answer
              the message back to BO client.  Note that pings will still be
              replied back to the client. Turn off sendfakereply if you want
              to make fakebo completely silent (very useful if you don't want
              that public knows that their activity is logged).

       bufferedlogging boolean
              This option is used for turning on or off buffered output to log
              file.  fakebo runs a little faster if buffering is on. I
              recommend not to use buffering.

       logtosyslog integer
              May be: 0: do not log via syslog, 1: log via syslog, 2: log via
              syslog verbosely.

       toexecutescript boolean
              If you set this option, fakebo will execute the program which
              you specify under parameter executescript (see below) when it
              receives the BO packet.  It is a sort of plug-in, so you can do
              everything you want with his IP. You can for example run whois,
              finger, traceroute or something else, but putting nuke, or land
              or some similar attack in the script is not very smart (then
              you're like the one attacking you!)

       executescriptshell string
              Path to the shell that will be used to expand command line
              parameters when running a custom script. The shell must accept
              the `-c' option.

       executescript string
              This parameter is only used when toexecutescript is set.  In
              this case, fakebo will execute the command line you specify
              here. A `!' in the command line will be replaced by the IP of
              the attacker. If you want to insert a literal `!', you have to
              type `\!'. You can put here several commands separated by a `;',
              like in the shell.  Likewise, a `%' will be replaced by the text
              `backorifice' or `netbus', depending upon which trojan
              originated the attack.

       usecustomreplies boolean
              With this you can specify for every BO command a different
              answer to the attacker. It's very useful if you want to make him
              believe he is doing everything right.  Note: if option
              silentmode is on, this parameter is ignored.  See the next
              section for details on custom replies.

       customrepliespath string
              For every client command you can specify a different answer to
              the attacker.  You just have to make the text file for every
              command.  The hexadecimal identification of the command is added
              to the path.  If option usecustomreplies is off, this parameter
              doesn't have any effect.  If the file for some command cannot be
              found, then a generic message is used (message parameter).

       tocrackpackets boolean
              Try to crack BO packets with password and log encryption key. It
              takes less than a second to crack the password on average
              Pentium. If you're low on CPU resources you should say no (0)

       ignorehost string
              If set to anything else than "NONE", fakebo will ignore
              connections from the specified host.

       userealfakebo boolean
              If set, kakebo will use its built-in RealFake(tm) BO server to
              properly emulate responses to the BO client, and hopefully
              REALLY confuse them... Don't worry, it may look real, but it is
              as harmless as a crax0r using a windoze box.

       When option usecustomreplies is set in the configuration file and
       RealFakeBO either fails or is configured out, fakebo will send the
       contents of a file in reply to each command.  The name of the file is
       obtained by appending the hexadecimal value of the command to the
       prefix specified in parameter customrepliespath.  For example: let's
       say you set customrepliespath to "/etc/fakebo/reply." and you want to
       have a special answer when the attacker issues the command "get System
       Information" (hex value 04).  Then you just have to write your message
       in /etc/fakebo/reply.04...  and keep watching the confused attacker.

       Don't forget to make these files readable by the user owning the fakebo
       process (user parameter in the configuration file).

       The hex values associated with the commands are:

       02     System Reboot

       03     System Lock Up

       04     List System Passwords

       05     View Console

       06     Get System Information

       07     Log Pressed Keys

       08     Send KeyPress Log

       09     Show A Dialog Box

       0A     Delete A Value from The Registry

       0B     Create TCP redirection (proxy)

       0C     Delete TCP redirection

       0D     List TCP redirections

       0E     Start Application

       0F     End Application

       10     Export a share resource

       11     Cancel share export

       12     Show Export List

       13     Resend Packet

       14     Enable HTTP Server

       15     Disable HTTP Server

       16     Resolve Host Name

       17     Compress a File

       18     Uncompress a File

       19     Plug-in execute

       1A     (unknown)

       1B     (unknown)

       1C     (unknown)

       1D     (unknown)

       1E     (unknown)

       1F     (unknown)

       20     Show active processes

       21     Kill a process

       22     Start a process

       23     Create a key in the registry

       24     Set the Value of a key in registry

       25     Delete a key in registry

       26     Enumerate registry keys

       27     Enumerate registry values

       28     Capture a static image

       29     Capture a video stream

       2A     Play a sound file

       2B     Show Available Video capture devices

       2C     Capture the screen to a file

       2D     Start sending a file using TCP

       2E     Start receiving a file using TCP

       2F     List (running) plug-ins

       30     Kill Plugin

       31     List directory

       32     (unknown)

       33     (unknown)

       34     Find a file

       35     Delete a file

       36     View file contents

       37     Rename a file

       38     Copy a file

       39     List all network devices

       3A     Connect to network resource

       3B     End connection of a network resource

       3C     Show NetWork Connections

       3D     Create Directory (folder)

       3E     Remove directory

       3F     Show Running Applications

              Default configuration file.

       The original author and current maintainer of fakebo is Vlatko
       Kosturjak - KoSt <kost@iname.com>, <http://surf.to/kost>

       Code, ideas, spelling... were contributed by (in completely random
       order): Robert Avilov - DryLLaR <ravilov@barok.foi.hr>, Edgar Bonet
       Orozco <edgar@bonet.polycnrs-gre.fr>, Olaf Tuinder
       <olaf@warserver.warande.uu.nl>, Hans Jorgensen <borisj@get2net.dk>,
       Sinisa Lolic <vegi@usa.net>, Marcus Herbert - rhoenie
       <rhoenie@rhohost.chillout.org>, Jwit <jwit@sinnerz.com>, Folkert van
       Heusden <flok99@dds.nl> and Bjoern Bendix <bbendix@primusnetz.de>,
       Dezso E. Moldvai - MDE <mde@thepentagon.com>, Mike Kershaw
       <dragorn@melchior.nerv-un.net>, c.o.d @ WLU, Wolfram Kleff
       <wkleff@bigfoot.com>, Michiel Steltman <Michiel.Steltman@siennax.com>,
       Doug Schieferstine <doschie@global2000.net>, Javi Polo
       <javipolo@infomail.lacaixa.es>, Jochem Wichers Hoeth
       <wiho@chem.uva.nl>, Ian Kumlien <iank@smi.mas.lu.se>, Miodrag Vallat
       <miodrag@multimania.com>, Norman Meilick <alvin@gmx.de>, J. Padfield
       <olorin@netlink.com.au>, Marc Quinton <Marc.Quinton@stna.dgac.fr>, Dop
       Ganger <dop@fop.ns.ca>, Michael <nouse@gmx.de>, Ian Bishop
       <ibishop@globec.com.au>, Groovy Pants Gus <gus@SB7.YOONIX.NET>, Gerald
       Swann <gswann@pompano.pcola.gulf.net>, Eric Hedberg
       <hedberge@gridley.acns.CARLETON.edu>, Gregory T. Norris
       <haphazard@socket.net>, Robert Szarka <szarka@downcity.net>, Michel
       Arboi <arboi@bigfoot.com>, David Grant <dave@reach.net>, Scott Edwards
       <scott.edwards@iname.com>, Martin Kammerhofer <dada@sbox.tu-
       graz.ac.at>, Michel Kaempf <maxx@via.ecp.fr>, Chris Knipe
       <savage@savage.za.org>, Justin Wienckowski <jwiencko@vt.edu>, Daniel P.
       Stasinski <dannys@karemor.com>, Larry Reckner <larryr@Capital.NET>,
       Ivan Brozovic <ibrozovi@linux.hr>, Dobrica Pavlinusic <dpavlin@foi.hr>
       and others...

       Copyright © 1999 Vlatko Kosturjak.

       fakebo is free software; you can redistribute it and/or modify it under
       the terms of the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

       fakebo is distributed in the hope that it will be useful, but without
       any warranty; without even the implied warranty of merchantability or
       fitness for a particular purpose.  See the License for more details.

       You should have received a copy of the GNU General Public License along
       with fakebo; see the file COPYING.  If not, write to the Free Software
       Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307

       The most recent released version of fakebo is always available from

Linux                              May 1999                          fakebo(1)