NOBO
FAQ - Frequently Asked Questions
1. What is NOBO?
2. What is Back Orifice (or "BO")?
3. Where can I obtain NOBO?
4. How much does NOBO cost?
5. Can I copy NOBO to another computer? Can I distribute it?
6. Is the source code of NOBO available?
7. What's the secret behind NOBO? Why not make the sources available?
8. Does NOBO run on Windows NT?
9. NOBO complains that it could not find the port (or the like) and doesn't work. What's going on here?
10. To whom/how should I complain if someone uses the BO client against my machine?
11. So how do I get the system administrator of the network where the packet came from?
12. Someone sent me NOBO but it got stuck complaining it's corrupted. What on earth is going on here, man?
13. Does NOBO have a backdoor? When I run the netstat command from Windows, it says that the BO port (31,337) is open. Why?
14. What's the standard message?
15. I'm running NOBO. Am I protected?
16. I received a BO "packet". Was my machine invaded?
17. By opening the BO port (31,337), isn't NOBO making my machine more vulnerable?
18. Why not open all ports?
19. Why not allow NOBO to open more than one port at the same time?
20. Are there ports of NOBO to other operating systems?
21. Are there plans for a NOBO for NetBus (NONetBus?)?
22. I ran a program which claims to detect BO and it detected it on my machine. But I'm running NOBO! Is NOBO BO?
23. Why would I want NOBO to send fake PING replies?
24. How do I make NOBO run without an icon in the task bar?
25. Why does NOBO sometimes show me the correct name of the computer which is attacking me, but at other times show me things like "DEFAULT", "P166" or "SMITH"?
26. I was sweeping a network just to find people running the BO server. My intentions were good; when I found an infected machine I was going to warn the user and help him/her remove the server. However I received a message from you indicating NOBO, and the message said that you were going to report me to my Internet provider, that I was going to go to jail, and even said some crap about me. Why did you do that, you piece of s*?
27. I've sent you my log file generated by NOBO in the hope you were going to do something with that information and give me some feedback, but I haven't heard a word about it from you yet. Why?
28. Does NOBO go into action automatically when I log on to the Internet or do I need to run it manually?
29. How do I obtain the e-mail address associated with the IP NOBO gave me?

1. What is NOBO?

See http://web.cip.com.br/nobo/nobo_en.html.

2. What is Back Orifice (or "BO")?

See http://web.cip.com.br/nobo/bo_en.html.

3. Where can I obtain NOBO?

NOBO is available for download on its site, http://web.cip.com.br/nobo/.

4. How much does NOBO cost?

NOBO is free. It costs nothing.

5. Can I copy NOBO to another computer? Can I distribute it?

Yes.

6. Is the source code of NOBO available?

No.

7. What's the secret behind NOBO? Why not make the sources available?

There's no such secret. The source code of NOBO isn't available because it contains some routines that can't be made available. However, apart from the Windows programming (and I don't believe that anyone wants the source just to learn how to program on this OS, as there are zillions of Windows program sources available on the net), what remains is the code related to BO packet interception and decryption, which can be derived from the BO protocol specs.

8. Does NOBO run on Windows NT?

Although it wasn't tested on this platform, some users reported that it works after giving some error messages.

9. NOBO complains that it could not find the port (or the like) and doesn't work. What's going on here?

Probably there's already another server listening on the port that NOBO tried to bind to. And probably it's Back Orifice. Get a BO removal program and use it!

10. To whom/how should I complain if someone uses the BO client against my machine?

Normally there isn't much you can do. You can try to contact the system administrator of the network where the packet came from and tell him/her what happened.

11. So how do I get the system administrator of the network where the packet came from?

That isn't easy, although not impossible. The first hint can be given by NOBO itself; when it shows you the IP address, it tries to discover the name of the computer from which the packet came. If it succeeds, it shows you this name beside the address. With this name it may be possible to discover the author of the attack, or his/her network provider.

12. Someone sent me NOBO but it got stuck complaining it's corrupted. What on earth is going on here, man?

NOBO runs a check on its own executable before it starts running. If the executable is not in the state the program expects it to be, it will simply refuse to work. This check is meant to stop people from sending BO attached to NOBO. Notice that the corruption check is very silly and can easily be bypassed. If in doubt, grab a fresh NOBO from its original site, http://web.cip.com.br/nobo/.

13. Does NOBO have a backdoor? When I run the netstat command from Windows, it says that the BO port (31,337) is open. Why?

NOBO does not have a backdoor. When you run NOBO, it opens the BO port just to receive BO packets destined to your machine. That's why you're seeing the port open on netstat.

14. What's the standard message?

"The user at this address isn't running Back Orifice but NOBO, a BO detector. Unfortunately your IP address has been logged. You can find more information about NOBO at http://web.cip.com.br/nobo/".

15. I'm running NOBO. Am I protected?

No. NOBO isn't a protection against BO. Although it opens the BO port, so that BO won't be able to run, which creates a kind of "protection", this isn't a guarantee of protection. If in doubt, grab a BO detection/removal program and use it!

16. I received a BO "packet". Was my machine invaded?

No. But someone tried to invade it, he/she didn't succeed, and you were warned about it. That's NOBO in action.

17. By opening the BO port (31,337), isn't NOBO making my machine more vulnerable?

As said elsewhere in this FAQ, only one program can open the same port at a time. This means that with NOBO holding port 31,337 open you can even consider yourself more protected.

18. Why not open all ports?

This is possible but not viable. In addition to using a substantial amount of operating system resources, this would cause problems for other Windows network services.

19. Why not allow NOBO to open more than one port at the same time?

When NOBO was developed, BO was distributed using only one port (31,337). At this moment there isn't demand for NOBO to allow you to open more than one port, but as soon as this demand exists, NOBO will follow the market.

20. Are there ports of NOBO to other operating systems?

I have plans to do a Unix version. I believe that when I make the BO protocol specs available (which will be done soon), other people will feel encouraged to develop a NOBO-like thing in another language, for another OS. A Java version of NOBO would be very nice.

21. Are there plans for a NOBO for NetBus (NONetBus?)?

No plans. There's the possibility, though, but no plans.

I've heard about a program similar to NOBO, but which detects NetBus connections. I have not been able to test it yet, but some users told me it does work. The program is called NetBuster and can be obtained at http://surf.to/netbuster/.

22. I ran a program which claims to detect BO and it detected it on my machine. But I'm running NOBO! Is NOBO BO?

No... If your BO detection program works by sending BO packets to your own machine and expecting replies, and NOBO is configured to send replies, it's possible that your program thinks NOBO is BO.

If this is the case, disable NOBO temporarily while you run the BO detection program.

23. Why would I want NOBO to send fake PING replies?

This was the feature most requested by 1.1 users. I guess they wanted to make the BO client user think you're running the BO server, so you can see the next operation he/she would try.

24. How do I make NOBO run without an icon in the task bar?

Run it with a "/noicon" parameter (e.g. "NOBO.EXE /noicon").

25. Why does NOBO sometimes show me the correct name of the computer which is attacking me, but at other times show me things like "DEFAULT", "P166" or "SMITH"?

This is (in my opinion) a bug in Windows. NOBO knows the IP address of the machine the packet came from and, with this address in hand, it asks Windows to give back the computer name associated with it. As NOBO works on the "Internet family" (AF_INET, for the programmers), Windows should return the domain name as expected from a DNS query. However, Windows seems to do an "alternate name resolution" which tries to find the computer name used by the Microsoft Network (Lan Manager, Samba, NetBEUI, etc., whatever on earth MS calls it). When this kind of "alternate resolution" succeeds, Windows gives the "strange" name to NOBO.

By the way, I would like to put a question here to Windows programmers: if you know how to make the function gethostbyaddr(..., AF_INET) return what it's supposed to return (remember: AF_INET), please let me know!
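
The port-holding behaviour described in questions 9, 13 and 17, and the address-to-name lookup from questions 11 and 25, as an added example (this is not NOBO's code, whose source is not available). It assumes BO probes arrive as UDP datagrams on port 31,337; the function names are hypothetical, and the packet payload is only measured, not decrypted.

```python
import errno
import socket
from datetime import datetime, timezone

BO_PORT = 31337  # the BO port named in this FAQ; UDP is an assumption here


def open_listener(host="0.0.0.0", port=BO_PORT):
    """Bind the UDP port; return None if another program already holds it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # Windows only: refuse to share the port with sockets using SO_REUSEADDR.
    if hasattr(socket, "SO_EXCLUSIVEADDRUSE"):
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_EXCLUSIVEADDRUSE, 1)
    try:
        sock.bind((host, port))
    except OSError as exc:
        sock.close()
        if exc.errno == errno.EADDRINUSE:
            return None  # question 9: something else is listening here
        raise
    return sock


def reverse_name(ip):
    """Ask the system resolver for a name; None when it has none to give."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def record_probe(sock, resolve=reverse_name):
    """Receive one datagram and return a log entry describing its sender."""
    data, (ip, port) = sock.recvfrom(2048)
    return {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "src_ip": ip,
        "src_port": port,
        "src_name": resolve(ip),  # question 25: a hint, may not be a DNS name
        "length": len(data),      # payload is not parsed or decrypted
    }


if __name__ == "__main__":
    listener = open_listener()
    if listener is None:
        raise SystemExit("port %d is already bound by another program" % BO_PORT)
    while True:
        print(record_probe(listener))
```

The exclusivity shown here holds for sockets with default options; on Windows a socket that sets SO_REUSEADDR can share a port unless the listener requested SO_EXCLUSIVEADDRUSE, which is why the example sets it where the platform offers it.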

26. I was sweeping a network just to find people running the BO server. My intentions were good; when I found an infected machine I was going to warn the user and help him/her remove the server. However I received a message from you indicating NOBO, and the message said that you were going to report me to my Internet provider, that I was going to go to jail, and even said some crap about me. Why did you do that, you piece of s*?

Firstly, it was not me who sent that message. It was the NOBO user.

And since it seems you don't know NOBO, I'll explain to you what it does: the program allows the user to configure a message which will be sent back to the BO client when it tries to "invade" the machine in question. The user can set up the message any way he/she likes, be it a poem, an aggressive message, or even not so nice words. This means that I DO NOT HAVE ANYTHING TO DO WITH THAT MESSAGE! If you were told that your IP was logged, that your network provider was going to be notified, that you were going to be arrested, or if you saw some four-letter word, or a poem, etc., it was the user running NOBO who configured it to reply in this way.

Secondly, your intention may be good when you "enter" someone else's machine just to warn the user about the vulnerability but, in my opinion, the method isn't. When you invade someone else's property without permission, even with good intentions (if it's true that there can be good intentions in an invasion), you're committing a grave fault. At the least you can be charged with invasion of privacy. Beyond that you can be charged with theft.

An analogy for the use of BO with "good intentions" goes like this: you're walking down a street, see a half-open window, climb in through it, and tell the person inside he/she forgot to close the window.

Definitely this isn't nice.

If you really want to help people protect themselves against BO, write a program, build a web site with information about how to detect/remove the server, tell people about the danger of executing code (programs) that comes from the network, etc. Remember: only the bad guys enter through windows; good guys always knock on the front door. :-)

27. I've sent you my log file generated by NOBO in the hope you were going to do something with that information and give me some feedback, but I haven't heard a word about it from you yet. Why?

You should not send me your NOBO log file in the hope that I'll take any measures about it. If you want to notify the system administrator(s) of the network the "attack" came from, I'm willing to help you, but I can't (and shouldn't) start a complaint myself, because I didn't have anything to do directly with that "attack".

Please see the question about how to complain about "attacks", located elsewhere in this FAQ.

28. Does NOBO go into action automatically when I log on to the Internet or do I need to run it manually?

You'll need to run it manually. An alternative may be to create a shortcut to the NOBO executable on the "StartUp" group, which will make the program run automatically when you start Windows. If you prefer, use the "/noicon" parameter on the command line so that the NOBO icon will not show up on the task bar.

29. How do I obtain the e-mail address associated with the IP NOBO gave me?

This isn't possible. From the "intruder" IP address you can get at most the host name associated with that address, but even this may not be possible.


Copyright © 1998 Flávio Veloso. All rights reserved.
NOBO was created with the invaluable help of the Centro de Segurança do CentroIn Internet Provider (CentroIn Internet Provider Security Center).