
How Can I Tell If My Computer Is Part of a Botnet?

timothy posted more than 5 years ago | from the check-if-you-are-running-windows dept.

Security 491

ashraya writes "My father (not too computer literate) has a desktop and a laptop both running Windows in his network back in Hyderabad, India. I set up a Linksys router for him to use with his broadband service. For some reason, he reset the config on the Linksys, and connected it up without wireless security, and also with the default admin password for some time. As you would expect, both of the Windows computers got 'slow,' and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things, I noticed on the Linksys' log that the laptop was making seemingly random connections to high-numbered ports on various IPs. I did an nslookup on the IPs to see that they were all either in Canada or US, with Comcast and other ISP addresses. Is that a sign that the computers were in a botnet? Are the other hosts part of the botnet too? (I have since rebuilt the Windows hosts, and these connections are not happening now. I have also secured the Linksys.)"


491 comments


Well the only fool proof way... (5, Informative)

ls671 (1122017) | more than 5 years ago | (#28978743)

Well the only fool proof way that I can envision is the following

1) Plug your father's computer into a HUB (not a switch, unless it has a special port for this usage)

2) Plug the router into this HUB

3) Plug a Linux machine into the HUB and use tcpdump to examine traffic.

This is what security experts do.

Re:Well the only fool proof way... (5, Informative)

jspenguin1 (883588) | more than 5 years ago | (#28978793)

You can also use a host with two interfaces and set up bridging or routing with NAT. If you are running custom firmware you can do this straight on the router itself.

Re:Well the only fool proof way... (4, Interesting)

ls671 (1122017) | more than 5 years ago | (#28978947)

Agreed, I do it from my Linux router which I assume is not owned.

It is nevertheless better to reserve a machine on your network for just this usage. Nothing installed on it but tcpdump and similar tools. You should even disconnect that machine from the network when not in use. Again, that's what security expert firms do.

The important point is to be confident that what you are looking at is not coming from something that is already owned. Many root kits modify netstat, tcpdump and the like... ;-)

Solaris does this automatically (4, Interesting)

JohnnyComeLately (725958) | more than 5 years ago | (#28979433)

I remember from my Sun Solaris 8 network or sys admin class that they said the system will automatically configure itself as a gateway between two network cards. When my son gets old enough to start surfing on his own, it's what I intend to do. I've got an old Solaris 8 machine on an Ultra 10. I can put it out in the garage (next to the cable modem) and have it be a physical hop between the cable modem and Dual Band WiFi router.

Re:Well the only fool proof way... (1, Informative)

Anonymous Coward | more than 5 years ago | (#28978797)

Or just use netstat

Re:Well the only fool proof way... (0)

Anonymous Coward | more than 5 years ago | (#28978827)

Rootkits can hide it.

Re:Well the only fool proof way... (5, Informative)

ls671 (1122017) | more than 5 years ago | (#28978847)

netstat could be modified not to report the botnet connections if you are owned, hence the fool proof solution.

Re:Well the only fool proof way... (5, Interesting)

Anonymous Coward | more than 5 years ago | (#28979249)

I agree with your theory, however in practice, a hacker clearly has several million low hanging fruits running unpatched xp with antivirus which expired 60 days after the computer was purchased in 2006.

The idea that a botnet is really going to worry about the fraction of the fraction of a percent that knows about netstat seems improbable, though obviously not impossible, which is why I agree with you in theory, but in practice netstat would probably answer his question when a hub and a linux box is inconvenient. If someone has an example of a virus masking its connections through netstat I would both eat crow and be interested to hear it.

Re:Well the only fool proof way... (5, Informative)

neowolf (173735) | more than 5 years ago | (#28978933)

The hard part nowadays (although maybe not a problem in India) is actually finding a HUB. It is very difficult to actually buy a hub anymore, and most "hubs" sold in the US anyway are actually low-end unmanaged switches, so you can't sniff traffic on them.

In answer to the question though (I'm sure redundant at this point) is: YES- they are probably part of at least one bot-net, and are probably infected with all sorts of other nastiness. The best thing to do is re-secure the wireless router, and the all-too-often-recommended reformat and re-install of Windows. I wouldn't even try to salvage the current installs at this point.

Re:Well the only fool proof way... (5, Informative)

sofar (317980) | more than 5 years ago | (#28979063)

You don't need a HUB at all. Linux bridging allows you to use two ports on a system 'as a HUB', while still providing you with the ability to tcpdump a port on the bridge. You just add both interfaces to your bridge and stick the linux bridge in between the real router and the infected machine. Only thing needed is a linux system with 2 physical ethernet ports.

Re:Well the only fool proof way... (0)

Anonymous Coward | more than 5 years ago | (#28979175)

You don't need 2 NICs. You can easily use only one with virtual ethernets. The inbound and outbound will be different interfaces but will use the same hardware.

Re:Well the only fool proof way... (2, Informative)

dotgain (630123) | more than 5 years ago | (#28979389)

Then you'll need a switch supporting 802.1q in order to allow a device with a single port to 'sit between' two other devices.

Re:Well the only fool proof way... (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28979187)

Actually you can do it with just one physical interface; it isn't too hard.

Re:Well the only fool proof way... (1)

ls671 (1122017) | more than 5 years ago | (#28979225)

Yeah, this works too, not as effective in order to snoop in without being detected, hmmm. I mean without disrupting normal business operation, but it would work for his father's computer.

Dedicated ports on switches are more standard for security audits. You just plug in a laptop with one network interface on it et voila.

Also, routing traffic through your Linux changes something to the network topology so you are actually interfering with the network compared to stealthily listening.

Re:Well the only fool proof way... (1)

sofar (317980) | more than 5 years ago | (#28979349)

if you're paranoid, sure. Don't use this method to 'snoop' data where you are not allowed.

For a sysadmin, this is a great way to isolate a machine without touching it. I doubt a botnet is smart enough to detect MAC address changes...

Re:Well the only fool proof way... (1)

ls671 (1122017) | more than 5 years ago | (#28979095)

Then you are stuck with buying a slightly more expensive switch with a special broadcast (HUB like) port designed for just this usage. Many have those. Most corporate switches have them in order to enable security audits or other network surveillance tools.

Force a failover (0)

Anonymous Coward | more than 5 years ago | (#28979111)

Most low-end switches will *become* hubs when you start shoving enough traffic through them that they can't queue it anymore. Fill up the ARP tables with crap really rapidly while transmitting, and they'll fail into dumb broadcast...

Re:Force a failover (1)

dotgain (630123) | more than 5 years ago | (#28979415)

Hardly a reliable or controlled test, relying on undefined behaviour of your 'switch'. In the process of confusing your ARP tables, you'll more likely prevent frames from reaching the correct destination: the router. You've either got a monitor port, or you haven't. You can't 'make' one by confusing the hell out of a cheap switch.

Re:Well the only fool proof way... (1)

RetroGeek (206522) | more than 5 years ago | (#28979119)

You can always use a splitter. It has one male and two female ends [shopping.com].

Can't find one? Then splice some Cat wire together [instructables.com]

Re:Well the only fool proof way... (1)

GravityStar (1209738) | more than 5 years ago | (#28979455)

This actually behaves as a multiplexer. You can transmit 2 ethernet signals on one ethernet wire, but you'll have to have another splitter at the other end of the ethernet wire.

Bottomline, this doesn't help as a replacement for a hub.

Re:Well the only fool proof way... (0)

Anonymous Coward | more than 5 years ago | (#28979233)

The hard part nowadays (although maybe not a problem in India) is actually finding a HUB. It is very difficult to actually buy a hub anymore, and most "hubs" sold in the US anyway are actually low-end unmanaged switches, so you can't sniff traffic on them.

But making a passive ethernet tap [winids.com] isn't that hard.

Re:Well the only fool proof way... (2, Interesting)

bpfinn (557273) | more than 5 years ago | (#28979367)

You could also get a network tap. I've had my eye on the Teeny Tap [netoptics.com] for a while.

Re:Well the only fool proof way... (5, Informative)

endikos (195750) | more than 5 years ago | (#28978951)

Or they use a "real" switch that has port mirroring, or a passive ethernet tap [sun.com].

Re:Well the only fool proof way... (1)

ls671 (1122017) | more than 5 years ago | (#28979305)

>> 1) Plug your father's computer into a HUB
>> ( not a switch, UNLESS it has a SPECIAL PORT for this usage)

> Or they use a "real" switch that has port mirroring, or a passive ethernet tap [sun.com].

Thanks ! ;-)))

Re:Well the only fool proof way... (5, Funny)

iamhigh (1252742) | more than 5 years ago | (#28978965)

Well the only fool proof way

If that sentence doesn't end with "from orbit" and have "nuke it" in there somewhere it just isn't true!

Re:Well the only fool proof way... (1)

Murpster (1274988) | more than 5 years ago | (#28979151)

Well the only fool proof way to make popcorn is to nuke it. To see if your computer is part of a botnet, just run the totally amazing software from FinallyFast.com. I've heard that iamhigh is Mario Dinis and there's proof of him fucking his sister Lucy in some photos taken by an ISS astronaut in orbit. Better?

Re:Well the only fool proof way... (0)

Anonymous Coward | more than 5 years ago | (#28979261)

Nope. He said "from orbit", not "in orbit."

Re:Well the only fool proof way... (1)

ls671 (1122017) | more than 5 years ago | (#28979375)

Did you read my sign ?

Re:Well the only fool proof way... (1, Informative)

Algorithmn (1601909) | more than 5 years ago | (#28978999)

I use Wireshark or custom monitoring tools and not TCPDump. http://video.google.com/videoplay?docid=4204600308807371535&hl=en [google.com] "Automated Web-based Malware Behavioral Analysis" from the OWASP AppSec conference circa 2008.

Re:Well the only fool proof way... (5, Funny)

Anonymous Coward | more than 5 years ago | (#28979181)

Did you know that both wireshark and tcpdump use libpcap? Wireshark has a pretty GUI, tcpdump is the command line version.

Perhaps it would help if I explained that in video format.

Captcha was "obvious", this is unnerving.

Re:Well the only fool proof way... (1)

Drakin020 (980931) | more than 5 years ago | (#28979035)

Heck why can't you just run Ethereal on the local PC and just monitor what comes and goes from the local interface?

Re:Well the only fool proof way... (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28979103)

No need for a hub, use ARP spoofing instead.

Re:Well the only fool proof way... (1)

Sam36 (1065410) | more than 5 years ago | (#28979239)

Using a hub? UGH. Just use ettercap. I use it all the time on public wifi's

Re:Well the only fool proof way... (1)

gad_zuki! (70830) | more than 5 years ago | (#28979253)

Or use a real switch with a port mirroring option. Or use wireshark installed locally. Regardless, this is remote support so he'll probably have to use some local options and the linksys log, netstat, etc. If he can manage a capture with wireshark then he's 99% of the way there.

Re:Well the only fool proof way... (0)

Anonymous Coward | more than 5 years ago | (#28979259)

I would suggest to instead install a packet capture program, such as Wireshark. Your father may have some software on his machine that may initiate communications on a legitimate basis (like software that updates itself, etc). Another tip would be to just simply click the network connection and see if the outbound traffic is incrementing at a high rate (which may be skewed if you are remoted into the machine at the time). Perhaps you could give him instructions while not remoted in, and see if there are any significant increases. While these methods aren't completely foolproof, I would think that it's a good start.

Another suggestion would be to run Malwarebytes, HijackThis, or Spybot Search & Destroy.

There are multiple ways of skinning this cat, and I'm quite sure that you will get many posts with even better ideas. I'm just trying to take a simplistic approach, versus getting a hub, sniffer, and a promiscuous nic up & running.

Re:Well the only fool proof way... (1)

krappie (172561) | more than 5 years ago | (#28979281)

Are we assuming that the packets will be obvious IRC packets or something? It would be suggestive of a botnet if lots of traffic was moving while the computer was idle, but that could always be background programs downloading updates or whatever. If a botnet used any sort of encryption, or even a binary protocol instead of ascii, it could be extremely difficult to tell it's a botnet by just looking at packets.

Re:Well the only fool proof way... (1)

dmeredith63 (1168051) | more than 5 years ago | (#28979361)

Actually "security experts" don't need a hub...just flood the switch with packets and the switch will downgrade itself to a hub...then in your filters remove the packets that you used to flood the switch....IMO -SuperDale

Re:Well the only fool proof way... (1)

adamchou (993073) | more than 5 years ago | (#28979369)

Why not just tcpdump from the father computer or use something like wireshark?

Re:Well the only fool proof way... (4, Funny)

taskiss (94652) | more than 5 years ago | (#28979387)

Is a father computer anything like a mother board?

Proof of Infection? Clean Reinstall (5, Informative)

eldavojohn (898314) | more than 5 years ago | (#28978755)

As you would expect, both of the Windows computers got 'slow', and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things ...

Quick question, how did you log into his desktop remotely if it "stopped connecting to the internet completely for some reason?"

If all you did was reset the hosts file, it will be back sometime. Somewhere, probably in multiple places on that hard drive, is an executable waiting to be run. It's probably infected some inane looking routine Windows system file that occasionally runs and when that happens your host file will magically change again.

I could recommend you do a netstat but what's the point? Any botnet today would know how to elude that or run as part of a system routine. If the bot is serious enough, your best bet might be to save the data and just do a routine re-install. You know on my parent's WinXP machine, I do that every time I'm home for Christmas. Then I patch it as far as I can over their 56k modem.

Odds are high your dad's machine is still infected and I would also suspect your machine as being potentially compromised if you connected using Windows remote desktop. Call me overly cautious but I don't take chances with Windows.

You can run all the programs you want (Bothunter [bothunter.net], Symantec, AVG, AdAware, etc.) but in the end there's no guarantee although BotHunter's probably your best bet.

The best thing to do is educate your dad. If he has a valid copy of Windows, spend time with him to show him how to go to IE and click Tools -> Update Windows then select all updates. Remind him periodically when you talk to him--especially if he does any banking or commerce online!

Re:Proof of Infection? Clean Reinstall (0)

Anonymous Coward | more than 5 years ago | (#28978925)

I think he's using the term "hosts" in a different fashion than you are thinking he is. "Hosts" as in servers rather than "hosts" as in a hosts file. I could be wrong, though.

Re:Proof of Infection? Clean Reinstall (0)

Anonymous Coward | more than 5 years ago | (#28979051)

I would also suspect your machine as being potentially compromised if you connected using Windows remote desktop

Citation needed.

Re:Proof of Infection? Clean Reinstall (2, Funny)

Anonymous Coward | more than 5 years ago | (#28979413)

For a suspicion? Good luck with that.

Re:Proof of Infection? Clean Reinstall (5, Informative)

RetroGeek (206522) | more than 5 years ago | (#28979157)

Then I patch it as far as I can over their 56k modem.

Get Autopatcher [autopatcher.com] and update it from a CD BEFORE you connect it to anything.

Re:Proof of Infection? Clean Reinstall (1)

anonymousNR (1254032) | more than 5 years ago | (#28979311)

spend time with him to show him how to go to IE and click Tools -> Update

Not to be a troll, I was from Hyderabad too.
There is a little chance that this XP is a "genuine" one to allow updates.

Re:Proof of Infection? Clean Reinstall (1)

Capt.DrumkenBum (1173011) | more than 5 years ago | (#28979327)

Let me add to your list of cleaning tools. http://www.malwarebytes.org/ [malwarebytes.org]
And please! For the love of Linux, remove Symantec products from your list.

Format and reinstall, it is the only way to be sure.

Botnet or not... (0, Troll)

ajcoon (964283) | more than 5 years ago | (#28978781)

They're likely FUBAR. Burn your dad a Windows CD...

Simple... (0, Troll)

Anonymous Coward | more than 5 years ago | (#28978795)

If your OS is OSX, linux, or some other variant of UNIX... you're not part of a botnet.
If your OS is Windows... you're hosed.

Your Computer Is Part Of A Botnet If (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#28978837)

you have Windows [microsoft.com].

Period.

Yours In Commerce,
K. Trout

Re:Your Computer Is Part Of A Botnet If (0)

Anonymous Coward | more than 5 years ago | (#28978859)

I LOLed

Re:Your Computer Is Part Of A Botnet If (-1, Troll)

Ethanol-fueled (1125189) | more than 5 years ago | (#28978959)

Thanks for the link.

I was appalled to see this [imageshack.us] prominently shown on the page you linked to. One of the adults (can you guess which one?) probably doesn't even know how to use a computer, and the other one obviously chooses her life partners like she chooses her operating systems.

idiot lights (1, Informative)

v1 (525388) | more than 5 years ago | (#28978843)

Look at the activity lights on whatever you have for networking equipment. If the activity lights go ape after the system comes up, and stay that way, back up what's safe and reload it.

Re:idiot lights (0)

Anonymous Coward | more than 5 years ago | (#28978967)

I like that you tell him to watch the "idiot lights", completely ignoring the fact that he's doing this remotely. Who's the idiot?

Re:idiot lights (0)

Anonymous Coward | more than 5 years ago | (#28979065)

my humor detection device is on the fritz today, so please tell me.. are you joking?

Assume it is .. (5, Interesting)

Brigadier (12956) | more than 5 years ago | (#28978849)

Overseeing a small office LAN, I've come to the conclusion that you will be infected whether you like it or not, regardless of how much you threaten users. I've resorted to using a drive image (Paragon) saved on a drive partition which saves the system in an uninfected state. As soon as a user goes 'uh ooh' or complains of slowness I restore the image (keep in mind data is stored on a server which is backed up and scanned, on which no apps are allowed to run). I also run a combination of CCleaner, Spybot S&D and Windows Defender.

In addition I check the network once a week for mail or ftp sockets ( evidence there is a bot net at work). So far this has been the easiest way to stay on top.

Re:Assume it is .. (4, Interesting)

realmolo (574068) | more than 5 years ago | (#28979027)

You're doing it wrong.

You need an IDS/IPS system like a Fortigate or ASA that scans all incoming/outgoing packets for viruses/spyware/whatever, and blocks them before they get to the computer (as well as performing standard firewall duties like NAT and traffic filtering). You need Websense Express (or something similar) to block access to malicious websites (and inappropriate websites, which are often malicious anyway). You need to take away the Local Administrator rights from every user on the network, and use Group Policy to a) lock down Internet Explorer, b) prevent them from installing any software and c) prevent them from making any system changes.

This is all easy to do. Why aren't you doing it? For a small office, it wouldn't even be expensive.

Re:Assume it is .. (4, Interesting)

Brigadier (12956) | more than 5 years ago | (#28979333)

All great points, here are mine.

1.) We are an architecture office which runs AutoCAD; problem is this requires Power User group membership in order to run. (Also, on Windows, even without admin privs malicious software can infect.)

2.) Unfortunately any expense is an expense, (economy doesn't help.) This is why you will note all my network software is freeware.

3.) My most malicious user is the owner of the company, who insists on having admin privs (he equates user authority to company hierarchy). So he constantly does stuff like installing GoToMyPC, and leaves his system up and logged in.

unfortunately I don't live in your well funded and taken seriously IT world.

Re:Assume it is .. (2, Insightful)

rsborg (111459) | more than 5 years ago | (#28979359)

This is all easy to do. Why aren't you doing it? For a small office, it wouldn't even be expensive.

Especially in a small business, your users will rebel if they can't install (or use) their software... which is quite reasonable given most people are still running Windows XP, and most XP software is not capable of being installed or sometimes even used without admin access... this is especially troublesome if that user happens to be the CEO/Owner.

You hardly ever have time/resources to "do it properly" in a small business, unless what you're "doing right" is a core competency of the business. The trick is to convince the guy who signs the checks that it is business/mission critical (often non-trivial).

Re:Assume it is .. (2, Interesting)

whoever57 (658626) | more than 5 years ago | (#28979045)

In addition I check the network once a week for mail or ftp sockets ( evidence there is a bot net at work). So far this has been the easiest way to stay on top.

I would also block outgoing port 25 and then ask the users what smtp servers they use and whitelist those.

Getting the users to run as a non-privileged user will make clean-up much easier. Set their normal login to be a low-privilege user (and add network configuration so they can configure wireless networks), then give them their own administrator login (another user with admin rights) and show them how to login as their normal username and use "run-as". That way they can do everything they would like with a much lower risk of an infection that can't be handled.

Re:Assume it is .. (2, Funny)

Anonymous Coward | more than 5 years ago | (#28979255)

and show them how to login as their normal username and use "run-as".

Awwww, how cute! He's trying to teach a user something!

Let's watch...

Re:Assume it is .. (1)

mlts (1038732) | more than 5 years ago | (#28979437)

Actually, you can just block outgoing port 25 and leave it at that. Most E-mail providers use 587 for E-mail submission, and 465 for SSL based E-mail submission.

The difference is that 25 is intended to talk from a server to another server. 587 is for a MUA like Outlook, Thunderbird, mail.app or mutt to send mail to their "local" mail server, and that server controls authentication, then sends it to other servers via port 25. By separating this functionality, admins can block port 25 completely except for their authorized (and hopefully hardened) E-mail server.

This isn't perfect, botnets can latch onto user Exchange settings and use the mail server under that user's name to send out spam, but most upstream mail servers have some sort of sanity checking to clamp down on a user after a threshold of mails sent out.

Re:Assume it is .. (2, Insightful)

gad_zuki! (70830) | more than 5 years ago | (#28979223)

You're doing it wrong. Set your users to be users, not administrators. Give them permissions to exactly what they need and whatever special permission the applications they run need. Sure, it takes time at first, but once you figure it out then you're good for the rest.

Or you can take the lazy man's approach and set them as power users, which is almost like an administrator, but selectively remove modify/write permission from c:\windows, c:\program files, and other critical areas. Less secure but a bazillion more times secure than just running as admin.

Re:Assume it is .. (0)

Anonymous Coward | more than 5 years ago | (#28979299)

You're doing it wrong. Set your users to be users, not administrators. Give them permissions to exactly what they need and whatever special permission the applications they run need. Sure, it takes time at first, but once you figure it out then you're good for the rest.

Or you can take the lazy man's approach and set them as power users, which is almost like an administrator, but selectively remove modify/write permission from c:\windows, c:\program files, and other critical areas. Less secure but a bazillion more times secure than just running as admin.

yeah.. because malware can do nothing wrong with user level-only permissions.. It doesn't really make much difference to modern malware. This Unix user level fetish is mostly applicable in multiuser system for the purpose of making it easier to wipe and reinstall _one_ infected user without taking down the whole system and other users.

Re:Assume it is .. (1)

mlts (1038732) | more than 5 years ago | (#28979335)

If the machines are being used as generic hosts without any data saved locally, I'd consider the use of a program like DeepFreeze. This way, even if a user has admin authority on a box, should it get infected, a reboot will scrape all that junk off and roll back to the original frozen configuration. Even better is if the user has no admin authority, because this prevents malware that infects the user's profile from touching LocalSystem level processes.

I have used utilities that preserve the system state in lab environments for years. And they do pay for themselves when you can just reboot a machine to wipe it of crap, as opposed to a complete manual reimaging.

Caveat: A utility like this is not intended for people's workstations they customize and have some responsibility for. Instead, it's for workstations that are mainly used as glorified terminals with no permanent persistent storage, or in environments where ensuring compliance is far more important than allowing users to keep persistent data on their local boxes.

P2P... (0)

Anonymous Coward | more than 5 years ago | (#28978865)

...or your dad is downloading stuff from a p2p network....

Check network connections (1)

Krneki (1192201) | more than 5 years ago | (#28978875)

Close all programs

c:\>netstat -b

See what is going on with NETSTAT (4, Informative)

(H)elix1 (231155) | more than 5 years ago | (#28978877)

Fire up a command prompt and type

netstat -a | find "LISTENING"

to find out what ports your system is listening to. Running the netstat command will give you all the traffic. Should give you a good idea as to what is happening. (Helps to close all of your 'normal' apps)

Doesn't work (1, Funny)

Anonymous Coward | more than 5 years ago | (#28979025)

Doesn't work in XP.

C> netstat -a | find "LISTENING" [ENTER]

Response: NETSTAT is not not recognized as an internal or external command,operable program or batch file.

Re:Doesn't work (1)

Nefarious Wheel (628136) | more than 5 years ago | (#28979235)

Doesn't work in XP.

C> netstat -a | find "LISTENING" [ENTER]

Response: NETSTAT is not not recognized as an internal or external command,operable program or batch file.

Curious - which version of XP? Just ran that on my work laptop and it works fine. I'm running XP Pro 2002 SP2.

XP Version (0)

Anonymous Coward | more than 5 years ago | (#28979319)

XP Home sp3

Guess it's Borked

Re:Doesn't work (2, Insightful)

Arthur Grumbine (1086397) | more than 5 years ago | (#28979391)

Doesn't work in my already-compromised computer running XP.

FTFY

Re:See what is going on with NETSTAT (-1, Troll)

melikamp (631205) | more than 5 years ago | (#28979251)

Who is modding this insightful? The parent has find and grep confused, as far as I can tell.

Re:See what is going on with NETSTAT (2, Informative)

Blakey Rat (99501) | more than 5 years ago | (#28979353)

Considering GREP doesn't even exist in CMD and FIND does, I think the grandparent has it right and you're the one who is confused.

The command works fine, in Vista at least. Probably requires Admin privileges for full results.

Re:See what is going on with NETSTAT (5, Funny)

mkramer (25004) | more than 5 years ago | (#28979357)

This is windows. find == grep. Well, find < grep.

Re:See what is going on with NETSTAT (0)

Anonymous Coward | more than 5 years ago | (#28979409)

Ah, the UNIX "command prompt", and the Windows "grep" command...

If you suspect the router itself (5, Informative)

Ilgaz (86384) | more than 5 years ago | (#28978903)

If I had that kind of suspicion and it was the router itself I was suspicious about, I would simply get the latest stable firmware for that particular model (be careful) and simply reinstall it over the router itself. It would be something like "format and install Windows". I wouldn't really back up any settings in that case. Just make sure you know the ISP login and pwd. Make sure they work, that they haven't been changed at any point, or you will end up speaking with Bangalore at 4 AM :)

A simple, fast port scanner exists at http://www.grc.com/ [grc.com] (Shields Up!) which really works; ignore Mr. Gibson's weirdly named inventions like "nano scan" etc. What I know is, it works. Oh, also ignore its port 139 or "you aren't stealth" paranoia. 139 is a client port and stealth would be good, but you won't really die if you have nothing served.

For clients, don't reinvent the wheel. NMAP is there, free and can run under win32 if you need. http://nmap.org/download.html [nmap.org], some instructions exist for detecting current security threats but I didn't really check since it is all OS X here, we have different issues than win32.

Re:If you suspect the router itself (1)

bjelkeman (107902) | more than 5 years ago | (#28979277)

Care to describe those "different issues"? Curious minds want to know.

Lojack for Laptops (1)

tag (22464) | more than 5 years ago | (#28978917)

It's just Computrace. [slashdot.org] Don't worry -- it will come back on its own.

No (4, Funny)

WindBourne (631190) | more than 5 years ago | (#28978919)

What it really means is that your dad is a part of an international crime ring and he really is a cracker, without your knowledge. He just felt that you did not have a clue so allowed you to play with his computer.

Check out what's running when the OS boots (1)

gr8dude (832945) | more than 5 years ago | (#28978961)

Boot into safe mode, then use a tool such as Autoruns by Sysinternals to see what's starting when Windows loads.

On an infected system you will see a number of drivers and shell extensions that are not a part of a standard Windows installation. Some of them may be things that were installed by the user, but most of them are malicious software.

Of course, getting rid of that stuff is an entirely different question.
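To show what "review what's starting when Windows loads" looks like once the Autoruns list is exported, here is an added Python example (not from the commenter or from Sysinternals) that reads a CSV in the shape of an Autoruns export and flags enabled entries that a reviewer would look at first: unsigned images, images run from user-writable directories, and system-binary lookalike names living outside system32. The sample rows are constructed, and the column names are an assumption for this example; check them against the header of a real export.

```python
import csv
import io

# Constructed sample shaped like an Autoruns CSV export. Column names are assumed
# for this example; confirm them against the header of a real export.
SAMPLE_AUTORUNS_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SynTPEnh,enabled,Logon,Synaptics TouchPad Enhancements,(Verified) Synaptics Incorporated,c:\program files\synaptics\syntp\syntpenh.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,svchost32,enabled,Logon,,(Not verified),c:\documents and settings\dad\local settings\temp\svchost32.exe
HKLM\SYSTEM\CurrentControlSet\Services,msdrv,enabled,Drivers,,(Not verified),c:\windows\system32\drivers\msdrv.sys
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe,enabled,Logon,CTF Loader,(Verified) Microsoft Windows,c:\windows\system32\ctfmon.exe
HKLM\SOFTWARE\Classes\*\ShellEx\ContextMenuHandlers,updater,enabled,Explorer,,(Not verified),c:\documents and settings\all users\application data\updater.dll
"""

# Directories a normal user can write to; legitimate autostart entries rarely live there.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\local settings\\", "\\application data\\",
                         "\\appdata\\", "\\users\\public\\")
# Names that mimic core Windows binaries; suspicious when found outside system32.
LOOKALIKE_NAMES = ("svchost", "csrss", "lsass", "winlogon", "explorer")


def review_autoruns(csv_text):
    """Return a list of findings for enabled autostart entries worth a closer look.
    Each finding carries the entry, where it is registered, its image path and
    the reasons it was flagged. An unsigned image is a reason to check, not
    proof of malware: plenty of legitimate vendor drivers are unsigned."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Enabled"].lower() != "enabled":
            continue
        path = row["Image Path"].lower()
        reasons = []
        if not row["Signer"].startswith("(Verified)"):
            reasons.append("not signed by a verified publisher")
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            reasons.append("runs from a user-writable directory")
        name = path.rsplit("\\", 1)[-1]
        if any(name.startswith(n) for n in LOOKALIKE_NAMES) and "\\windows\\system32\\" not in path:
            reasons.append("mimics a Windows system binary name outside system32")
        if reasons:
            findings.append({"entry": row["Entry"], "location": row["Entry Location"],
                             "category": row["Category"], "path": row["Image Path"],
                             "reasons": reasons})
    return findings


def flagged_entries(csv_text):
    """Convenience view: entry name -> list of reasons."""
    return {f["entry"]: f["reasons"] for f in review_autoruns(csv_text)}


if __name__ == "__main__":
    for f in review_autoruns(SAMPLE_AUTORUNS_CSV):
        print(f"{f['category']:8} {f['entry']:12} {f['path']}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

The output is a shortlist, not a verdict: compare each flagged image against a known-clean installation of the same Windows version before removing anything, which, as the comment says, is a separate problem.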

A Subject (0)

Anonymous Coward | more than 5 years ago | (#28978979)

Well you can join BOINC to donate your left over cpu cycles.
You can join a botnet to donate your left over bandwidth.

It's only nice.

R U a Redneck? Chances are you're in a botnet !! (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28979029)

R U a Redneck? Chances are you're in a botnet !!

How you can tell? (1, Flamebait)

gmuslera (3436) | more than 5 years ago | (#28979049)

On boot it say "Welcome to Microsoft Windows"

Re:How you can tell? (0)

Anonymous Coward | more than 5 years ago | (#28979275)

I recall running a search for viruses and other malware and guess what it came up with - potential security threat: Windows XP - itself. Although I had to agree, I was unable to remove it :)

simple (1)

ILuvRamen (1026668) | more than 5 years ago | (#28979059)

It's either going to be a running process with startup entries and visible exe or DLL or whatever files, and then it's simple to find, or it's going to be hiding itself somehow. In the second case, use Rootkit Revealer. It's free and basically 100% heuristic with no definitions file at all. It just looks for inconsistencies between the registry and file system or something like that. I don't think any rootkits can hide from that.

Try using rubotted or dronebl (2, Informative)

Anonymous Coward | more than 5 years ago | (#28979153)

The rubotted tool does a pretty decent job of detecting most botted computers. Have your dad download it here:

http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted [trendsecure.com]

You could also look for his system on the dronebl:

http://dronebl.org/ [dronebl.org]

Good luck!

You can tell if.. (3, Funny)

papasui (567265) | more than 5 years ago | (#28979195)

It makes remarks about wanting to try other operating software. It's unusually concerned about antivirus protection. Plug and Play only works with force-feedback devices. It makes unusually long "hand-shakes" with the email server. It accuses you of installing spyware. It asks you to run your network scans in promiscuous mode. It tells you that its mainframe never liked you.

Snort ? (1)

lbalbalba (526209) | more than 5 years ago | (#28979231)

A free lightweight network intrusion detection system for UNIX and Windows (http://www.snort.org/) should be able to detect any anomalous behavior.

Dont sweat it.... (1)

Phizzle (1109923) | more than 5 years ago | (#28979245)

Your Dad was just torrenting porn.

Reimage is the least waste of time. (0)

Anonymous Coward | more than 5 years ago | (#28979287)

In the time it took to scan the PC, check logs, and post this question, you could have restored your PC image and been off and running clean again.

You do make an image of your Windows PC, right? You wipe and reload the image regularly, right?

If you are going to use Windows, treat it like a needle or syringe. They make them cheap and disposable for a reason. Do not reuse. You can reimage in 30 minutes. Do this once a month or more often as needed.

Your monthly Windows Update after the reimage will probably take longer than the reimage.

Build a new image every 6 months or so, and after each service pack, obviously.

Re:Reimage is the least waste of time. (1)

$RANDOMLUSER (804576) | more than 5 years ago | (#28979397)

It is absolutely breathtaking to me that people think the above behavior is somehow "normal".

Skype? (1)

Peter Simpson (112887) | more than 5 years ago | (#28979313)

I have seen this happening with a computer running Skype. Is your dad running Skype? Tell him to kill the Skype process in the system tray & see if the problem goes away.

Dear Slashdot (1, Funny)

$RANDOMLUSER (804576) | more than 5 years ago | (#28979321)

While my father was cleaning his gun, he loaded it and emptied the clip into his foot. He then reloaded and pumped another four slugs into the same foot. So I was wondering, does anyone know where I can get a good deal on Band-Aids? Thanks.

Microsoft (0)

Anonymous Coward | more than 5 years ago | (#28979343)

Aren't all Windows machines part of botnet by default? Microsoft?

Default Settings (1, Insightful)

krygny (473134) | more than 5 years ago | (#28979365)

For some reason, he reset the config on the Linksys, and connected it up without wireless security, and also with the default admin password for some time.

He probably just stuck a pencil in the reset button. Maybe because he was having connection problems for some other reason and that "fixed" it and he was happy. Ignorance is bliss ... for a while.

wire shark (1)

systematical (1394991) | more than 5 years ago | (#28979385)

Would wireshark work to capture traffic going to the botnet? Isn't it IRC traffic so you could just sort by that traffic type?
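The IRC question above is a natural one, but command-and-control traffic need not sit on the standard IRC port, so filtering a capture by protocol or port alone can miss it. A more robust router-side check is the pattern the original poster already noticed in the Linksys log: one LAN host fanning out to many outside addresses on high-numbered ports, often at a regular interval. The following Python script is an added example (not from this thread) that scores a constructed, generic router log that way; real Linksys log lines differ by model and firmware, so the regular expression is an assumption to adapt, and the outside addresses are documentation ranges.

```python
import re
import statistics
from datetime import datetime

# Constructed sample in a generic "outbound connection" router-log shape. It is
# not a real Linksys log; adapt LINE_RE to the format your router actually writes.
SAMPLE_LOG = """\
2009-08-08 01:00:00 OUT src=192.168.1.100 dst=203.0.113.5 dport=80
2009-08-08 01:00:05 OUT src=192.168.1.101 dst=198.51.100.12 dport=48231
2009-08-08 01:00:40 OUT src=192.168.1.100 dst=203.0.113.6 dport=443
2009-08-08 01:01:05 OUT src=192.168.1.101 dst=198.51.100.77 dport=51902
2009-08-08 01:02:05 OUT src=192.168.1.101 dst=203.0.113.131 dport=6667
2009-08-08 01:03:05 OUT src=192.168.1.101 dst=198.51.100.3 dport=59114
2009-08-08 01:04:05 OUT src=192.168.1.101 dst=203.0.113.88 dport=47711
2009-08-08 01:05:05 OUT src=192.168.1.101 dst=198.51.100.201 dport=53302
2009-08-08 01:09:30 OUT src=192.168.1.100 dst=203.0.113.5 dport=80
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) OUT src=(\S+) dst=(\S+) dport=(\d+)$"
)


def parse_log(text):
    """Parse outbound-connection lines into dicts with timestamp, src, dst, dport."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, dport = m.groups()
        events.append({"t": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "src": src, "dst": dst, "dport": int(dport)})
    return events


def profile_hosts(events, min_peers=5, min_high_share=0.8, max_cv=0.25):
    """Per LAN host: how many distinct outside peers, what share of connections
    went to ports above 1024, and how regular the gaps between connections were
    (coefficient of variation of the intervals; near 0 means clockwork beaconing).
    Thresholds are illustrative and should be tuned to the network."""
    by_src = {}
    for e in events:
        by_src.setdefault(e["src"], []).append(e)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["t"])
        peers = {e["dst"] for e in evs}
        high_share = sum(e["dport"] > 1024 for e in evs) / len(evs)
        gaps = [(b["t"] - a["t"]).total_seconds() for a, b in zip(evs, evs[1:])]
        cv = None
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        reasons = []
        if len(peers) >= min_peers and high_share >= min_high_share:
            reasons.append("fans out to many outside hosts on high-numbered ports")
        if cv is not None and len(evs) >= 5 and cv <= max_cv:
            reasons.append("connects at a regular interval (beacon-like timing)")
        report[src] = {"connections": len(evs), "distinct_peers": len(peers),
                       "high_port_share": round(high_share, 2),
                       "interval_cv": None if cv is None else round(cv, 2),
                       "reasons": reasons}
    return report


def flagged_hosts(report):
    """LAN addresses with at least one reason, sorted for stable output."""
    return sorted(src for src, r in report.items() if r["reasons"])


if __name__ == "__main__":
    for src, r in profile_hosts(parse_log(SAMPLE_LOG)).items():
        print(src, r)
```

In the constructed sample the desktop (.100) browses two sites on 80 and 443 and is left alone, while the laptop (.101) hits six different outside hosts on high ports exactly once a minute and is flagged on both counts. The same per-host profile can be computed from a Wireshark capture's conversation list if the router log is too terse.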

Local Support (0)

Anonymous Coward | more than 5 years ago | (#28979407)

He is in the hub of all Computer tech support nowadays - why are you asking the rest of the world - get someone local to fix it.

Some Answers to the questions asked here... (5, Interesting)

ashraya (632661) | more than 5 years ago | (#28979419)

A good many replies here - so I will answer a few questions that have been asked.

1. For this time, I assumed the systems were owned, and they have now been rebuilt (Windows reinstalled).
2. The Linksys is re-secured, but I hadn't thought of that being owned, so I now have to do a firmware upgrade on that. Thanks for the suggestion.
3. Other suggestions are to confirm botnet or sniff traffic. I am in the UK, and I can only do so much remotely.
4. One of the questions was how I managed to remote into the Windows hosts. No, I managed to remote into the Linksys, not the Windows hosts.
5. The bizarre situation in the Windows host before it was rebuilt was that if we did (I told the commands over the phone for my dad to execute) ping or traceroute to a destination like www.google.co.in, it would work. It would resolve the right IP. However, with any of the browsers, as soon as access to a site was attempted, we would get a message "Connection Reset" or the browser's equivalent (Firefox, Chrome and IE tried). Has anyone seen that one before?
6. Another question asked was if the Windows in question was legit. Yes, I bought him an OEM XP the last time I was there and installed it.

Regards,
Ashraya

I do this for a living... (1)

C_Jax (1331301) | more than 5 years ago | (#28979479)

Running Wireshark on the computer that might be infected is useless. Really nasty malware has the ability to hide its traffic even from packet sniffers on the local host. I find the best bang for the buck is using a passive network tap and plugging a sniffer into that. Now, no need to go out and buy one as that will be expensive; you can build one ($18). http://www.instructables.com/id/Make_a_Passive_Network_Tap/ [instructables.com] If you want to one-up this, then get a PC and install a network-based Intrusion Detection System (IDS), google snort; it'll look for abnormal network traffic patterns, and you can even configure them to notify you if it does detect something. Also, take that Linksys router and install DD-WRT on it and configure the firewall to block everything except what you know to be okay. Note: you can disable the reset button in DD-WRT =)