How Can I Tell If My Computer Is Part of a Botnet?
ashraya writes "My father (not too computer literate) has a desktop and a laptop both running Windows in his network back in Hyderabad, India. I set up a Linksys router for him to use with his broadband service. For some reason, he reset the config on the Linksys, and connected it up without wireless security, and also with the default admin password for some time. As you would expect, both of the Windows computers got 'slow,' and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things, I noticed on the Linksys' log that the laptop was making seemingly random connections to high-numbered ports on various IPs. I did an nslookup on the IPs to see that they were all either in Canada or US, with Comcast and other ISP addresses. Is that a sign that the computers were in a botnet? Are the other hosts part of the botnet too? (I have since rebuilt the Windows hosts, and these connections are not happening now. I have also secured the Linksys.)"
Well the only fool proof way... (Score:5, Informative)
Well, the only foolproof way that I can envision is the following:
1) Plug your father's computer into a HUB (not a switch, unless it has a special port for this usage)
2) Plug the router into this HUB
3) Plug a Linux machine into the HUB and use tcpdump to examine traffic.
This is what security experts do.
Proof of Infection? Clean Reinstall (Score:5, Informative)
As you would expect, both of the Windows computers got 'slow', and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things ...
Quick question, how did you log into his desktop remotely if it "stopped connecting to the internet completely for some reason?"
If all you did was reset the hosts file, it will be back sometime. Somewhere, probably in multiple places on that hard drive, is an executable waiting to be run. It's probably infected some inane looking routine Windows system file that occasionally runs and when that happens your host file will magically change again.
I could recommend you do a netstat but what's the point? Any botnet today would know how to elude that or run as part of a system routine. If the bot is serious enough, your best bet might be to save the data and just do a routine re-install. You know, on my parents' WinXP machine, I do that every time I'm home for Christmas. Then I patch it as far as I can over their 56k modem.
Odds are high your dad's machine is still infected and I would also suspect your machine as being potentially compromised if you connected using Windows remote desktop. Call me overly cautious but I don't take chances with Windows.
You can run all the programs you want (BotHunter [bothunter.net], Symantec, AVG, AdAware, etc.) but in the end there's no guarantee, although BotHunter's probably your best bet.
The best thing to do is educate your dad. If he has a valid copy of Windows, spend time with him to show him how to go to IE and click Tools -> Update Windows then select all updates. Remind him periodically when you talk to him--especially if he does any banking or commerce online!
Re:Well the only fool proof way... (Score:1, Informative)
Or just use netstat
idiot lights (Score:2, Informative)
Look at the activity lights on whatever you have for networking equipment. If the activity lights go ape after the system comes up, and stay that way, back up what's safe and reload it.
Re:Well the only fool proof way... (Score:5, Informative)
netstat could be modified not to report the botnet connections if you are owned, hence the foolproof solution.
See what is going on with NETSTAT (Score:5, Informative)
Fire up a command prompt and type
netstat -a | find "LISTENING"
to find out what ports your system is listening to. Running the netstat command will give you all the traffic. Should give you a good idea as to what is happening. (Helps to close all of your 'normal' apps)
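Added example (not from the thread): reading `netstat -ano` output the way the post suggests, but letting a script do the comparison against a baseline. The sample output below is constructed to resemble Windows XP/Vista netstat output; the allowlist of expected listeners and the set of "ordinary" remote ports are assumptions that must be tuned for the machine in question. As the thread notes elsewhere, a compromised host can lie to netstat, so this only narrows down what to look at.

```python
"""Parse `netstat -ano` output and flag listeners and sessions that do not belong."""
from collections import Counter

# Constructed sample of `netstat -ano` (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.10:1083      203.0.113.7:6667       ESTABLISHED     3120
  TCP    192.168.1.10:1091      198.51.100.22:49152    ESTABLISHED     3120
  TCP    192.168.1.10:1102      192.0.2.40:80          ESTABLISHED     2204
  UDP    0.0.0.0:137            *:*                                    4
  UDP    192.168.1.10:1045      *:*                                    3120
"""

# Assumed baseline: listeners a stock Windows client shows with nothing else installed.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 139), ("TCP", 445),
                      ("UDP", 137), ("UDP", 138), ("UDP", 123)}
# Assumed set of remote ports that ordinary client traffic (web, mail, DNS) uses.
ORDINARY_REMOTE_PORTS = {80, 443, 25, 110, 143, 993, 995, 53, 21, 22}


def _split_addr(addr):
    """Split 'host:port' (or '*:*') into (host, port-or-None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0]
        lhost, lport = _split_addr(parts[1])
        fhost, fport = _split_addr(parts[2])
        rows.append({
            "proto": proto, "lhost": lhost, "lport": lport,
            "fhost": fhost, "fport": fport,
            "state": parts[3] if proto == "TCP" else "",  # UDP rows carry no state column
            "pid": int(parts[-1]),
        })
    return rows


def find_suspicious(rows, expected=EXPECTED_LISTENERS):
    """Flag listeners outside the baseline and established sessions to unusual remote ports."""
    findings = []
    for r in rows:
        listening = r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["fhost"] == "*")
        if listening:
            if (r["proto"], r["lport"]) not in expected:
                findings.append(("unexpected listener", r))
        elif r["state"] == "ESTABLISHED" and r["fport"] not in ORDINARY_REMOTE_PORTS:
            findings.append(("session to unusual remote port", r))
    return findings


def pids_to_investigate(findings):
    """PIDs ordered by how many findings point at them; feed these to `tasklist /svc`."""
    counts = Counter(f[1]["pid"] for f in findings)
    return [pid for pid, _ in counts.most_common()]


if __name__ == "__main__":
    found = find_suspicious(parse_netstat(SAMPLE_NETSTAT))
    for reason, r in found:
        print(f"{reason}: {r['proto']} {r['lhost']}:{r['lport']} -> "
              f"{r['fhost']}:{r['fport']} pid={r['pid']}")
    print("investigate PIDs:", pids_to_investigate(found))
```

Run it against real output with `netstat -ano > netstat.txt` and feed the file in; the PID list is what you then map to an image name and service with `tasklist /svc`. Any process that both listens on a port outside the baseline and holds sessions to high ports on strangers' machines is the one to look at first.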
If you suspect the router itself (Score:5, Informative)
If I had that kind of suspicion, and if it was the router itself I was suspicious about, I would simply get the latest stable firmware for that particular model (be careful) and simply reinstall it over the router itself. It would be something like "format and install Windows"; I wouldn't really back up any settings in that case. Just make sure you know the ISP login and password. Make sure they work and haven't been changed at any point, or you will end up speaking with Bangalore at 4 AM :)
A simple, fast port scanner exists at http://www.grc.com/ [grc.com] (Shields Up!) which really works; ignore Mr. Gibson's weirdly named inventions like "nano scan" etc. What I know is, it works. Oh, also ignore its port 139 or "you aren't stealth" paranoia. 139 is a client port and stealth would be good, but you won't really die if you have nothing served.
For clients, don't reinvent the wheel. NMAP is there, free, and can run under win32 if you need. http://nmap.org/download.html [nmap.org] Some instructions exist for detecting current security threats, but I didn't really check since it is all OS X here; we have different issues than win32.
Re:Well the only fool proof way... (Score:5, Informative)
The hard part nowadays (although maybe not a problem in India) is actually finding a HUB. It is very difficult to actually buy a hub anymore, and most "hubs" sold in the US anyway are actually low-end unmanaged switches, so you can't sniff traffic on them.
In answer to the question though (I'm sure redundant at this point) is: YES- they are probably part of at least one bot-net, and are probably infected with all sorts of other nastiness. The best thing to do is re-secure the wireless router, and the all-too-often-recommended reformat and re-install of Windows. I wouldn't even try to salvage the current installs at this point.
Re:Well the only fool proof way... (Score:5, Informative)
Or they use a "real" switch that has port mirroring, or a passive ethernet tap [sun.com].
Re:Well the only fool proof way... (Score:5, Informative)
You don't need a HUB at all. Linux bridging allows you to use two ports on a system 'as a HUB', while still providing you with the ability to tcpdump a port on the bridge. You just add both interfaces to your bridge and stick the linux bridge in between the real router and the infected machine. Only thing needed is a linux system with 2 physical ethernet ports.
Try using rubotted or dronebl (Score:2, Informative)
The rubotted tool does a pretty decent job of detecting most botted computers. Have your dad download it here:
http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted [trendsecure.com]
You could also look for his system on the dronebl:
http://dronebl.org/ [dronebl.org]
Good luck!
Re:Proof of Infection? Clean Reinstall (Score:5, Informative)
Get Autopatcher [autopatcher.com] and update it from a CD BEFORE you connect it to anything.
Re:See what is going on with NETSTAT (Score:3, Informative)
Considering GREP doesn't even exist in CMD and FIND does, I think the grandparent has it right and you're the one who is confused.
The command works fine, in Vista at least. Probably requires Admin privileges for full results.
Re:Well the only fool proof way... (Score:5, Informative)
It is nevertheless better to reserve a machine on your network for just this usage. Nothing installed on it but tcpdump and similar tools.
Or boot from a Linux Live CD.
Also, some switches support spanning ports, which will allow you to sniff the traffic on another port. Your typical home network dumb switch probably doesn't support this, but if you have temporary access to a higher end switch, it makes such tasks much easier. You can pick up older switches that support this fairly cheap on Ebay, although you probably won't want to spend the money for a one-time usage.
Three things to look for. (Score:5, Informative)
If you are seeing netbios over tcp (port 445) traffic and he is not uploading/downloading files via the "My Network Places" interface he is most likely infected with a trojan.
If you're seeing random high port to random high port traffic (ports 1024-65535 connecting to other ports 1024-65535) and he isn't doing P2P, then he most likely is infected and the infection is trying to set up the machine as part of a bot net and trying to infect others.
If you are seeing UDP traffic on a consistent port on his machine to random high ports (1024-65535) on the outside, his machine is an active server in a bot net.
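Added example (not from the thread): the three patterns in the post above, plus the original question's "random connections to high-numbered ports on various IPs", expressed as checks over a flow list such as a router log or a tcpdump summary would give you. The flows are constructed; the fan-out thresholds and the definition of "internal" address space (RFC 1918, loopback, link-local) are assumptions you would adjust for the network at hand.

```python
"""Apply the three botnet traffic patterns from the post to a list of flows."""
import ipaddress
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "proto src sport dst dport")

# Constructed sample: .10 behaves like a bot, .11 only browses the web.
SAMPLE_FLOWS = [
    Flow("TCP", "192.168.1.11", 1050, "192.0.2.40", 80),
    Flow("TCP", "192.168.1.11", 1051, "192.0.2.41", 443),
    Flow("TCP", "192.168.1.11", 1052, "192.168.1.1", 445),   # LAN file share: not flagged
    Flow("TCP", "192.168.1.10", 1083, "203.0.113.7", 445),   # SMB to the outside world
    Flow("TCP", "192.168.1.10", 1084, "203.0.113.8", 445),
] + [
    # high port -> high port fan-out to many distinct external hosts
    Flow("TCP", "192.168.1.10", 1100 + i, f"198.51.100.{i}", 49152 + i) for i in range(1, 8)
] + [
    # UDP from one fixed local port to random high ports on the outside
    Flow("UDP", "192.168.1.10", 1045, f"203.0.113.{20 + i}", 30000 + 997 * i) for i in range(6)
]

# Assumption: anything in these ranges is "inside"; everything else is the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    """True for addresses outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyse(flows, fanout_threshold=5, udp_threshold=5):
    """Return {source host: [finding, ...]} for hosts matching any of the three patterns."""
    smb_out = defaultdict(set)                          # src -> external SMB peers
    high_high = defaultdict(set)                        # src -> external peers, high->high TCP
    udp_fixed = defaultdict(lambda: defaultdict(set))   # src -> sport -> {(dst, dport)}
    for f in flows:
        if not is_external(f.dst):
            continue
        if f.proto == "TCP" and f.dport == 445:
            smb_out[f.src].add(f.dst)
        if f.proto == "TCP" and f.sport >= 1024 and f.dport >= 1024:
            high_high[f.src].add(f.dst)
        if f.proto == "UDP" and f.dport >= 1024:
            udp_fixed[f.src][f.sport].add((f.dst, f.dport))

    findings = defaultdict(list)
    for src, peers in smb_out.items():
        findings[src].append(f"SMB (445) to {len(peers)} external host(s)")
    for src, peers in high_high.items():
        if len(peers) >= fanout_threshold:
            findings[src].append(f"high->high TCP to {len(peers)} external hosts")
    for src, by_port in udp_fixed.items():
        for sport, targets in by_port.items():
            if len(targets) >= udp_threshold:
                findings[src].append(
                    f"UDP from fixed port {sport} to {len(targets)} external high ports")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in analyse(SAMPLE_FLOWS).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

The SMB check fires on a single external peer because there is no legitimate reason for a home PC to speak SMB to the internet; the other two need a count, since one or two high-port connections (a game, a VoIP call) are normal and only the fan-out to many distinct hosts is the tell.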
Re:Solaris does this automatically (Score:3, Informative)
It's true, by default Solaris has IP forwarding enabled between all interfaces.
You can turn it off, by using: ndd -set /dev/ip ip_forwarding 0
On most Linux systems, it's off by default, but you can enable it by doing echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
Or temporarily by doing sysctl -w net.ipv4.ip_forward=1
This is not really an advantage of Solaris that it's enabled by default, but a security risk.
My suggestion would be to instead use a cheap old x86 PC and install a firewall distro with integrated reporting and blocking functions such as Untangle on it.
Or I suppose you could spend a few weeks tinkering with the Solaris box. But its traffic filtering capabilities are fairly limited/sparse at best, if you do use Solaris for such a thing you may be better off blocking port 80+443 and using a tailored Squid proxy, than relying on Solaris' default IP forwarding to help you.
Squid gives you the flexibility to log URLs, and also, to block URLs, with addons like Squidguard.
Re:Proof of Infection? Clean Reinstall (Score:2, Informative)
If you are going to fart around that much, you might as well build a new install CD with SP3 slipstreamed in and the most recent hotfixes set to run on install:
http://www.nliteos.com/guide/part1.html [nliteos.com]
I have built such a CD from the I386 folder on my hard drive (my laptop came with a recovery partition, not a CD) and successfully installed it into a virtual machine.
Re:Securing Linux Box? (Score:3, Informative)
- I heard it's good to remove SUID from any binaries that have it set. Check Google for this; it's some long command that involves xargs.
- Check your /var/log/auth.log from time to time and make sure there aren't a bunch of failed login attempts.
- If you see a lot of activity in auth.log and other logfiles pointing to repeated attempts at breaking into your system, identify the method they're trying to get in through (usually ssh or ftp) and change the port. I usually use 2222 for ssh and 2121 for ftp; that stopped all the connection attempts I was getting and they're easy to remember.
Yeah, these are kind of basic and are not helpful in learning in-depth, but I'm kind of in the same boat. I've been using Debian since 2001 and these (plus the basics of course) are all I've needed to secure my systems from attempted intrusions (at least, the ones I KNOW about).
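Added example (not from the thread): the auth.log check from the post above, done by a script instead of by eye. The log excerpt is constructed in the Debian/OpenSSH format; the failure threshold is an assumption. Besides counting failures per source, it also flags the case that matters most and is easiest to miss when skimming: a source that failed many times and then got an "Accepted".

```python
"""Summarise failed and accepted SSH logins from auth.log lines."""
import re
from collections import defaultdict

# Constructed auth.log excerpt (not a real log).
SAMPLE_AUTH_LOG = """\
Mar  4 02:11:07 box sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  4 02:11:09 box sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  4 02:11:12 box sshd[4122]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  4 02:11:15 box sshd[4124]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  4 02:11:20 box sshd[4126]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
Mar  4 02:12:40 box sshd[4130]: Accepted password for alice from 203.0.113.5 port 51300 ssh2
Mar  4 08:30:02 box sshd[4310]: Failed password for bob from 192.168.1.20 port 40011 ssh2
Mar  4 08:30:09 box sshd[4310]: Accepted publickey for bob from 192.168.1.20 port 40011 ssh2
Mar  4 09:00:00 box CRON[4400]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text):
    """Return a dict per sshd login event; unrelated lines (cron, sudo, ...) are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]


def summarise(events, threshold=3):
    """Per source IP: failure count, accepted users, and successes that followed many failures."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": [], "users_tried": set()})
    success_after_failures = []
    for e in events:  # events are in log order, so "failed so far" is meaningful
        s = stats[e["ip"]]
        if e["result"] == "Failed":
            s["failed"] += 1
            s["users_tried"].add(e["user"])
        else:
            s["accepted"].append(e["user"])
            if s["failed"] >= threshold:
                success_after_failures.append((e["ip"], e["user"]))
    noisy_sources = sorted(ip for ip, s in stats.items() if s["failed"] >= threshold)
    return {
        "noisy_sources": noisy_sources,
        "success_after_failures": success_after_failures,
        "stats": dict(stats),
    }


if __name__ == "__main__":
    report = summarise(parse_auth_log(SAMPLE_AUTH_LOG))
    print("sources above threshold:", report["noisy_sources"])
    print("logins that followed a burst of failures:", report["success_after_failures"])
```

A burst of failures from one address is background noise on any internet-facing sshd; that same address then succeeding as a real user is the line that means "reset that password and look at what the account did next".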
Re:Assume it is .. (Score:5, Informative)
All great points, here are mine.
1.) We are an architecture office which runs AutoCAD; the problem is this requires Power User group membership in order to run. (Also, on Windows, even without admin privs, malicious software can infect.)
No, AutoCAD doesn't require Power User membership. What it requires is someone to spend a few minutes to adjust the system to allow it (and pretty much anything else) to run with User perms only. Do a Google search for Filemon and Regmon formerly from SysInternals and now Microsoft free software. Run them (using RunAs since these DO require admin rights) while your users have normal perms. Set them to only show you what ACAD.EXE does. When it craps out (and it will), search the logs for Access Denied. Manually add perms for Users Full Control to the folders and registry keys that it requires. This will take several passes as the program will run better and better each time. Write down what you have to permit, so next time you install on a new machine you'll know what you need.
Almost none of my hundreds of supported desktops allow users to have admin rights. The ones I'm not PERMITTED to spend the labour tend to get owned periodically. The non-admin systems don't. Really. Since Win2k's release I have yet to have even one system actually get infected. Light damage, yes. Infected, no.
What... you think admins running Citrix or Terminal Servers just throw their hands up in the air and accept some lazy-ass vendor's word that their software NEEDS admin rights?
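Added example (not from the thread): the "search the logs for Access Denied" step of the procedure above, scripted so each pass yields the list of folders and registry keys to permit rather than hundreds of individual lines. The records are constructed in the tab-separated layout Filemon and Regmon use when you save a log; the process name, paths and key names are placeholders, not a real AutoCAD permission list.

```python
"""Collapse Filemon/Regmon ACCESS DENIED records into the folders and keys to grant."""
import csv
import io
import ntpath

# Constructed records in the saved-log column layout (#, Time, Process, Request, Path, Result, Other).
_ROWS = [
    ("#", "Time", "Process", "Request", "Path", "Result", "Other"),
    ("1", "10:02:11", "acad.exe:1532", "OPEN", r"C:\Program Files\AutoCAD\acad.cfg", "ACCESS DENIED", "Access: Write"),
    ("2", "10:02:11", "acad.exe:1532", "WRITE", r"C:\Program Files\AutoCAD\acad.cfg", "ACCESS DENIED", ""),
    ("3", "10:02:12", "acad.exe:1532", "OPEN", r"C:\Program Files\AutoCAD\Support\acad.pgp", "ACCESS DENIED", "Access: Write"),
    ("4", "10:02:12", "acad.exe:1532", "OPEN", r"C:\WINDOWS\system32\kernel32.dll", "SUCCESS", "Access: Read"),
    ("5", "10:02:13", "explorer.exe:904", "OPEN", r"C:\Temp\scratch.tmp", "ACCESS DENIED", ""),
    ("6", "10:02:14", "acad.exe:1532", "SetValue", r"HKLM\SOFTWARE\Autodesk\AutoCAD\RXX\ACAD-XXXX\Recent Paths", "ACCESS DENIED", ""),
    ("7", "10:02:14", "acad.exe:1532", "CreateKey", r"HKLM\SOFTWARE\Autodesk\AutoCAD\RXX\ACAD-XXXX\Profiles", "ACCESS DENIED", ""),
    ("8", "10:02:15", "acad.exe:1532", "OpenKey", r"HKCU\Software\Autodesk\AutoCAD", "SUCCESS", ""),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in _ROWS) + "\n"

# Regmon requests whose Path is a value name, so the thing to permit is the containing key.
VALUE_REQUESTS = {"SETVALUE", "QUERYVALUE", "DELETEVALUE"}


def access_denied(log_text, process="ACAD.EXE"):
    """Yield (kind, path) for every ACCESS DENIED record that belongs to `process`."""
    reader = csv.DictReader(io.StringIO(log_text), delimiter="\t")
    for row in reader:
        proc = row["Process"].split(":")[0].upper()   # 'acad.exe:1532' -> 'ACAD.EXE'
        if proc != process.upper() or row["Result"] != "ACCESS DENIED":
            continue
        path = row["Path"]
        if path.upper().startswith("HK"):
            kind = "registry"
            if row["Request"].upper() in VALUE_REQUESTS:
                path = ntpath.dirname(path)          # value -> its key
        else:
            kind = "file"
            path = ntpath.dirname(path)              # file -> its folder
        yield kind, path


def grant_targets(log_text, process="ACAD.EXE"):
    """Unique folders and keys that need Users permissions, one pass of the procedure."""
    targets = {"file": set(), "registry": set()}
    for kind, path in access_denied(log_text, process):
        targets[kind].add(path)
    return {kind: sorted(paths) for kind, paths in targets.items()}


if __name__ == "__main__":
    for kind, paths in grant_targets(SAMPLE_LOG).items():
        print(kind)
        for p in paths:
            print("  ", p)
```

Working at folder and key level (rather than per file or value) is what makes the list short enough to write down for the next machine, and it matches how the permissions are actually applied in the Security tab. Records from other processes and SUCCESS records are dropped so a noisy desktop does not pad the list.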
The Shark (Score:4, Informative)
Download and install Wireshark from http://www.wireshark.org/ [wireshark.org]
Fire it up and watch everything on the NIC
Re:Some Answers to the questions asked here... (Score:1, Informative)
> 5. The bizarre situation in the Windows host before it was rebuilt was that if we did (I told the commands over the phone for my dad to execute) ping or traceroute to a destination like www.google.co.in, it would work. It would resolve the right IP. However, with any of the browsers, as soon as access to a site was attempted, we would get a message "Connection Reset" or the browser's equivalent. (Firefox, Chrome and IE tried). Has anyone seen that one before?
I faced a similar situation. I traced it to Norton products not uninstalling properly (the culprit here was Norton Internet Security) which screwed up the internet connectivity.
I ran the all-in-one Norton Removal Tool (http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039) and it got fixed.
Re:Well the only fool proof way... (Score:3, Informative)
Insightful? Really?
Ethernet using cat5 cabling was specifically designed such that the cheapest hubs would just be RJ45 jacks wired together passively. So one could make a "hub cable" in theory.
Citation please. Cat5 may be, all on its own, hijacked for phone purposes, maybe. I've been installing Ethernet and phones for 20 years, and from what I know of Ethernet over twisted pair, there is no electrical provision for this anywhere.
Interestingly another instructable linked to the one he showed, was about how to use 1 cat5 cable to every jack in the house to support both phone and Ethernet data.
This person was apparently unaware of the fact that a phone cord's 6P4C or 6P2C cable will happily fit into the wider 8P jack. (That is to say that phone cable will plug into Ethernet jacks by design).
Again, citation please. Every Ethernet jack I've ever used gets the 1-8 pins bent or broken when some fool does this. You can put a one inch round peg in a one inch square hole, but to say that they mate correctly is a bit misleading.
Further the Ethernet wiring standard deliberately has pins 3-6 (which correspond to pins 2-5 in a phone style jack, which are the 4 that are normally connected in a phone jack) connected identically to standard phone cord. Further Pins 4 and 5 are deliberately unused in 100Mbs Ethernet, which is the one pair necessary for a single phone line.
Thus if you have a house wired for Ethernet but not phone, adding support for phones to all the jacks is as simple as using Ethernet switches that connect pin 4 of all jacks together and pin 5 of all jacks together, and then plug a phone line into one of the jacks in the switch. (I would actually be surprised if there were not Ethernet switches specially designed for that).
One more time! Citation please. I don't recall T568A or T568B mentioning anything about cohabitation of analog phone and data in any one cable sheath. I'd hazard a guess that the reason you don't know about any Ethernet switches off the top of your head that merge analog phone and data is because there probably aren't any. Find just one, please, even just one made 20 years ago. Another SWAG about why you won't find any: 100V ring voltage would probably smoke most of the components intended for voltages lower than 5V. Just because you can do something doesn't mean that it was intended by the design engineers that created a product.
Re:Well the only fool proof way... (Score:3, Informative)
Um, the link is instructions. Not sales.