How Can I Tell If My Computer Is Part of a Botnet? 491

ashraya writes "My father (not too computer literate) has a desktop and a laptop both running Windows in his network back in Hyderabad, India. I set up a Linksys router for him to use with his broadband service. For some reason, he reset the config on the Linksys, and connected it up without wireless security, and also with the default admin password for some time. As you would expect, both of the Windows computers got 'slow,' and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things, I noticed on the Linksys' log that the laptop was making seemingly random connections to high-numbered ports on various IPs. I did an nslookup on the IPs to see that they were all either in Canada or US, with Comcast and other ISP addresses. Is that a sign that the computers were in a botnet? Are the other hosts part of the botnet too? (I have since rebuilt the Windows hosts, and these connections are not happening now. I have also secured the Linksys.)"
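The pattern the submitter noticed in the router log (one LAN host opening connections to many unrelated remote IPs on high-numbered ports, while a browsing host mostly hits 80/443/53) can be checked mechanically. The script below is an added example, not code from the original post or from Linksys; the log line layout and the sample lines are constructed for the example, and the thresholds are assumptions to be tuned to the network being examined.

```python
"""Flag LAN hosts whose outbound connections look like bot peer/C2 traffic
rather than ordinary browsing, from a router's outbound connection log.

The log format below is an assumption made for this example (it is NOT the
real Linksys firmware log layout); adapt LINE_RE to whatever your router emits.
"""
import re
from collections import defaultdict

# Constructed sample log: timestamp, direction, LAN source, remote destination,
# destination port, protocol. Host .100 browses; host .101 fans out to many
# remote IPs on ephemeral ports, the pattern the submitter described.
SAMPLE_LOG = """\
2009-08-06 17:23:01 OUT src=192.168.1.100 dst=74.125.67.100 dport=80 proto=tcp
2009-08-06 17:23:02 OUT src=192.168.1.100 dst=74.125.67.100 dport=443 proto=tcp
2009-08-06 17:23:05 OUT src=192.168.1.101 dst=68.85.12.9 dport=41273 proto=tcp
2009-08-06 17:23:05 OUT src=192.168.1.101 dst=24.19.88.201 dport=50216 proto=tcp
2009-08-06 17:23:06 OUT src=192.168.1.101 dst=70.68.3.44 dport=27109 proto=tcp
2009-08-06 17:23:06 OUT src=192.168.1.101 dst=99.230.17.5 dport=61422 proto=tcp
2009-08-06 17:23:07 OUT src=192.168.1.101 dst=76.112.200.8 dport=38855 proto=tcp
2009-08-06 17:23:07 OUT src=192.168.1.101 dst=24.19.88.201 dport=50216 proto=tcp
2009-08-06 17:23:08 OUT src=192.168.1.100 dst=208.67.222.222 dport=53 proto=udp
2009-08-06 17:23:09 OUT src=192.168.1.101 dst=68.85.12.9 dport=80 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) OUT src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Services a home desktop legitimately talks to most of the time (assumed list).
WELL_KNOWN = {25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995}


def parse_log(text):
    """Yield one dict per well-formed outbound log line; silently skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def summarize(records):
    """Per LAN host: flow count, distinct remote IPs, distinct (remote IP, high port)
    pairs, and how many flows went to well-known service ports."""
    stats = defaultdict(lambda: {"flows": 0, "dests": set(),
                                 "high_port_pairs": set(), "well_known": 0})
    for r in records:
        s = stats[r["src"]]
        s["flows"] += 1
        s["dests"].add(r["dst"])
        if r["dport"] in WELL_KNOWN:
            s["well_known"] += 1
        elif r["dport"] >= 1024:
            s["high_port_pairs"].add((r["dst"], r["dport"]))
    return stats


def suspicious_hosts(stats, min_high_port_dests=4, max_well_known_ratio=0.5):
    """Flag a host that reaches many distinct remote IPs on ephemeral ports while
    well-known services are a minority of its traffic. Thresholds are constructed
    defaults; a file-sharing client or a game can look similar, so treat a hit as
    a reason to inspect the host, not as proof of compromise."""
    flagged = []
    for host, s in sorted(stats.items()):
        high_dests = {dst for dst, _ in s["high_port_pairs"]}
        ratio = s["well_known"] / s["flows"] if s["flows"] else 0.0
        if len(high_dests) >= min_high_port_dests and ratio <= max_well_known_ratio:
            flagged.append(host)
    return flagged


def analyze(text):
    """Convenience wrapper: log text in, list of suspicious LAN hosts out."""
    return suspicious_hosts(summarize(parse_log(text)))


if __name__ == "__main__":
    for host, s in summarize(parse_log(SAMPLE_LOG)).items():
        print(host, "flows=%d distinct_dests=%d high_port_dests=%d well_known=%d" % (
            s["flows"], len(s["dests"]),
            len({d for d, _ in s["high_port_pairs"]}), s["well_known"]))
    print("suspicious:", analyze(SAMPLE_LOG))
```

Run over a real export, the useful output is the per-host summary rather than the flag alone: a host that only ever touches a handful of well-known ports, then suddenly fans out to dozens of residential ISP addresses on random ports, is the thing worth pulling off the network and rebuilding, which is what the submitter ended up doing.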
  • by Anonymous Coward on Thursday August 06, 2009 @05:23PM (#28979103)

    No need for a hub, use ARP spoofing instead.

  • by Anonymous Coward on Thursday August 06, 2009 @05:31PM (#28979187)

    Actually you can do it with just one physical interface, isn't too hard.

  • by gad_zuki! ( 70830 ) on Thursday August 06, 2009 @05:34PM (#28979223)

    You're doing it wrong. Set your users to be users, not administrators. Give them permissions to exactly what they need and whatever special permission the applications they run need. Sure, it takes time at first, but once you figure it out then you're good for the rest.

    Or you can take the lazy man's approach and set them as power users, which is almost like an administrator, but selectively remove modify/write permission from c:\windows, c:\program files, and other critical areas. Less secure but a bazillion more times secure than just running as admin.

  • by rsborg ( 111459 ) on Thursday August 06, 2009 @05:45PM (#28979359) Homepage

    This is all easy to do. Why aren't you doing it? For a small office, it wouldn't even be expensive.

    Especially in a small business, your users will rebel if they can't install (or use) their software... which is quite reasonable given most people are still running Windows XP, and most XP software is not capable of being installed or sometimes even used without admin access... this is especially troublesome if that user happens to be the CEO/Owner.

    You hardly ever have time/resources to "do it properly" in a small business, unless what you're "doing right" is a core competency of the business. The trick is to convince the guy who signs the checks that it is business/mission critical (often non-trivial).

  • Default Settings (Score:2, Insightful)

    by krygny ( 473134 ) on Thursday August 06, 2009 @05:46PM (#28979365)

    For some reason, he reset the config on the Linksys, and connected it up without wireless security, and also with the default admin password for some time.

    He probably just stuck a pencil in the reset button. Maybe because he was having connection problems for some other reason and that "fixed" it and he was happy. Ignorance is bliss ... for a while.

  • Re:Doesn't work (Score:2, Insightful)

    by Arthur Grumbine ( 1086397 ) on Thursday August 06, 2009 @05:48PM (#28979391) Journal

    Doesn't work in my already-compromised computer running XP.

    FTFY

  • by iron-kurton ( 891451 ) on Thursday August 06, 2009 @06:08PM (#28979619)
    Just a quick question: how hard would it be to give your most malicious user an account named Administrator that was actually not an administrator? <bg>
  • by Zalbik ( 308903 ) on Thursday August 06, 2009 @06:21PM (#28979755)

    The parent has find and grep confused, as far as I can tell.

    You have Windows and Linux confused, as far as I can tell.

  • by Tacvek ( 948259 ) on Thursday August 06, 2009 @06:36PM (#28979917) Journal

    Ethernet using cat5 cabling was specifically designed such that the cheapest hubs would just be RJ45 jacks wired together passively. So one could make a "hub cable" in theory.

    Interestingly, another instructable linked to the one he showed was about how to use 1 cat5 cable to every jack in the house to support both phone and Ethernet data.

    This person was apparently unaware of the fact that a phone cord's 6P4C or 6P2C cable will happily fit into the wider 8P jack. (That is to say that phone cable will plug into Ethernet jacks by design).

    Further, the Ethernet wiring standard deliberately has pins 3-6 (which correspond to pins 2-5 in a phone style jack, which are the 4 that are normally connected in a phone jack) connected identically to standard phone cord. Further, pins 4 and 5 are deliberately unused in 100Mbps Ethernet, which is the one pair necessary for a single phone line.

    Thus if you have a house wired for Ethernet but not phone, adding support for phones to all the jacks is as simple as using Ethernet switches that connect pin 4 of all jacks together and pin 5 of all jacks together, and then plug a phone line into one of the jacks in the switch. (I would actually be surprised if there were not Ethernet switches specially designed for that).

  • by mcrbids ( 148650 ) on Thursday August 06, 2009 @06:52PM (#28980069) Journal

    You hardly ever have time/resources to "do it properly" in a small business, unless what you're "doing right" is a core competency of the business. The trick is to convince the guy who signs the checks that it is business/mission critical (often non-trivial).

    Sure you do! It's called OSX. Now, before you flame me into submission, understand that I'm writing this on my Fedora Core Linux laptop. I'm a command-line junkie extraordinaire, and don't feel comfortable until I have an xterm or three up on one or two virtual desktops while running dual-head.

    But there's a very real, very useful, and very definite benefit to running on OSX - there really is not just nearly as much of a problem with viruses, worms, trojans, and other crapware. Really really for real and yes, it's for real.

    Really.

    You can argue about marketshare or Unix core or whatever, but it's true - Macs *are* more reliable and *do* have much less of a problem with viruses and such. Who cares why? And if you really must run something windows like, you can get Parallels/VMWare or boot camp. (I recommend the former unless you are a gamer) Even better, if you go the VM route, you can easily save your Windows VM image to an external disk every week or so, and if/when it gets infected, just recover from a backup and be up and running again in minutes instead of days!

    I didn't appreciate OSX until I had to port our software over to it. It was painful at first, but in the process, I fell hard-core in love with OSX. Except for the dated Unix command line, it's everything that Fedora Core ever dreamed of.

  • On the other hand, (Score:3, Insightful)

    by reiisi ( 1211052 ) on Thursday August 06, 2009 @07:11PM (#28980309) Homepage

    If the bogus netstat (and other utilities) are already part of the rootkit the skript ciddey downloaded, it doesn't cost the skript ciddey any more effort, and is even less likely to be noticed than strange output in netstat.

  • by easyTree ( 1042254 ) on Thursday August 06, 2009 @07:11PM (#28980313)

    A horse is a horse, even if someone is paid to tell you so.

  • by bugg ( 65930 ) * on Thursday August 06, 2009 @07:18PM (#28980375) Homepage
    In practice, I'd run the sniffer on the machine if there was already one there. The absence of the sniffer revealing traffic does not mean there is no traffic, but if the sniffer shows traffic it's a safe bet it's real. Frankly I've yet to hear of any rootkits that would let the sniffer still work and not show the compromised traffic, I think it's more of an in-theory than in-practice. Because I mean, I suspect users who know how to operate sniffers are an edge case for botnet authors. If you've got the sniffer on the machine and can easily run it, why not? A fine alternative is setting up a span port (monitor port) on the switch. I work with managed switches all day, so I'm spoiled in this regard - I don't really think that's an option for the OP however, linksys switches tend to be pretty dumb.
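The two comments above (reiisi's point that a rootkit can ship a doctored netstat, and bugg's reply that a sniffer on a span port or a second machine still sees the real traffic) together describe one check: compare what the host admits to with what the wire shows. The script below is an added example, not code from either commenter; the netstat text follows the layout of Windows `netstat -an` but is constructed, and the "wire" flows stand in for what a sniffer, span port or router log would have recorded at the same moment.

```python
"""Cross-check the host's own view of its connections (netstat) against the
flows an out-of-band observer saw. A flow that is on the wire but absent from
netstat is either a transient the two snapshots missed or a connection the host
is hiding; the former goes away on a repeat capture, the latter does not."""
import re

# Constructed: text in the layout of Windows "netstat -an" (Proto, Local, Foreign, State).
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.101:49152    74.125.67.100:80       ESTABLISHED
  TCP    192.168.1.101:49160    68.85.12.9:41273       ESTABLISHED
  UDP    192.168.1.101:137      *:*
"""

# Constructed: flows recorded off the wire for the same host in the same window,
# as (proto, local_ip, local_port, remote_ip, remote_port). Two of them are not
# in the netstat output above.
WIRE_FLOWS = {
    ("TCP", "192.168.1.101", 49152, "74.125.67.100", 80),
    ("TCP", "192.168.1.101", 49160, "68.85.12.9", 41273),
    ("TCP", "192.168.1.101", 49161, "24.19.88.201", 50216),
    ("TCP", "192.168.1.101", 49163, "70.68.3.44", 27109),
}

NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\w+))?\s*$"
)


def parse_netstat(text):
    """Return the set of established TCP flows the host reports, as 5-tuples
    matching WIRE_FLOWS. Listening sockets and UDP entries are skipped because
    the wire side cannot pair them with a remote endpoint the same way."""
    flows = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        if proto == "TCP" and state == "ESTABLISHED":
            flows.add((proto, lip, int(lport), rip, int(rport)))
    return flows


def hidden_flows(netstat_text, wire_flows):
    """Flows seen on the wire that the host does not report, sorted for stable output.
    Repeat the capture before drawing conclusions: a connection that shows up in
    every snapshot on the wire and never in netstat is the rootkit signature."""
    return sorted(wire_flows - parse_netstat(netstat_text))


def unseen_on_wire(netstat_text, wire_flows):
    """The opposite difference: connections the host claims that the observer
    never saw. Usually a capture-window artifact, but worth listing so the
    operator can judge how well the two snapshots line up."""
    return sorted(parse_netstat(netstat_text) - wire_flows)


if __name__ == "__main__":
    for f in hidden_flows(NETSTAT_OUTPUT, WIRE_FLOWS):
        print("on wire, not in netstat:", f)
    for f in unseen_on_wire(NETSTAT_OUTPUT, WIRE_FLOWS):
        print("in netstat, not on wire:", f)
```

The observer's side should come from a machine that is not the suspect: a laptop on a hub or span port, or the router's own connection table, as the thread suggests. Taking both snapshots as close together as you can and repeating the comparison a few times is what separates a hidden connection from a flow that simply opened or closed between the two readings.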
  • by mysidia ( 191772 ) on Thursday August 06, 2009 @07:32PM (#28980507)

    It's true devices can do those things, and yeah, you would certainly need to test before trying flooding as a solution. (1) and (3) are really the only proper choices.

    (2) is definitely a defect in the device, that the manufacturer should fix. I equate it to a hard drive running out of disk space, and deciding to shut itself off, instead of reporting an error when you try to write past the end of the disk.

    But I suppose he did say it was a cheap switch, and sometimes, you really do get what you pay for.

  • by easyTree ( 1042254 ) on Thursday August 06, 2009 @07:58PM (#28980767)

    You see what you want to.

  • by superskippy ( 772852 ) on Friday August 07, 2009 @06:14AM (#28984083)

    I hate to break the Slashdot rules-of-posting, but I've got some sympathy for Microsoft here. A lot of the things Vista tried to do were to sweep away some of the old crud and make developers code more securely - that was what the whole "Blah wants to do something - confirm or deny" bit was about.

    Everyone's reaction? Waaaaahhhh, my computer is far more annoying. Where are my XP disks?

    MS are damned if they do sweep away old insecure crud (because old stuff stops working) and damned if they don't sweep old crud away (because their OS has a load of crud in it). Their main competitor (Apple) doesn't have this problem - when people move to a Mac they expect all of their old stuff to stop working - indeed none of their old applications work!

  • A Question...

    "without wireless security, and also with the default admin password for some time."

    Your implication seems to be that someone wandered by your father's house, saw an open wireless network and decided to insert packets to own his machine.

    WTF?!

    This seems like a pretty unlikely method of building a botnet compared to spam, website security holes, application fail (office, adobe, gif).

    It also seems to support the whole "sharing is bad" mentality that the RIAA and ISPs (and their net neutrality BS) are shoving down our throats. Though that might just be paranoia or my own politics interfering in what is really a technical matter.
  • by coolmoose25 ( 1057210 ) on Friday August 07, 2009 @09:14AM (#28985131)

    You can argue about marketshare or Unix core or whatever, but it's true - Macs *are* more reliable and *do* have much less of a problem with viruses and such. Who cares why?

    You will care about why when the market share numbers change. If Macs were 90% of the market, they'd be the ones with the botnets running on them, and the Windows machines would look just like Macs do to you. And it doesn't need to get to 90% for it to be that way. As the Mac marketshare continues to climb - and it will - you'll find that botmakers will target the Mac platform. They'll find holes. And they'll start to get infected. It is a function not of the OS, but a function of WHO is running them. Historically, the uneducated, uncaring masses were the home user running Windows. The botnets are written for THEM. When the uneducated, uncaring masses are running Macs, the botnets will be written for them too. Sure, you can buy some time by going the Mac route today. You'll be helping make Macs get on the bad guys' radar screen, and will hasten the botnet coming soon to a computer near you!

  • by BobMcD ( 601576 ) on Friday August 07, 2009 @09:46AM (#28985385)

    You should even disconnect that machine from the network when not in use.

    Or add a read-only end to your patch cable - http://www.ironcomet.com/sniffer.html [ironcomet.com]

    I keep one in my black bag. Allows me to supervise any network without anyone knowing I'm even there, because it is impossible (electrically) for my NIC to respond...

    With such wiring, you're effectively immune to Virii and the like, unless they're some sort of magical single-packet thing...

  • by ArsonSmith ( 13997 ) on Friday August 07, 2009 @12:28PM (#28987219) Journal

    While he's under 18 and I'm legally responsible for the things he downloads and does, yes I will spy on him.

  • Re:OS Check! (Score:3, Insightful)

    by harl ( 84412 ) on Friday August 07, 2009 @02:31PM (#28988797)

    Computer viruses and trojans are social illnesses. Risk of social illness infection is greatly mitigated through behavior.
