How Can I Tell If My Computer Is Part of a Botnet? 491
ashraya writes "My father (not too computer literate) has a desktop and a laptop both running Windows in his network back in Hyderabad, India. I set up a Linksys router for him to use with his broadband service. For some reason, he reset the config on the Linksys, and connected it up without wireless security, and also with the default admin password for some time. As you would expect, both of the Windows computers got 'slow,' and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things, I noticed on the Linksys' log that the laptop was making seemingly random connections to high-numbered ports on various IPs. I did an nslookup on the IPs to see that they were all either in Canada or US, with Comcast and other ISP addresses. Is that a sign that the computers were in a botnet? Are the other hosts part of the botnet too? (I have since rebuilt the Windows hosts, and these connections are not happening now. I have also secured the Linksys.)"
Well the only fool proof way... (Score:5, Informative)
Well the only fool proof way that I can envision is the following
1) Plug you father computer into a HUB ( not a switch, unless it has a special port for this usage)
2) Plug the router into this HUB
3) Plug a Linux machine into the HUB and use tcpdump to examine traffic.
This is what security experts do.
Re:Well the only fool proof way... (Score:5, Informative)
Re:Well the only fool proof way... (Score:5, Interesting)
Agreed, I do it from my Linux router which I assume is not owned.
It is nevertheless better to reserve a machine on your network for just this usage. Nothing installed on it but tcpdump and similar tools. You should even disconnect than machine from the network when not in use. Again, that's what security expert firms do.
The important point is to be confident than what you are looking at is not coming from something that is already owned. Many root kits modify netstat, tcpdump and the like... ;-)
Re:Well the only fool proof way... (Score:5, Informative)
It is nevertheless better to reserve a machine on your network for just this usage. Nothing installed on it but tcpdump and similar tools.
Or boot from a Linux Live CD.
Also, some switches support spanning ports, which will allow you to sniff the traffic on another port. Your typical home network dumb switch probably doesn't support this, but if you have temporary access to a higher end switch, it makes such tasks much easier. You can pick up older switches that support this fairly cheap on Ebay, although you probably won't want to spend the money for a one-time usage.
Re:Well the only fool proof way... (Score:4, Funny)
Because, I mean, he only gets paid when he's SUBTLE.
Re: (Score:3, Funny)
A horse is a horse,
Of course! Of course!
Re: (Score:3, Interesting)
Yah, 'cause there's no way I could just be recommending it as a favour to the guy who asked the question. Way to catch me out dude.
+1 no-flies-on-you
Considering that others have already pointed out that it's a "firewall" you run as software on the computer you're trying to protect (tl;dr version: snake oil), no, we're all quite certain you weren't doing him any favors.
Re:Well the only fool proof way... (Score:4, Interesting)
Indeed. I don't know why security companies don't aggressively push this kind of product for home use- sounds like a win-win for them: sell the consumer an expensive physical box /and/ charge them for monthly firmware updates. Special bonus: An external box would actually /work/ (and with the aid of a USB connection, it could boot into its own environment to do scans) Just for fun, you could throw in a "real" firewall.
So then you'd provide: /works/, rather than one which is guaranteed not to
- Network monitoring for statistical "suspicious packet" analysis
- Completely detached scanning which doesn't just nicely ask an infected system whether it's infected or not
- Hardware firewall
- A solution which potentially
Yet everything I've ever seen pushed to home users has been a software-only package, or just a firewall. When will I be able to tell my mom to "go buy a Norton ActuallyWorX box and plug it between your computer and router"?
Re: (Score:3, Insightful)
You should even disconnect than machine from the network when not in use.
Or add a read-only end to your patch cable - http://www.ironcomet.com/sniffer.html [ironcomet.com]
I keep one in my black bag. Allows me to supervise any network without anyone knowing I'm even there, because it is impossible (electrically) for my NIC to respond...
With such wiring, you're effectively immune to Virii and the like, unless they're some sort of magical single-packet thing...
Re: (Score:3, Informative)
Um, the link is instructions. Not sales.
Solaris does this automatically (Score:5, Interesting)
Re: (Score:3, Informative)
It's true, by default Solaris has IP forwarding enabled between all interfaces.
You can turn it off, by using: ndd -set /dev/ip ip_forwarding 0
On most Linux systems, it's off by default, but you can enable it by doing echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
Or temporarily by doing sysctl -w net.ipv4.ip_forwarding=1
This is not really an advantage of Solaris that it's enabled by default, but a security risk.
My suggestion would be to instead use a cheap old x86 PC and instal
Re: (Score:3, Insightful)
While he's under 18 and I'm legally responsible for the tings he downloads and does, yes I will spy on him.
Re:Well the only fool proof way... (Score:5, Informative)
The hard part nowadays (although maybe not a problem in India) is actually finding a HUB. It is very difficult to actually buy a hub anymore, and most "hubs" sold in the US anyway are actually low-end unmanaged switches, so you can't sniff traffic on them.
In answer to the question though (I'm sure redundant at this point) is: YES- they are probably part of at least one bot-net, and are probably infected with all sorts of other nastiness. The best thing to do is re-secure the wireless router, and the all-too-often-recommended reformat and re-install of Windows. I wouldn't even try to salvage the current installs at this point.
Re:Well the only fool proof way... (Score:5, Informative)
You don't need a HUB at all. Linux bridging allows you to use two ports on a system 'as a HUB', while still providing you with the ability to tcpdump a port on the bridge. You just add both interfaces to your bridge and stick the linux bridge in between the real router and the infected machine. Only thing needed is a linux system with 2 physical ethernet ports.
Re: (Score:2)
Yeah, this works too, not as effective in order to snoop-in without being detected, hmmm. I mean without disrupting normal business operation but it would work for his computer father.
Dedicated port on switches are more standard for security audits. You just plug a laptop with one network interface on it et voila.
Also, routing traffic through your Linux changes something to the network topology so you are actually interfering with the network compared to stealthily listening.
Re: (Score:2)
if you're paranoid, sure. Don't use this method to 'snoop' data where you are not allowed.
For a sysadmin, this is a great way to isolate a machine without touching it. I doubt a botnet is smart enough to detect MAC address changes...
Re: (Score:2)
it would work for his computer father.
What?? His father is a computer? Then I bet the father is part of the botnet too! Oh noes!
Re: (Score:2, Informative)
Re: (Score:2)
but then you are not bridging, but routing, which is significantly different.
Re:Well the only fool proof way... (Score:5, Insightful)
Re: (Score:2)
Then you are stuck with buying a slightly more expensive switch with a special broadcast (HUB like) port designed for just this usage. Many have those. Most corporate switches have them in order to enable security audits or other network surveillance tools.
Re: (Score:2)
Most switch used in a business should support arbitrary port mirroring. That is you can duplicate the input out put or both of any port to any of the the other ports. Good equipment will even support remote mirroring and will be able to encapsulate the traffic on one port and send it all to some other location of your selection.
Re: (Score:2, Interesting)
Re: (Score:2)
There are other ways (as mentioned, computers set up as man in the middle) or managed switches. However, somewhere in storage is my old hub, just in case. Don't forget that many routers are actually also managed switches, your router may have the ability to do this as well. Or look for a cheap one that can act like this, consumer targeted routers are cheaper than most managed switches (and likely much slower, but for this kind of thing they should be fine).
Re:Force a failover (Score:5, Interesting)
Please don't make unverified claims. I have seen this happen first-hand on several residential switches (5/8 port Linksys/Acer/whatever). It's how they can get away with crapping 8 ports on an underpowered processor with piddly amounts of memory.
There's basically 3 ways a switch can deal with ARP overload:
1. Ditch the least recently seen address (annoying and laggy but relatively clean)
2. Slow down, panic, and stop forwarding packets altogether (hello Linksys)
3. Ignore ARP entirely and revert to being a dumb hub, at least temporarily until everyone shuts up
You'd be surprised how many A+ asshats have daisy-chained those cheap switches to save a buck. I remember one guy who had a cage full of shitty old gear going into a bunch of $40 Aopen switches, because he figured it was cheaper to cram a few U's with those tiny 8-port toys than to drop real money on a bunch of FSM750s. His latency was pretty bad for 100mbit, but his brain was even slower so he cared not. Then one day he added one device too many and a true packet storm ensued, which caused his entire network to seize within minutes. One switch barfed, then another, and another... he had four or five of them per rack, times maybe ten racks. I tried to explain how retarded he was for trying to save maybe $1000 per rack, when each rack had at least 50k worth of gear, but they say ignorance is bliss.
Re:Well the only fool proof way... (Score:4, Insightful)
Ethernet using cat5 cabling was specifically designed such that the cheapest hubs would just be RJ45 jacks wired together passively. So one could make a "hub cable" in theory.
Interestingly another instructable linked to the one he showed, was about how to use 1 cat5 cable to every jack in the house to support both phone and Ethernet data.
This person was apparently unaware of the fact that a phone cords 6P4C or 6P2C cable will happily fit into the wider 8P jack. (That is to say that phone cable will plug into Ethernet jacks by design).
Further the Ethernet wiring standard deliberately has pins 3-6 (which correspond to pins 2-5 in a phone style jack, which are the 4 that are normally connected in a phone jack) connected identically to standard phone cord. Further Pins 4 and 5 are deliberately unused in 100Mbs Ethernet, which is the one pair necessary for a single phone line.
Thus if you have a house wired for Ethernet but not phone, adding support for phones to all the jacks is as simple as using Ethernet switches that connect pin 4 of all jacks together and pin 5 of all jacks together, and then plug a pone line into one of the jacks in the switch. (I would actually be surprised if there were not Ethernet switches specially designed for that).
Re:Well the only fool proof way... (Score:5, Interesting)
Yes it does seem possible and you might even get away with it in real life, but the idea of running a 48VDC pair that also uses a 100VAC ring signal right beside your ethernet pairs is scary. Also every time the telephone rings it would induce a hellacious amount of electrical noise into the data pairs; it would probably shut down any data packets on the network and possibly blow out your ethernet cards. If another technician was faninng the wires and happened puncture his skin with them the jolt from the 48VDC would probably make you number ten thousand dirty rotten SOB, a 100VAC ring signal would definitely make you number ten thousand dirty rotten SOB. Telephone and ethernet really don't play well together.
Re: (Score:3, Interesting)
not really...
POE uses the two spare pairs to provide 48VDC
POE+ uses the spare pairs and induces a DC offset onto the differential signal pairs ala "phantom power".
in either case the specified current is much higher than a phone line can provide.
doubtful the AC ring would have any effect, the frequency is far too low and current is extremely limited and the differential nature of ethernet's signaling would cancel out noise of this type anyway.
however, the analog phone line most likely would pick up some rath
Re: (Score:3, Informative)
Insightful? Really?
Ethernet using cat5 cabling was specifically designed such that the cheapest hubs would just be RJ45 jacks wired together passively. So one could make a "hub cable" in theory.
Citation please. Cat5 maybe all on it's own hijacked for phone purposes, maybe. I've been installing ethernet and phones for 20 years, and from what I know of Ethernet over twisted pair, there is no electrical provision for this anywhere.
Interestingly another instructable linked to the one he showed, was about how to use 1 cat5 cable to every jack in the house to support both phone and Ethernet data.
This person was apparently unaware of the fact that a phone cords 6P4C or 6P2C cable will happily fit into the wider 8P jack. (That is to say that phone cable will plug into Ethernet jacks by design).
Again, citation please. Every Ethernet jack I've ever used gets the 1-8 pins bent or broken when some fool does this. You can put a one inch round peg in a one inch square hole, but to say that they mate correctly is a bit misleading.
Further the Ethernet wiring standard deliberately has pins 3-6 (which correspond to pins 2-5 in a phone style jack, which are the 4 that are normally connected in a phone jack) connected identically to standard phone cord. Further Pins 4 and 5 are deliberately unused in 100Mbs Ethernet, which is the one pair necessary for a single phone line.
Thus if you have a house wired for Ethernet but not phone, adding support for phones to all the jacks is as simple as using Ethernet switches that connect pin 4 of all jacks together and pin 5 of all jacks together, and then plug a pone line into one of the jacks in the switch. (I would actually be surprised if there were not Ethernet switches specially designed for that).
One more time!
Re:Well the only fool proof way... (Score:5, Informative)
Or they use a "real" switch that has port mirroring, or a passive ethernet tap [sun.com].
Re: (Score:2)
>> 1) Plug you father computer into a HUB
>> ( not a switch, UNLESS it has a SPECIAL PORT for this usage)
> Or they use a "real" switch that has port mirroring, or a passive ethernet tap [sun.com].
Thanks ! ;-)))
Re:Well the only fool proof way... (Score:5, Funny)
Well the only fool proof way
If that sentence doesn't end with "from orbit" and have "nuke it" in there somewhere it just isn't true!
Re: (Score:2)
Did you read my sign ?
Re: (Score:2)
Re: (Score:2)
For the most part he probably could do that; but a well enough designed root kit could possibly replace the operating system interfaces libcap uses and not report its own traffic. That is certainly not your run of the mill botnet software or malware but stuff that can do that sorta thing does exist.
Re: (Score:2)
Or use a real switch with a port mirroring option. Or use wireshark installed locally. Regardless, this is remote support so he'll probably have to use some local options and the linksys log, netstat, etc. If he can manage a capture with wireshark then he's 99% of the way there.
Re: (Score:2)
Are we assuming that the packets will be obvious IRC packets or something? It would be suggestive of a botnet if lots of traffic was moving while the computer was idle, but that could always be background programs downloading updates or whatever. If a botnet used any sort of encryption, or even a binary protocol instead of ascii, it could be extremely difficult to tell it's a botnet by just looking at packets.
Re: (Score:2)
Re:Well the only fool proof way... (Score:5, Funny)
Is a father computer anything like a mother board?
Re:Well the only fool proof way... (Score:4, Funny)
Re:Well the only fool proof way... (Score:5, Funny)
If the answer to both your questions is "Yes", then you are most likely part of a botnet. This advice is free of charge.
Re:Well the only fool proof way... (Score:5, Informative)
netstat could be modified not to report the botnet connections if you are owned, hence the fool proof solution.
Re:Well the only fool proof way... (Score:5, Interesting)
I agree with your theory, however in practice, a hacker clearly has several million low hanging fruits running unpatched xp with antivirus which expired 60 days after the computer was purchased in 2006.
The idea that a botnet is really going to worry about the fraction of the fraction of a percent that knows about netstat seems improbable, though obviously not impossible, which is why I agree with you in theory, but in practice netstat would probably answer his question when a hub and a linux box is inconvenient. If someone has an example of a virus masking its connections through netstat I would both eat crow and be interested to hear it.
Re:Well the only fool proof way... (Score:5, Interesting)
The contents of the file was a text printout of the netstat command, re created every fifteen or so seconds, MINUS the offending connections. Just by waiting and opening the file again I got new netstat info.
Running the command, showed the contents of the text file, not the actual output of netstat. I could see traffic going on using a packet sniffer elsewhere on the network, so knew something was up.
Eventually just wiped and reinstalled anyway because it was faster than fighting it bit by bit.
So, there are such things out there, yeah, it doesn't make a whole lot of sense for them to spend much time on it, but a lot of that stuff is made from "kits" now days anyway so it's not a big deal to enable the feature.
Re: (Score:3, Interesting)
I'd assume you want to limit that to a virus actually spreading in the wild and manipulating netstat where it's running on an otherwise properly working Windows box. I'm pretty confident there's been cases where a laboratory proof of concept manipulation of netstat, nmap, or others have been accomplished. The real question is have any of these shown up on an actual machine in the wild, whether that machine was running a botnet or showing some other compromise, i.e. just being infected via to a root-kit. For
On the other hand, (Score:3, Insightful)
If the bogus netstat (and other utilities) are already part of the rootkit the skript ciddey downloaded, it doesn't cost the skript ciddey any more effort, and is even less likely to be noticed than strange output in netstat.
Re:Well the only fool proof way... (Score:5, Funny)
Did you know that both wireshark and tcpdump use libpcap? Wireshark has a pretty GUI, tcpdump is the command line version.
Perhaps it would help if I explained that in video format.
Captcha was "obvious", this is unnerving.
Proof of Infection? Clean Reinstall (Score:5, Informative)
As you would expect, both of the Windows computers got 'slow', and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things ...
Quick question, how did you log into his desktop remotely if it "stopped connecting to the internet completely for some reason?"
If all you did was reset the hosts file, it will be back sometime. Somewhere, probably in multiple places on that hard drive, is an executable waiting to be run. It's probably infected some inane looking routine Windows system file that occasionally runs and when that happens your host file will magically change again.
I could recommend you do a netstat but what's the point? Any botnet today would know how to elude that or run as part of a system routine. If the bot is serious enough, your best bet might be to save the data and just do a routine re-install. You know on my parent's WinXP machine, I do that everytime I'm home for christmas. Then I patch it as far as I can over their 56k modem.
Odds are high your dad's machine is still infected and I would also suspect your machine as being potentially compromised if you connected using Windows remote desktop. Call me overly cautious but I don't take chances with Windows.
You can run all the programs you want (Bothunter [bothunter.net], Symantic, AVG, AdAware, etc.) but in the end there's no guarantee although BotHunter's probably your best bet.
The best thing to do is educate your dad. If he has a valid copy of Windows, spend time with him to show him how to go to IE and click Tools -> Update Windows then select all updates. Remind him periodically when you talk to him--especially if he does any banking or commerce online!
Re:Proof of Infection? Clean Reinstall (Score:5, Informative)
Get Autopatcher [autopatcher.com] and update it from a CD BEFORE you connect it to anything.
Re: (Score:2)
And please! For the love of Linux, remove Symantec products from your list.
Format and reinstall, if is the only way to be sure.
Re: (Score:2, Funny)
For a suspicion? Good luck with that.
idiot lights (Score:2, Informative)
look at the activity lights on the whatever you have for networking equipment. If the activity lights go ape after the system comes up, and stays that way, back up what's safe and reload it.
Assume it is .. (Score:5, Interesting)
Overseeing a small office lan, I've come to the conclusion that you will be infected whether you like to or not. Regardless of how much you threaten users. I've resorted to using an drive image (paragon) saved on a drive partition which saves the system in a uninfected state. As soon as a user goes 'uh ooh' or complains of slowness I restore the image (keep in mind data is stored on a server which is backed up and scanned on which no apps are allowed to run). I also run a combination of ccleaner, spybot s&d and windows defender.
In addition I check the network once a week for mail or ftp sockets ( evidence there is a bot net at work). So far this has been the easiest way to stay on top.
Re:Assume it is .. (Score:5, Interesting)
You're doing it wrong.
You need an IDS/IPS system like a Fortigate or ASA that scans all incoming/outgoing packets for viruses/spyware/whatever, and blocks them before they get to the computer (as well as performing standard firewall duties like NAT and traffic filtering). You need Websense Express (or something similar) to block access to malicious websites (and inappropriate websites, which are often malicious anyway). You need to take away the Local Administrator rights from every user on the network, and use Group Policy to a) lock down Internet Explorer, and b) prevent them from installing any software and c)making any system changes.
This is all easy to do. Why aren't you doing it? For a small office, it wouldn't even be expensive.
Re:Assume it is .. (Score:5, Interesting)
All great points, here are mine.
1.) We are an architecture office which runs AutoCAD problem is this requires Power User group membership in order to run. (also on windows even without admin privs malicious software can infect.
2.) Unfortunately any expense is an expense, (economy doesn't help.) This is why you will note all my network software is freeware.
3.) My most malicious user is the owner of the company, who insist on having admin privies ( he equates user authority to company hierarchy) So he constantly does stuff like installs go to my pc, and leaves his system up and logged in.
unfortunately I don't live in your well funded and taken seriously IT world.
Re:Assume it is .. (Score:5, Insightful)
Re:Assume it is .. (Score:5, Informative)
All great points, here are mine.
1.) We are an architecture office which runs AutoCAD problem is this requires Power User group membership in order to run. (also on windows even without admin privs malicious software can infect.
No, AutoCAD doesn't require Power User membership. What it requires is someone to spend a few minutes to adjust the system to allow it (and pretty much anything else) to run with User perms only. Do a Google search for Filemon and Regmon formerly from SysInternals and now Microsoft free software. Run them (using RunAs since these DO require admin rights) while your users have normal perms. Set them to only show you what ACAD.EXE does. When it craps out (and it will), search the logs for Access Denied. Manually add perms for Users Full Control to the folders and registry keys that it requires. This will take several passes as the program will run better and better each time. Write down what you have to permit, so next time you install on a new machine you'll know what you need.
Almost none of my hundreds of supported desktops allow users to have admin rights. The ones I'm not PERMITTED to spend the labour tend to get owned periodically. The non-admin systems don't. Really. Since Win2k's release I have yet to have even one system actually get infected. Light damage, yes. Infected, no.
What... you think admins running Citrix or Terminal Servers just throw their hands up in the air and accept some lazy-ass vendor's word that their software NEEDS admin rights?
Re: (Score:3, Insightful)
Especially in a small business, your users will rebel if they can't install (or use) their software... which is quite reasonable given most people are still running Windows XP, and most XP software is not capable of being installed or sometimes even used without admin access... this is especially troublesome if that user happens to be the CEO/Owner.
You hardly ever have time/resources to "do it properly" in
Re:Assume it is .. (Score:4, Insightful)
You hardly ever have time/resources to "do it properly" in a small business, unless what you're "doing right" is a core competency of the business. The trick is to convince the guy who signs the checks that it is business/mission critical (often non-trivial).
Sure you do! It's called OSX. Now, before you flame me into submission, understand that I'm writing this on my Fedora Core Linux laptop. I'm a command-line junkie extraordinaire, and don't feel comfortable until I have an xterm or three up on one or two virtual desktops while running dual-head.
But there's a very real, very useful, and very definite benefit to running on OSX - there really is not just nearly as much of a problem with viruses, worms, trojans, and other crapware. Really really for real and yes, it's for real.
Really.
You can argue about marketshare or Unix core or whatever, but it's true - Macs *are* more reliable and *do* have much less of a problem with viruses and such. Who cares why? And if you really must run something windows like, you can get Parallels/VMWare or boot camp. (I recommend the former unless you are a gamer) Even better, if you go the VM route, you can easily save your Windows VM image to an external disk every week or so, and if/when it gets infected, just recover from a backup and be up and running again in minutes instead of days!
I didn't appreciate OSX until I had to port our software over to it. It was painful at first, but in the process, I fell hard-core in love with OSX. Except for the dated Unix command line, it's everything that Fedora Core ever dreamed of.
Re: (Score:3, Insightful)
You can argue about marketshare or Unix core or whatever, but it's true - Macs *are* more reliable and *do* have much less of a problem with viruses and such. Who cares why?
You will care about why when the market share numbers change. If MACS were 90% of the market, they'd be the ones with the botnets running on them, and the Windows machines would look just like Macs do to you. And it doesn't need to get to 90% for it to be that way. As the Mac marketshare continues to climb - and it will - you'll find that botmakers will target the Mac platform. They'll find holes. And they'll start to get infected. It is a function not of the OS, but a function of WHO is running them.
Re:Assume it is .. (Score:5, Interesting)
for a small office running windows the end users HAVE to run as admin, as Most windows apps require it. My HP printer drivers, and a couple of other apps require my to be fully logged in as an admin or they don't work basically preventing me from doing most of my work.
I know this as I tried it as I don't believe I should run as admin. Since Windows and MSFT doesn't force developers to code to security standards, including their own. Running as a non admin in a real world environment is impossible. Oh and just to really make you scratch One of those mission critical apps crashes on install because it loads the win16 subsystem for running.
It gets updated 3-4 times a year but it still requires win16 components. MSFT has enabled that in 2009 that win16 parts are required still. If MSFT would let go of old and outdated parts like the rest of the OS world shit like that wouldn't happen.
Re: (Score:3, Insightful)
I hate to break the Slashdot rules-of-posting, but I've got some sympathy for Microsoft here. A lot of the things Vista tried to do was to sweep away some of the old crud and make developers code more securely- that was what the whole Blah wants to do something- confirm or deny bit was about.
Everyone's reaction? Waaaaahhhh, my computer is far more annoying. Where are my XP disks?
MS are damned if they do sweep away old insecure crud (because old stuff stops working) and damned if the don't sweep old crud awa
Re:Assume it is .. (Score:5, Interesting)
You need layers of defense. preferably from different vendors or makers.
And really, this is Slashdot, why are you recommending Fortigate or ASA? you should be talking up Snort, or its commercial appliance version, Sourcefire.
Re: (Score:3, Interesting)
I would also block outgoing port 25 and then ask the users what smtp servers they use and whitelist those.
Getting the users to run as a non-privileged user will make clean-up much easier. Set their normal login to be a low-privilege user (and add network configuration so they can configure wireless networks), then give them their own administrat
Re: (Score:2, Funny)
and show them how to login as their normal username and use "run-as".
Awwww, how cute! He's trying to teach a user something!
Let's watch...
Re: (Score:2)
Actually, you can just block outgoing port 25 and leave it at that. Most E-mail providers use 587 for E-mail submission, and 465 for SSL based E-mail submission.
The difference is that 25 is intended to talk from a server to another server. 587 is for a MUA like Outlook, Thunderbird, mail.app or mutt to send mail to their "local" mail server, and that server controls authentication, then sends it to other servers via port 25. By separating this functionality, admins can block port port 25 completely excep
Re: (Score:3, Insightful)
Youre doing it wrong. Set your users to be users, not administrators. Give them permissions to exactly what they need and whatever special permission the applications they run need. Sure, it takes time at first, but once you figure it out then you're good for the rest.
Or you can take the lazy man's approach and set them as power users, which is almost like an administrator, but selectively remove modify/write permission from c:\windows, c:\program files, and other critical areas. Less secure but a bazill
Re: (Score:2)
If the machines are being used as generic hosts without any data saved locally, I'd consider the use of a program like DeepFreeze. This way, even if a user has admin authority on a box, should it get infected, a reboot will scrape all that junk off and roll back to the original frozen configuration. Even better is if the user has no admin authority, because this prevents malware that infects the user's profile from touching LocalSystem level processes.
I have used utilities that preserve the system state i
Check network connections (Score:2)
c:\>netstat -b
Re: (Score:3, Funny)
... and now imagine I chose 'Plain text'
c:\>netstat -b
Your computer is fine.
c:\>
Sweet!
See what is going on with NETSTAT (Score:5, Informative)
Fire up a command prompt and type
netstat -a | find "LISTENING"
to find out what ports your system is listening to. Running the netstat command will give you all the traffic. Should give you a good idea as to what is happening. (Helps to close all of your 'normal' apps)
Re: (Score:2)
Curious - which version of XP? Just ran that on my work laptop and it works fine. I'm running XP Pro 2002 SP2.
Re: (Score:2, Insightful)
Doesn't work in my already-compromised computer running XP.
FTFY
Re: (Score:3, Informative)
Considering GREP doesn't even exist in CMD and FIND does, I think the grandparent has it right and you're the one who is confused.
The command works fine, in Vista at least. Probably requires Admin privileges for full results.
Re:See what is going on with NETSTAT (Score:5, Funny)
This is windows. find == grep. Well, find < grep.
Re:See what is going on with NETSTAT (Score:5, Insightful)
You have Windows and Linux confused, as far as I can tell.
If you suspect the router itself (Score:5, Informative)
If I had that kind of suspicion and if it was router itself I was suspicious about, I would simply get the latest stable firmware for that particular model (be careful) and simply reinstall it over the router itself. It would be something like "format and install windows" I wouldn't really backup any settings on that case. Just make sure you know ISP login and pwd. Make sure they work, they haven't been changed at any point or you will end up speaking with Bangalore at 4 AM :)
A simple,fast port scanner exists at http://www.grc.com/ [grc.com] (shields up!) which really works, ignore Mr. Gibson's weird named inventions like "nano scan" etc. What I know is, it works. Oh also ignore its port 139 or "you aren't stealth" paranoia. 139 is client port and stealth would be good but you won't really die if you have nothing served.
For clients, don't re invent the wheel. NMAP is there, free and can run under win32 if you need. http://nmap.org/download.html [nmap.org] , some instructions exist for detecting current security threats but I didn't really check since it is all OS X here, we have different issues than win32.
No (Score:5, Funny)
Check out what's running when the OS boots (Score:2)
Boot into safe mode, then use a tool such as Autoruns by Sysinternals to see what's starting when Windows loads.
On an infected system you will see a number of drivers and shell extensions that are not a part of a standard Windows installation. Some of them may be things that were installed by the user, but most of them are malicious software.
Of course, getting rid of that stuff is an entirely different question.
Try using rubotted or dronebl (Score:2, Informative)
The rubotted tool does a pretty decent job of detecting most botted computers. Have your dad download it here:
http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted [trendsecure.com]
You could also look for his system on the dronebl:
http://dronebl.org/ [dronebl.org]
Good luck!
Re: (Score:3, Informative)
You can tell if.. (Score:4, Funny)
Dear Slashdot (Score:2, Funny)
Default Settings (Score:2, Insightful)
For some reason, he reset the config on the Linksys, and connected it up without wireless security, and also with the default admin password for some time.
He probably just stuck a pencil in the reset button. Maybe because he was having connection problems for some other reason and that "fixed" it and he was happy. Ignorance is bliss ... for a while.
MalwareBytes (Score:2)
One word:
malwarebytes
Detecting and removing botnet software is its purpose in life.
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol [cnet.com]
Some Answers to the questions asked here... (Score:5, Interesting)
1. For this time, I assumed the systems were owned, and they have now been rebuild (Windows Reinstalled).
2. The Linksys is re-secured - but I hadnt thought of that being owned - so I have to now do a firmware upgrade on that - Thanks for the suggestion.
3. Other suggestions are to confirm botnet or sniff traffic - I am in the UK, and I can only do so much remotely.
4. One of the quesions was how I managed to remote into the windows hosts - No, I managed to remote into the Linksys, not the windows hosts.
5. The bizzarre situation in the Windows host before it was rebuilt was that if we did (I told the commands over the phone for my dad to execute) ping or traceroute to a destination like www.google.co.in, it would work. It would resolve the right IP. However, with any of the browsers, as soon as access to a site was attempted - We would get a message "Connection Reset" or the browsers equivalent. (Firefox, Chrome and IE tried). Has anyone seen that one before?
6. Another question asked was if the Windows in question was legit - Yes, I bought him a OEM XP the last time I was there and installed it.
Regards,
Ashraya
Re: (Score:3, Insightful)
Your implication seems to be that someone wandered by your fathers house, saw an open wireless network and decided to insert packets to own his machine.
WTF?!
This seems like a pretty unlikely method of building a botnet compared to spam, website security holes, application fail (office, adobe, gif).
It also seems to support the whole "sharing is bad" mentality that the RIAA and ISPs (and their net neutra
Oh, the irony... (Score:5, Funny)
Some chick named Alanis is calling you subby.
OS Check! (Score:5, Funny)
A: If it's got Windows on it, it is.
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
Computer viruses and trojans are social illnesses. Risk of social illness infection is greatly mitigated through behavior.
Simple check (Score:2, Funny)
Is it running windows?
Three things to look for. (Score:5, Informative)
If you are seeing netbios over tcp (port 445) traffic and he is not uploading/downloading files via the "My Network Places" interface he is most likely infected with a trojan.
If your seeing random high port to random high port traffic (ports 1024 - 65535 connecting to another ports 1024-65535) and he isn't doing P2P then he most likely is infected and the infection is trying to set up the machine as part of a bot net and trying to infect others.
If you are seeing UDP traffic on a consistent port on his machine to random high ports (1024-65535) on the outside, his machine is an active server in a bot net.
You've rebuilt the windows machines? (Score:3, Interesting)
You've rebuilt the windows machines? So, now you can not at all be sure if they were part of a botnet or not.
Chances are they were, and you've done the right thing by rebuilding them.
I think the details about the router with it's default password an no wireless security is a red herring - I've not heard of a botnet that tries to get in to your network by guessing standard admin passwords for common wireless routers. More likely it was a drive-by download from a dodgy web page, or a trojan in some downloaded software that put the malware on the machines.
Securing Linux Box? (Score:4, Interesting)
While we are on a topic of security:
Several months ago I started using Debian as my primary OS at home. I am very happy with it, but don't know much about how to keep it secure or how to tell if I had been compromised. Of course very basics are clear: I do not use root except in those instances of updates, etc. The consensus on this site is that if you run Linux then you are invincible, but I respectfully disagree. The system is only as secure as the competence of the user.
To cut the long story short:
- What do you normally do to make sure that your Linux system is clean? Is running apt-get upgrade regularly enough or is there more to it?
- What articles or books would you recommend to a newbie in this area? I am fully willing to RTFM as such, but please at least give me at least some direction on what to search for.
- Any other general tips, advice or wisdom would you be willing to share?
Thank you
Re: (Score:3, Informative)
-i heard its good to remove SUID from any binaries that have it set. check google for this, its some long command that involves xargs.
-check your /var/log/auth.log from time to time and make sure there arent a bunch of failed login attempts.
-if you see a lot of activity in auth.log and other logfiles pointing to repeated attempts at breaking into your system, identify the method theyre trying to get in through (usually ssh or ftp) and change the port. i usually use 2222 for ssh and 2121 for ftp, that stoppe
The takeaway... (Score:5, Interesting)
The Shark (Score:4, Informative)
Download and install Wireshark from http://www.wireshark.org/ [wireshark.org]
Fire it up and watch everything on the NIC
Re: (Score:2)