My question about them though is this. With this latest virus in the spotlight a lot of people are talking about the "backdoors" these viruses create so that when the people who sent the virus want to, they can turn them into DOS warriors. So my question is, is it really that hard to find these backdoors? Why can't MS or Symantec or Norton come up with a backdoor detector?
http://grc.com/dos/grcdos.htm
A Quick & Easy Check for IRC Zombie/Bots
If you have managed to read all the way through this lengthy and detailed adventure, I am sure you will agree that you do NOT want any of these nasty Zombies or their relatives running around loose inside your PC. Fortunately, it's quite easy to verify that your system is not currently infected by one of these IRC Zombie/Bots.
All of the IRC Zombie/Bots open and maintain static connections to remote IRC chat servers whenever the host PC is connected to the Internet. Although it is possible for an IRC chat server to be configured to run on a port other than "6667", every instance I have seen has used the IRC default port of "6667".
Consequently, an active connection to an IRC server can be detected with the following command:
netstat -an | find ":6667"
Open an MS-DOS Prompt window and type the command line above, then press the "Enter" key. If a line resembling the one shown below is NOT displayed, your computer does not have an open connection to an IRC server running on the standard IRC port. If, however, you see something like this:
TCP 192.168.1.101:1026 70.13.215.89:6667 ESTABLISHED
. . . then the only question remaining is how quickly you can disconnect your PC from the Internet!
A second and equally useful test can also be performed. Since IRC servers generally require the presence of an "Ident" server on the client machine, IRC clients almost always include a local "Ident server" to keep the remote IRC server happy. Every one of the Zombie/Bots I have examined does this. Therefore, the detection of an Ident server running in your machine would be another good cause for alarm. To quickly check for an Ident server, type the following command at an MS-DOS Prompt:
netstat -an | find ":113 "
As before, a blank line indicates that there is no Ident server running on the default Ident port of "113". (Note the "space" after the 113 and before the closing double-quote.) If, however, you see something like this:
TCP 0.0.0.0:113 0.0.0.0:0 LISTENING
. . . then it's probably time to pull the plug on your cable-modem!
Note that a Windows IRC client program running in the PC will generate false-positive reports since these are tests for IRC client programs. So be sure to completely exit from any known IRC client programs BEFORE performing the tests above.
A Quick & Easy Check for IRC Zombie/Bots
If you have managed to read all the way through this lengthy and detailed adventure, I am sure you will agree that you do NOT want any of these nasty Zombies or their relatives running around loose inside your PC. Fortunately, it's quite easy to verify that your system is not currently infected by one of these IRC Zombie/Bots.
All of the IRC Zombie/Bots open and maintain static connections to remote IRC chat servers whenever the host PC is connected to the Internet. Although it is possible for an IRC chat server to be configured to run on a port other than "6667", every instance I have seen has used the IRC default port of "6667".
Consequently, an active connection to an IRC server can be detected with the following command:
netstat -an | find ":6667"
Open an MS-DOS Prompt window and type the command line above, then press the "Enter" key. If a line resembling the one shown below is NOT displayed, your computer does not have an open connection to an IRC server running on the standard IRC port. If, however, you see something like this:
TCP 192.168.1.101:1026 70.13.215.89:6667 ESTABLISHED
. . . then the only question remaining is how quickly you can disconnect your PC from the Internet!
A second and equally useful test can also be performed. Since IRC servers generally require the presence of an "Ident" server on the client machine, IRC clients almost always include a local "Ident server" to keep the remote IRC server happy. Every one of the Zombie/Bots I have examined does this. Therefore, the detection of an Ident server running in your machine would be another good cause for alarm. To quickly check for an Ident server, type the following command at an MS-DOS Prompt:
netstat -an | find ":113 "
As before, a blank line indicates that there is no Ident server running on the default Ident port of "113". (Note the "space" after the 113 and before the closing double-quote.) If, however, you see something like this:
TCP 0.0.0.0:113 0.0.0.0:0 LISTENING
. . . then it's probably time to pull the plug on your cable-modem!
Note that a Windows IRC client program running in the PC will generate false-positive reports since these are tests for IRC client programs. So be sure to completely exit from any known IRC client programs BEFORE performing the tests above.
<BLOCKQUOTE class="ip-ubbcode-quote"><font size="-1">quote:</font><HR>Originally posted by trytrytry:
how do you open a DOS prompt in Windows! Other than watching the startup routines I have not seen a DOS prompt in 10 years!
Thanks!<HR></BLOCKQUOTE>
Click "start" then "run" then type in "cmd" . That takes you to DOS.
how do you open a DOS prompt in Windows! Other than watching the startup routines I have not seen a DOS prompt in 10 years!
Thanks!<HR></BLOCKQUOTE>
Click "start" then "run" then type in "cmd" . That takes you to DOS.
That is an outstanding article linked above. Long, but very much worth reading. Steve Gibson very much knows his hax0r sh1te. Note that the article was written in 2001, and that despite the fact that Gibson is a well-known and respected security expert, his warnings that DDOS attacks would "eventually" (ahem) move from being the territory of annoying but relatively harmless script kiddies to being that of professional extortionists and eventually terrorists have gone ignored.
I can also verify that his comments regarding Earthlink are true and accurate to this day. I have never encountered a tech support team less technically adept in my entire life. When the machines on the desk are considered smarter than the person sitting in front of them, it's time for a new tech department.
trytrytry
If you're using windows, Click Start-->Programs-->Accessories-->MS-DOS Prompt
Phaedrus
I can also verify that his comments regarding Earthlink are true and accurate to this day. I have never encountered a tech support team less technically adept in my entire life. When the machines on the desk are considered smarter than the person sitting in front of them, it's time for a new tech department.
trytrytry
If you're using windows, Click Start-->Programs-->Accessories-->MS-DOS Prompt
Phaedrus
Also, you might get a copy of ZombieZapper, which can detect control some types of zombie files. Unfortunately, the hacking market being what it is, it will probably not work in another couple of months, but it's available.
Phaedrus
Phaedrus
<BLOCKQUOTE class="ip-ubbcode-quote"><font size="-1">quote:</font><HR>Originally posted by WildBill:
I tried it and nothing showed up so I hope I am ok. Still seems like all these security companies and MS could create an easy to use version of this in a patch and it would surely help cut down on the DOS attacks and all kinds of other issues plaguing the net today.<HR></BLOCKQUOTE>
No, not that easy. DoS attacks require infinitely more diligence.
I tried it and nothing showed up so I hope I am ok. Still seems like all these security companies and MS could create an easy to use version of this in a patch and it would surely help cut down on the DOS attacks and all kinds of other issues plaguing the net today.<HR></BLOCKQUOTE>
No, not that easy. DoS attacks require infinitely more diligence.
