Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Can I Tell If My Computer Is Part of a Botnet?

Posted by timothy on from the check-if-you-are-running-windows dept.

ashraya writes "My father (not too computer literate) has a desktop and a laptop both running Windows in his network back in Hyderabad, India. I set up a Linksys router for him to use with his broadband service. For some reason, he reset the config on the Linksys, and connected it up without wireless security, and also with the default admin password for some time. As you would expect, both of the Windows computers got 'slow,' and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things, I noticed on the Linksys' log that the laptop was making seemingly random connections to high-numbered ports on various IPs. I did an nslookup on the IPs to see that they were all either in Canada or US, with Comcast and other ISP addresses. Is that a sign that the computers were in a botnet? Are the other hosts part of the botnet too? (I have since rebuilt the Windows hosts, and these connections are not happening now. I have also secured the Linksys.)"

5 of 491 comments (clear)

  1. Re:Assume it is .. by iron-kurton · · Score: 5, Insightful

    Just a quick question: how hard would it be to give your most malicious user an account named Administrator that was actually not an administrator?

    --
    Change is inevitable, except from a vending machine -- Robert C. Gallagher
  2. Re:See what is going on with NETSTAT by Zalbik · · Score: 5, Insightful

    The parent has find and grep confused, as far as I can tell.

    You have Windows and Linux confused, as far as I can tell.

  3. Re:Well the only fool proof way... by Tacvek · · Score: 3, Insightful

    Ethernet using cat5 cabling was specifically designed such that the cheapest hubs would just be RJ45 jacks wired together passively. So one could make a "hub cable" in theory.

    Interestingly another instructable linked to the one he showed, was about how to use 1 cat5 cable to every jack in the house to support both phone and Ethernet data.

    This person was apparently unaware of the fact that a phone cords 6P4C or 6P2C cable will happily fit into the wider 8P jack. (That is to say that phone cable will plug into Ethernet jacks by design).

    Further the Ethernet wiring standard deliberately has pins 3-6 (which correspond to pins 2-5 in a phone style jack, which are the 4 that are normally connected in a phone jack) connected identically to standard phone cord. Further Pins 4 and 5 are deliberately unused in 100Mbs Ethernet, which is the one pair necessary for a single phone line.

    Thus if you have a house wired for Ethernet but not phone, adding support for phones to all the jacks is as simple as using Ethernet switches that connect pin 4 of all jacks together and pin 5 of all jacks together, and then plug a pone line into one of the jacks in the switch. (I would actually be surprised if there were not Ethernet switches specially designed for that).

    --
    Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
  4. Re:Assume it is .. by mcrbids · · Score: 4, Insightful

    You hardly ever have time/resources to "do it properly" in a small business, unless what you're "doing right" is a core competency of the business. The trick is to convince the guy who signs the checks that it is business/mission critical (often non-trivial).

    Sure you do! It's called OSX. Now, before you flame me into submission, understand that I'm writing this on my Fedora Core Linux laptop. I'm a command-line junkie extraordinaire, and don't feel comfortable until I have an xterm or three up on one or two virtual desktops while running dual-head.

    But there's a very real, very useful, and very definite benefit to running on OSX - there really is not just nearly as much of a problem with viruses, worms, trojans, and other crapware. Really really for real and yes, it's for real.

    Really.

    You can argue about marketshare or Unix core or whatever, but it's true - Macs *are* more reliable and *do* have much less of a problem with viruses and such. Who cares why? And if you really must run something windows like, you can get Parallels/VMWare or boot camp. (I recommend the former unless you are a gamer) Even better, if you go the VM route, you can easily save your Windows VM image to an external disk every week or so, and if/when it gets infected, just recover from a backup and be up and running again in minutes instead of days!

    I didn't appreciate OSX until I had to port our software over to it. It was painful at first, but in the process, I fell hard-core in love with OSX. Except for the dated Unix command line, it's everything that Fedora Core ever dreamed of.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  5. Re:Well the only fool proof way... by bugg · · Score: 4, Insightful

    In practice, I'd run the sniffer on the machine if there was already one there. The absence of the sniffer revealing traffic does not mean there is no traffic, but if the sniffer shows traffic it's a safe bet it's real. Frankly I've yet to hear of any rootkits that would let the sniffer still work and not show the compromised traffic, I think it's more of an in-theory than in-practice. Because I mean, I suspect users who know how to operate sniffers are an edge case for botnet authors. If you've got the sniffer on the machine and can easily run it, why not? A fine alternative is setting up a span port (monitor port) on the switch. I work with managed switches all day, so I'm spoiled in this regard - I don't really think that's an option for the OP however, linksys switches tend to be pretty dumb.

    --
    -bugg