Check your machines for Zombies...

greenspun.com : LUSENET : Unofficial Newcastle United Football Club BBS : One Thread

Just been reading an article on internet attacks and how some of the more common ones are performed....most are done by using unsuspecting people's machines with the aid of zombie programs.... The article suggests a couple of checks you can do to detect whether you have zombies running or not... Close ALL IRC related programs, open an MS-DOS Prompt window and type the command line

netstat -an | find ":6667"

If a line resembling the one shown below is NOT displayed, your computer does not
have an open connection to an IRC server running on the standard IRC port.
If, however, you see something like this:

TCP 192.168.1.101:1026 70.13.215.89:6667 ESTABLISHED

You are in TROUBLE!

A second and equally useful test can also be performed. Since IRC servers generally require the presence of an "Ident"
server on the client machine, IRC clients almost always include a local "Ident server" to keep the remote IRC server
happy. Every one of the Zombie/Bots I have examined does this. Therefore, the detection of an Ident server
running in your machine would be another good cause for alarm. To quickly check for an Ident server, type the following
command at an MS-DOS Prompt:

netstat -an | find ":113 "

As before, a blank line indicates that there is no Ident server running on the default Ident port of "113". (Note the "space"
after the 113 and before the closing double-quote.) If, however, you see something like this:

TCP 0.0.0.0:113 0.0.0.0:0 LISTENING

Installing ZoneAlarm v2.6 (free from www.zonelabs.com) will prompt you every time a suspected connection to the internet is attempted and give you the option to
not allow it thereby negating the Zombie from using your machine.

The full article is on http://grc.com/dos/grcdos.htm for anyone that wants to read it...

-- Anonymous, May 31, 2001
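
An added example, not part of the original post or the grc.com article: the two `find` checks above match the port text in either address column, so this sketch parses `netstat -an` rows and flags only an ESTABLISHED TCP connection to remote port 6667 and a TCP listener on local port 113. The column layout is assumed to be the usual Windows one, the function names are hypothetical, and the sample output is constructed around the two lines quoted in the post.

```python
import re

# Constructed sample of `netstat -an` output: the two lines quoted in the
# post plus constructed look-alike rows that a plain substring match hits.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.101:1026     70.13.215.89:6667      ESTABLISHED
  TCP    192.168.1.101:6667     192.168.1.50:1044      ESTABLISHED
  TCP    192.168.1.101:1030     192.168.1.50:80        TIME_WAIT
  UDP    0.0.0.0:113            *:*
"""

# Proto, local addr:port, foreign addr:port, state (TCP rows only).
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def find_lines(text, needle):
    """What `find "<needle>"` does: keep every line containing the text."""
    return [line for line in text.splitlines() if needle in line]


def check_netstat(text):
    """Return (finding, endpoint) pairs for the two conditions in the post."""
    findings = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line or non-TCP row
        local_ip, local_port, remote_ip, remote_port, state = m.groups()
        if state == "ESTABLISHED" and remote_port == "6667":
            # Outbound connection to the standard IRC port.
            findings.append(("irc-connection", f"{remote_ip}:{remote_port}"))
        elif state == "LISTENING" and local_port == "113":
            # Something on this machine is answering as an Ident server.
            findings.append(("ident-listener", f"{local_ip}:{local_port}"))
    return findings


if __name__ == "__main__":
    print("find :6667 ->", len(find_lines(SAMPLE, ":6667")), "lines")
    print("find :113  ->", len(find_lines(SAMPLE, ":113 ")), "lines")
    for finding in check_netstat(SAMPLE):
        print(finding)
```

On a real machine, feed it the text captured from `netstat -an` instead of `SAMPLE`; a hit only says the port pattern matched, so the owning program still has to be identified.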

Answers

Hope I haven't bored you all to death with that.....shame about the formatting eh :((

-- Anonymous, May 31, 2001

What harm can they do to the average PC?

-- Anonymous, May 31, 2001

Oh mate they can do anything when you're connected to the net....basically they can spy on EVERY character you type....so they can get any passwords, credit card details etc that you might enter into your machine....they are also used to attack other machines on the internet...

-- Anonymous, May 31, 2001

I downloaded a version of Zone alarm a couple of months ago, so I guess I ought to get it installed!

-- Anonymous, May 31, 2001

I guess you should :))

I however am TOTALLY safe at home......neither of the effing phone companies (BT or cable) can get a phone line installed in my place without knocking down some walls cos of the cowboy wiring job done in the first place....you don't get much for 2.5k rent a month in London! :((

-- Anonymous, May 31, 2001



You must have women falling over you, friends of mine have told me they are always so impressed with talk of Zombies, DOS prompts and TCP/IP addresses.

-- Anonymous, May 31, 2001

Gav I recently installed a new firewall called Hacktracer, and would now never go online without it, when I first ran it I had a window popping up every ten seconds to alert me about something untoward happening, but I suppose some of these could be innocent though. Bit scary what people can do with other people's PCs. I was told that by d/l and installing one of these freeware firewalls that it would stand up to the general hacker (whatever that means), hell I can even trace them now and report them to their ISP :-)))

-- Anonymous, May 31, 2001

Just curious and now a little suspicious thanks to Gav like. It's probably nowt but, can anyone tell me what the warning flash 'GBDASH' means? I seem to get this 'GBDASH' warning whenever I log on. I asked the experts at blueyonder, but they didn't have a clue. Does any techies know out like?

-- Anonymous, May 31, 2001

Gav, you have succeeded in completely baffling me technically (though I know it doesn't take much), and frightening me half to death with mental images of zombies lurking in my computer! If I offer to cook you dinner, will you come and exorcize my system? (:o)

How about if I promise NOT to cook you dinner? Is that a better offer?(;o)

-- Anonymous, May 31, 2001


In the event of you not taking up either offer....can you tell me what an IRC is? In hindsight you may decide that it would be safer for me just to learn to co-habit with these zombie lurkers......after all, I've had years of practice!(;o)

-- Anonymous, May 31, 2001


TSmith....if you're with Blue Yonder then you're on a cable modem....god these hackers love people with those, I'd be very careful if I were you mate :))

Gal, I'd check it if I were gonna get the chance to come down anytime soon but it's not likely honey....I'm certain the Yellster can manage it....IRC is Internet Relay Chat, Yelli uses it quite a bit.....that has nothing to do with how susceptible your system is however....

-- Anonymous, June 01, 2001


Thanks Gav......I'll get Yelli to have a look at the weekend.(:O)

-- Anonymous, June 01, 2001

This Zombie thing is all well and good but £2.5k a month rent, have I missed something, you could buy a house in Darrass Hall next to wor Al and pay less mortgage.

-- Anonymous, June 01, 2001

That's London for you Tony....it isn't even a fantastic place, just close to work so me and the missus don't have to get on that poxy tube...

-- Anonymous, June 01, 2001

Gav/TSmith,

Just out of interest - just being with BlueYonder doesn't automatically mean you are connected via a cable modem. The cable modems are used to connect you to their "high speed access" service, with which you are permanently connected.

I subscribe to their SurfUnlimited, unlimited access but snail-speed service, and still use a standard v90/56k modem.

-- Anonymous, June 01, 2001



Gav - All of that first bit you've wrote - it's just noise :-)

-- Anonymous, June 01, 2001
