May 24th, 2003, 12:47 AM
May 24th, 2003, 01:02 AM
Ted0b1 showed that in his tutorial here . There are a lot of other useful tricks in his netcat tutorials... look at the tutorial index for the rest of them.
Thats not going to do you much good if you haven't uninstalled that trojan... it has keylogging capabilities....
As a port blocker:
If you have port 139 open (or any other port associated with a service) you can block file sharing and instead send a message to anyone connecting:
NC –L –s xxx.xxx.xxx.xxx –p 139 –e warning.bat
call netstat -n
echo Now get the hell out of here lamer!
Call netstat –n >>nclog.txt
When someone telnets to your 139 they will see a record of their connection and someone telling them to beat it, plus you keep a record in a text file and their connection is closed when the batch file (or other executable) finishes.
To do this and catch the data before netbios gets it, you must anchor nc to this interface on that port. This is done with the ‘-s’ and ‘–p’ options, which in this case would be the ip assigned to this connection (interface) and –p 139. If netbios was not enabled the –s option would not be necessary unless you had 2 interfaces (multi-homed)
Even more aggressive strategies can be used on say, well known Trojan ports. Its up to your imagination and the law.
is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
May 24th, 2003, 03:40 AM
here's a little "look-&-see"
1. if anyone "trojaned"/"backdoored" you they would pbbly have the server ask for a pswd (unless the lamer shared it w/ his friends. all 14 of them?? that's unlikely
2. therefore... check your computer for more maleware....14 connection???? hmmm...
3. check the outgoing and incomming ports.. are you sure they are INcommming and not OUTgoing
4. what are the socket #'s ... are they all the same
5. check all the IP's for running IRC server
I think you'd have some kind of IRC eggdrop bot running somwhere... you know... like DDOS zombie, but that's all just assumptions... let us see the IP's and port #'s
May 24th, 2003, 05:11 AM
at www.blackcode.com there is a firewall called killerwall and you can have it send a text message or a syn flood(very naughty so don't) to someone when they try to connect on a specified port , it also has a lot of good monitoring info(hidden windows,ports , packets.......)
May 25th, 2003, 07:24 PM
Ok, heres what my trojaned computer is being used for.
Disclaimer, I would take something like this seriously, and delete it at first knowledge. My parents are hardheaded and stupid when it comes to the internet and anything PC realated. Ex. mother thinks I'm hacking when I open a dos prompt and type netstat. . Oh well, its not my computer, therefore I cant MAKE them backup there files so I can format this POS and start over from scratch. However, this will make you all say WTF, and maybe even open their eyes as to the seriousness of this.
-A proxy for portscans to other systems.
-A password cracker (only reason I say this is because my page file usage and CPU usage is VERY high, could be wrong)
-A web proxy
-FTP server ( I have yet to find the directories)
-People are telnetting in and out.
-Been sending massive amounts of SYN, ACK, and ICMP packets to 3 different hosts, most likely a DDOS.
-SMB requests going all over the internet.
-sending messenger popups
and thats just what I've figured so far.
-They've deleted local files including Norton AV, AOL (cant blame them), Fport, my installation of Nmap, My firewall (reinstalled in vain), etc.
-They're connecting to my fathers buisiness use only computer on our home network. I believe it uses a VPN to connect to the corporate network. You get the point.
-My mother uses THIS computer to log into a certain universitys FTP and web servers.
-Trojan has a keylogger
I know this is bad, and needs to be remidied ASAP, but I would be on the street if I went against their word on this one.
Oh well, I think I have a big I told you so coming.
May 26th, 2003, 05:43 PM
Hmmmm.. sounds very similar to mine....
May 26th, 2003, 10:38 PM
Meaning you wrote the trojan? or you have a similar type of problem on your box?
Hmmmm.. sounds very similar to mine....
May 27th, 2003, 06:26 PM
Oh God don't...that's how rumors get started lolol...actually I just read your reference to the high pagefile, and I went off to look it up. What the machine I was working on had was the God Damned BackDoor-G. Yes, I renamed it that. Its Sounds better. Anyway, I'm still workin' on yours. Miah