Software advice - hack / backdoor finder

Hypn0tik

Tribes-Universe.com
Veteran X
Not sure how to explain it.....anyone know of any good software which will check your computer to see if anyone has remote access to it or if it has any exposed backdoors etc....? Not 100% sure how to explain it but I'm sure someone will know what I mean ;)
 
a firewall?
If you wanna check right now to see if anybody's connected, type netstat in a prompt in XP.
 
TeckMan said:
a firewall?
If you wanna check right now to see if anybody's connected, type netstat in a prompt in XP.

netstat works. There are programs out there that will show you what file is connected on what ports. Can't remember the name.
 
is this bad? lol

Active Connections

Proto Local Address Foreign Address State
TCP bt-7hdhj4a5rp8l:1027 localhost:4196 TIME_WAIT
TCP bt-7hdhj4a5rp8l:1027 localhost:4198 TIME_WAIT
TCP bt-7hdhj4a5rp8l:1027 localhost:4200 TIME_WAIT
TCP bt-7hdhj4a5rp8l:1027 localhost:4202 TIME_WAIT
TCP bt-7hdhj4a5rp8l:1027 localhost:4204 TIME_WAIT
TCP bt-7hdhj4a5rp8l:1248 64.12.25.67:5190 ESTABLISHED
TCP bt-7hdhj4a5rp8l:1874 198.74.33.66:6667 ESTABLISHED
TCP bt-7hdhj4a5rp8l:4197 63.99.109.171:pop3 TIME_WAIT
TCP bt-7hdhj4a5rp8l:4199 208.50.7.212:pop3 TIME_WAIT
TCP bt-7hdhj4a5rp8l:4201 imv15.mail.bellsouth.net:pop3 TIME_WAIT
TCP bt-7hdhj4a5rp8l:4203 66-162-74-6.gen.twtelecom.net:pop3 TIME_WAIT
TCP bt-7hdhj4a5rp8l:4205 208.50.7.212:pop3 TIME_WAIT
TCP bt-7hdhj4a5rp8l:4207 ads.web.aol.com:http TIME_WAIT
TCP bt-7hdhj4a5rp8l:4208 ads.web.aol.com:http TIME_WAIT
TCP bt-7hdhj4a5rp8l:4210 ads.web.aol.com:http TIME_WAIT
TCP bt-7hdhj4a5rp8l:4211 ads.web.aol.com:http TIME_WAIT
TCP bt-7hdhj4a5rp8l:4213 65.221.101.43:http CLOSE_WAIT
TCP bt-7hdhj4a5rp8l:4214 65.221.101.43:http CLOSE_WAIT
TCP bt-7hdhj4a5rp8l:4215 216.120.226.229:http CLOSE_WAIT
TCP bt-7hdhj4a5rp8l:4216 fdcservers.net:http CLOSE_WAIT

C:\DOCUME~1\BT>
 
Hypn0tik said:
is this bad? lol

Active Connections

Proto Local Address Foreign Address State
TCP bt-7hdhj4a5rp8l:1027 localhost:4196 TIME_WAIT
TCP bt-7hdhj4a5rp8l:1027 localhost:4198 TIME_WAIT
TCP bt-7hdhj4a5rp8l:1027 localhost:4200 TIME_WAIT
TCP bt-7hdhj4a5rp8l:1027 localhost:4202 TIME_WAIT
TCP bt-7hdhj4a5rp8l:1027 localhost:4204 TIME_WAIT
TCP bt-7hdhj4a5rp8l:1248 64.12.25.67:5190 ESTABLISHED
TCP bt-7hdhj4a5rp8l:1874 198.74.33.66:6667 ESTABLISHED
TCP bt-7hdhj4a5rp8l:4197 63.99.109.171:pop3 TIME_WAIT
TCP bt-7hdhj4a5rp8l:4199 208.50.7.212:pop3 TIME_WAIT
TCP bt-7hdhj4a5rp8l:4201 imv15.mail.bellsouth.net:pop3 TIME_WAIT
TCP bt-7hdhj4a5rp8l:4203 66-162-74-6.gen.twtelecom.net:pop3 TIME_WAIT
TCP bt-7hdhj4a5rp8l:4205 208.50.7.212:pop3 TIME_WAIT
TCP bt-7hdhj4a5rp8l:4207 ads.web.aol.com:http TIME_WAIT
TCP bt-7hdhj4a5rp8l:4208 ads.web.aol.com:http TIME_WAIT
TCP bt-7hdhj4a5rp8l:4210 ads.web.aol.com:http TIME_WAIT
TCP bt-7hdhj4a5rp8l:4211 ads.web.aol.com:http TIME_WAIT

TCP bt-7hdhj4a5rp8l:4213 65.221.101.43:http CLOSE_WAIT
TCP bt-7hdhj4a5rp8l:4214 65.221.101.43:http CLOSE_WAIT
TCP bt-7hdhj4a5rp8l:4215 216.120.226.229:http CLOSE_WAIT
TCP bt-7hdhj4a5rp8l:4216 fdcservers.net:http CLOSE_WAIT

C:\DOCUME~1\BT>

I would say you have some spyware (if all browsers are closed).
 
Ya, close ALL of your programs, then run the netstat. Use a reverse DNS (Google for it) service on the IPs of the connections, or type them in a browser to see what they are.
 
TCP bt-7hdhj4a5rp8l:1248 64.12.25.67:5190 ESTABLISHED
TCP bt-7hdhj4a5rp8l:1874 198.74.33.66:6667 ESTABLISHED
TCP bt-7hdhj4a5rp8l:4197 63.99.109.171:pop3 TIME_WAIT
TCP bt-7hdhj4a5rp8l:4199 208.50.7.212:pop3 TIME_WAIT
TCP bt-7hdhj4a5rp8l:4205 208.50.7.212:pop3 TIME_WAIT

Those would be worth checking into.
 
Proto Local Address Foreign Address State
TCP bt-7hdhj4a5rp8l:1027 localhost:4196 TIME_WAIT
TCP bt-7hdhj4a5rp8l:1027 localhost:4198 TIME_WAIT
TCP bt-7hdhj4a5rp8l:1027 localhost:4200 TIME_WAIT
TCP bt-7hdhj4a5rp8l:1027 localhost:4202 TIME_WAIT
TCP bt-7hdhj4a5rp8l:1027 localhost:4204 TIME_WAIT
TCP bt-7hdhj4a5rp8l:1248 64.12.25.67:5190 ESTABLISHED
TCP bt-7hdhj4a5rp8l:1874 198.74.33.66:6667 ESTABLISHED

This is typical of an instant messenger program similar to Trillian

TCP bt-7hdhj4a5rp8l:4197 63.99.109.171:pop3 TIME_WAIT
TCP bt-7hdhj4a5rp8l:4199 208.50.7.212:pop3 TIME_WAIT
TCP bt-7hdhj4a5rp8l:4201 imv15.mail.bellsouth.net:pop3 TIME_WAIT
TCP bt-7hdhj4a5rp8l:4203 66-162-74-6.gen.twtelecom.net:pop3 TIME_WAIT
TCP bt-7hdhj4a5rp8l:4205 208.50.7.212:pop3 TIME_WAIT

These are closed sessions to your mail servers; it looks like you have 5 accounts set up.

TCP bt-7hdhj4a5rp8l:4207 ads.web.aol.com:http TIME_WAIT
TCP bt-7hdhj4a5rp8l:4208 ads.web.aol.com:http TIME_WAIT
TCP bt-7hdhj4a5rp8l:4210 ads.web.aol.com:http TIME_WAIT
TCP bt-7hdhj4a5rp8l:4211 ads.web.aol.com:http TIME_WAIT
TCP bt-7hdhj4a5rp8l:4213 65.221.101.43:http CLOSE_WAIT
TCP bt-7hdhj4a5rp8l:4214 65.221.101.43:http CLOSE_WAIT
TCP bt-7hdhj4a5rp8l:4215 216.120.226.229:http CLOSE_WAIT
TCP bt-7hdhj4a5rp8l:4216 fdcservers.net:http CLOSE_WAIT

This is your websurfing. Notice that most ad links don't actually close the session...
this is generally for cookie tracking, allowing them to trace your progress across the net.

To be sure, grab TCPView (it's free) and check what actual applications have the ports mapped. It will verify if you have trojans or spyware listening.
 
NAT Mav said:
TCP bt-7hdhj4a5rp8l:1248 64.12.25.67:5190 ESTABLISHED
TCP bt-7hdhj4a5rp8l:1874 198.74.33.66:6667 ESTABLISHED
TCP bt-7hdhj4a5rp8l:4197 63.99.109.171:pop3 TIME_WAIT
TCP bt-7hdhj4a5rp8l:4199 208.50.7.212:pop3 TIME_WAIT
TCP bt-7hdhj4a5rp8l:4205 208.50.7.212:pop3 TIME_WAIT

Those would be worth checking into.
Why would IRC and POP3 be something to check into?

Hypno, netstat -an | find "LISTEN" and see if there's anything that shouldn't be there.
 
cyclozine said:
Why would IRC and POP3 be something to check into?

Hypno, netstat -an | find "LISTEN" and see if there's anything that shouldn't be there.

Shit. I didn't even look at the ports on those.
 
Code:
Proto  Local Address          Foreign Address        State
  TCP    bt-7hdhj4a5rp8l:4207   ads.web.aol.com:http   TIME_WAIT
  TCP    bt-7hdhj4a5rp8l:4208   ads.web.aol.com:http   TIME_WAIT
  TCP    bt-7hdhj4a5rp8l:4210   ads.web.aol.com:http   TIME_WAIT
  TCP    bt-7hdhj4a5rp8l:4211   ads.web.aol.com:http   TIME_WAIT

Those are most likely from the ads in AIM, not websurfing.
 
cyclozine said:
netstat -an | find "LISTEN" and see if there's anything that shouldn't be there.

Code:
C:\>netstat -an | find "LISTEN"
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3626           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    192.168.1.100:139      0.0.0.0:0              LISTENING

0.0.0.0??????????????????????????
 