Re: Detecting Zombies?



DanB wrote:

I am the only person who uses Linux on the desktop at my place of work.
Naturally, everyone else has XP except for a couple with new machines and
Vista. At any given time half of them are running like they were 286's
from all the malware that they are infested with. So they reload the OS,
over and over.

I have long since stopped working on problem windows machines for clueless
users and have given up on trying to convince anyone that there is a far
better platform to surf from. If someone has a genuine interest in Linux
I will gladly help, but they must make the first move.

So, back to the virus/trojan/zombie problem. How does a person, who is
not a career network administrator, determine if their XP is zombied?
Years ago, I used to play with network protocols and stuff, but haven't
needed it for years. But the average user is never going to learn Snort
or the like. If the problem were on a Linux box, netstat might give an
indication, but with current browsers there are so many connections coming
and going all the time it isn't as simple as just looking at a snapshot of
the current connections.

With Windows what would you use? Bear in mind that there is no network
admin here. (Not me! - not my work assignment - besides, I am temporary
anyhow). Probably, there is no answer for non-techies.

Dan


Inside a DOS box, enter netstat -a to list all the connections.
It should be about ten lines if idling.

Install privoxy (free and open source - google for it) and direct all your
web traffic through that - it will log all outgoing standard HTTP URLs for
the user to see himself when his machine is accessing remote sites
even when WINDUMMY isn't doing anything.
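Dan's objection is that a single netstat snapshot is drowned in normal browser churn. One way past that, building on the netstat -a suggestion above, is to take a few snapshots a minute apart while the machine is idle and keep only the non-web connections that are ESTABLISHED in every one. This is an added example, not from the thread; it assumes the Windows "netstat -a" text layout, constructed sample snapshots, and that the browser's own traffic goes to ports 80 and 443.

```python
import ipaddress
import re

# Constructed sample: two "netstat -a" snapshots from an idle XP box, taken a minute apart (198.51.100.x and 203.0.113.x are documentation ranges, not real hosts)
SNAPSHOT_1 = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      198.51.100.7:80        TIME_WAIT
  TCP    192.168.1.20:1051      203.0.113.9:6667       ESTABLISHED
  UDP    192.168.1.20:137       *:*
"""
SNAPSHOT_2 = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1051      203.0.113.9:6667       ESTABLISHED
  TCP    192.168.1.20:1060      198.51.100.7:80        ESTABLISHED
  UDP    192.168.1.20:137       *:*
"""

LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")

def parse_netstat(text):
    """One dict per connection line of Windows 'netstat -a' output."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, laddr, lport, faddr, fport, state = m.groups()
            rows.append({"proto": proto, "local": f"{laddr}:{lport}",
                         "foreign": faddr, "fport": fport, "state": state})
    return rows

def is_local(addr):
    """True for RFC 1918 / loopback peers and the '*' shown on UDP lines."""
    try:
        return any(ipaddress.ip_address(addr) in net for net in LOCAL_NETS)
    except ValueError:          # "*" or a hostname netstat resolved
        return addr == "*"

def persistent_foreign(snapshots, web_ports=("80", "443")):
    """Peers ESTABLISHED on a non-web port in every snapshot: browser
    connections churn between snapshots, a bot's control session tends not to."""
    peer_sets = []
    for text in snapshots:
        peer_sets.append({(r["foreign"], r["fport"]) for r in parse_netstat(text)
                          if r["state"] == "ESTABLISHED" and r["fport"] not in web_ports
                          and not is_local(r["foreign"])})
    return sorted(set.intersection(*peer_sets))
```

Anything this returns is only a lead: check what process owns the port (netstat -o on XP shows the PID) before deciding the box is zombied.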




