FederationHax

How To Know If I am Infected ?

Sep 23rd, 2016
When you first turn on your computer (BEFORE DIALING INTO YOUR ISP),
open an MS-DOS Prompt window (Start/Programs/MS-DOS Prompt).
Then type netstat -arn and press the Enter key.
Your screen should display the following (without the dotted lines,
which I added for clarification).

-----------------------------------------------------------------------------
Active Routes:

Network Address   Netmask           Gateway Address   Interface   Metric
127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1   1
255.255.255.255   255.255.255.255   255.255.255.255   0.0.0.0     1

Route Table

Active Connections

Proto   Local Address   Foreign Address   State

--------------------------------------------------------------------------------

If you see anything else, there might be a problem (more on that later).
Now dial into your ISP. Once you are connected,
go back to the MS-DOS Prompt and run the same command as before,
netstat -arn. This time it will look similar to the following (without
dotted lines).

-------------------------------------------------------------------------------------

Active Routes:

Network Address   Netmask           Gateway Address   Interface      Metric
0.0.0.0           0.0.0.0           216.1.104.70      216.1.104.70   1
127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      1
216.1.104.0       255.255.255.0     216.1.104.70      216.1.104.70   1
216.1.104.70      255.255.255.255   127.0.0.1         127.0.0.1      1
216.1.104.255     255.255.255.255   216.1.104.70      216.1.104.70   1
224.0.0.0         224.0.0.0         216.1.104.70      216.1.104.70   1
255.255.255.255   255.255.255.255   216.1.104.70      216.1.104.70   1

Route Table

Active Connections

Proto   Local Address        Foreign Address   State
TCP     0.0.0.0:0            0.0.0.0:0         LISTENING
TCP     216.1.104.70:137     0.0.0.0:0         LISTENING
TCP     216.1.104.70:138     0.0.0.0:0         LISTENING
TCP     216.1.104.70:139     0.0.0.0:0         LISTENING
UDP     216.1.104.70:137     *:*

--------------------------------------------------------------------------------

What you are seeing in the first section (Active Routes) under the heading of
Network Address are some additional lines. The only ones that should be there
are ones belonging to your ISP (more on that later). In the second section
(Route Table) under Local Address you are seeing the IP address that your ISP
assigned you (in this example 216.1.104.70).

The numbers are divided into four dot notations. The first three should be
the same for both sets, while in this case the .70 is the unique number
assigned for THIS session. Next time you dial in, that number will more than
likely be different.

To make sure that the first three notations are as they should be, we will run
one more command from the MS-DOS window.
From the MS-DOS Prompt type tracert /www.yourispwebsite.com (or .net,
or whatever it ends in). Following is an example of the output you should see.

---------------------------------------------------------------------------------------

Tracing route to /www.motion.net [207.239.117.112] over a maximum of 30 hops:
 1   128 ms   2084 ms   102 ms   chat-port.motion.net [216.1.104.4]
 2   115 ms    188 ms   117 ms   chat-core.motion.net [216.1.104.1]
 3   108 ms    116 ms   119 ms   www.motion.net [207.239.117.112]
Trace complete.

------------------------------------------------------------------------------------------

You will see that on the lines numbered 1 and 2 the first three notations of the
address match what we saw above, which is a good thing. If they do not,
then some further investigation is needed.
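Here, as an added example that is not part of the original paste, is a small Python script that applies the checks just described to netstat -arn output like the listing above: it takes the interface of the 0.0.0.0 route as your assigned address, then flags any route whose gateway falls outside your ISP's first three notations, any listening port other than the NetBIOS 137-139 seen in the listing, and any connection with a real foreign address. The sample listing is constructed from the output quoted above; the regexes and the expected-port list are assumptions of this example.

```python
import re

# Constructed sample: the post-dial-in "netstat -arn" listing quoted above,
# padding collapsed as on this page and trimmed to the distinct row shapes.
SAMPLE = """\
0.0.0.0 0.0.0.0 216.1.104.70 216.1.104.70 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
216.1.104.0 255.255.255.0 216.1.104.70 216.1.104.70 1
216.1.104.70 255.255.255.255 127.0.0.1 127.0.0.1 1
255.255.255.255 255.255.255.255 216.1.104.70 216.1.104.70 1
TCP 0.0.0.0:0 0.0.0.0:0 LISTENING
TCP 216.1.104.70:137 0.0.0.0:0 LISTENING
UDP 216.1.104.70:137 *:*
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROUTE_RE = re.compile(rf"^({IPV4}) ({IPV4}) ({IPV4}) ({IPV4}) (\d+)$")
CONN_RE = re.compile(r"^(TCP|UDP) (\S+) (\S+)(?: (\S+))?$")

def parse_netstat(text):
    """Return (routes, connections) parsed from netstat -arn output."""
    rows = [" ".join(line.split()) for line in text.splitlines()]  # drop padding
    routes = [m.groups() for m in map(ROUTE_RE.match, rows) if m]
    conns = [m.groups() for m in map(CONN_RE.match, rows) if m]
    return routes, conns

def first_three(addr):
    return ".".join(addr.split(":")[0].split(".")[:3])  # first three notations

def check(text, expected_listen=("137", "138", "139")):
    """Apply the paste's rules; an empty list means nothing looked off."""
    routes, conns = parse_netstat(text)
    # Your ISP-assigned address is the interface of the 0.0.0.0 (default) route.
    my_ip = next((r[3] for r in routes if r[0] == "0.0.0.0"), None)
    if my_ip is None:
        return ["no default route: not dialled in yet"]
    prefix, findings = first_three(my_ip), []
    for net, _mask, gw, iface, _metric in routes:
        # Only loopback and your own address belong in the interface column;
        # any other gateway must share your ISP's first three notations.
        if iface not in ("127.0.0.1", my_ip):
            findings.append(f"route {net}: unexpected interface {iface}")
        if gw not in ("127.0.0.1", my_ip) and first_three(gw) != prefix:
            findings.append(f"route {net}: gateway {gw} outside {prefix}.x")
    for proto, local, foreign, state in conns:
        port = local.rsplit(":", 1)[1]
        if foreign not in ("0.0.0.0:0", "*:*"):  # a live session to somewhere
            findings.append(f"{proto} {local} -> {foreign} ({state})")
        elif port != "0" and port not in expected_listen:
            findings.append(f"{proto} listening on unexpected port {port}")
    return findings
```

Run it against the output you captured for each "extra" Internet program; a non-empty list is the point at which the manual investigation described above should start.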

If everything matches like above, you can almost breathe easier. Another thing
which you should check is the programs launched during startup. To find
these, click Start/Programs/StartUp and look at what shows up. You should be
able to recognize everything there; if not, once again more investigation is
needed.

-------------------------------------------------------------------------------------------

Now, just because everything reported out like we expected (and demonstrated
above), we still are not out of the woods. How is this so, you ask? Do you use
NetMeeting? Do you get on IRC (Internet Relay Chat)? Or any other program
that makes use of the Internet? Have you ever received an email with an
attachment that ended in .exe? The list goes on and on; basically anything
that you run could have become infected with a trojan. What this means is that
the program appears to do what you expect, but also does just a little more.
This little more could be blasting ebay.com or one of the other sites that
CNNlive was talking about.

What can you do? Well, some anti-virus software will detect some trojans.
Another (tedious) thing is to start each of these "extra" Internet programs
one at a time and go through the last two steps above, looking at the routes
and connections the program uses. However, the tricky part will be figuring
out where to tracert to in order to find out if the addresses you see in
step 2 are "safe" or not. I should forewarn you that running tracert after
tracert after tracert might be considered "improper" by your ISP. The steps
outlined above may not work exactly as I have stated depending upon your ISP,
but with a true ISP it should work. Finally, this advice comes with NO
warranty, and by following my "hints" you implicitly release me from ANY and
ALL liability which you may incur.


Other options

Display protocol statistics and current TCP/IP network connections.
Netstat [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

-a.. Display all connections and listening ports.
-e.. Display Ethernet statistics. This may be combined with the -s option.
-n.. Display addresses and port numbers in numerical form.
-p proto.. Show connections for the protocol specified by proto; proto may be
TCP or UDP. If used with the -s option to display per-protocol statistics,
proto may be TCP, UDP, or IP.
-r.. Display the routing table.
-s.. Display per-protocol statistics. By default, statistics are shown for TCP,
UDP and IP; the -p option may be used to specify a subset of the default.
interval.. Redisplay selected statistics, pausing interval seconds between each
display. If omitted, netstat will print the current configuration information
once.