BACKDOOR


Post by 88crawler88 on Sat Jun 14, 2008 5:33 am

Hi, I started studying informatics a short time ago, so I know very few things about the networks world (I can barely use telnet to read my e-mail or control if an IP is valid through "ping", in short things like these). But just yesterday I removed the win32.agent from my PC and it's very irritating to know that someone can have access to my data. So my question is: is there a way to know the attacker's IP (I'd like even only a theoretical explanation, because I think with my ability I could not trace back anyone)? I read the only way to be sure after you get a backdoor is to format the PC, is this true? Thanks


Re: BACKDOOR

Post by int3grate on Tue Jun 17, 2008 3:53 pm

If someone's connecting to your machine, you can get the IP address of that person. Your computer has to know the IP address of the person connecting, so it can talk to it. Problem is, most "attackers" don't directly attack from their own machine. They usually perform attacks from machines they have broken into. So most of the time when you get "attacked" you're getting attacked by a victim machine that doesn't know (or maybe it does) that it's been pwned.


Re: BACKDOOR

Post by feard0m on Thu Jun 19, 2008 3:30 pm

I'm pretty sure wireshark would work.


Re: BACKDOOR

Post by int3grate on Fri Jun 20, 2008 3:25 pm

feard0m wrote:
I'm pretty sure wireshark would work.


You don't need wireshark for that... You can use Windows' built-in tool called netstat (you can run it from the command prompt), or if you want something a little bit easier to use, you can use TCPView, which is a Sysinternals tool you can download from Microsoft (see link below).

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
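An added illustration of the netstat approach int3grate describes above (example code written for this page, not from any poster or from the netstat/TCPView tools themselves): `netstat -an` lists every socket on the machine, and the "Foreign Address" column of an ESTABLISHED line is the IP your computer has to know in order to talk to the other side. The sample output below is constructed for the example, using RFC 5737 documentation addresses rather than a real capture; the parser picks out the remote peers that are not on your own LAN, plus the ports something on the box is listening on.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (RFC 5737 documentation
# addresses; not a capture from any real machine).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED
  TCP    192.168.1.5:1045       203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.5:1052       198.51.100.20:80       TIME_WAIT
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""

# Address ranges a home machine talks to that are not "the outside world".
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def split_endpoint(endpoint):
    """'203.0.113.7:6667' -> ('203.0.113.7', 6667); '[::]:135' -> ('::', 135);
    '*:*' -> ('*', None). Splitting on the LAST colon keeps IPv6 intact."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn the text table into a list of dicts, one per socket line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        local_host, local_port = split_endpoint(fields[1])
        foreign_host, foreign_port = split_endpoint(fields[2])
        rows.append({
            "proto": fields[0],
            "local_host": local_host, "local_port": local_port,
            "foreign_host": foreign_host, "foreign_port": foreign_port,
            "state": fields[3] if len(fields) > 3 else "",  # UDP has no state
        })
    return rows


def is_external(host):
    """True for an address outside loopback, link-local and RFC 1918 space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' or an unresolved name
    if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
        return False
    return not any(ip in net for net in LOCAL_NETS)


def established_peers(rows):
    """(remote IP, remote port, local port) for every live TCP session to an
    outside host: the addresses worth looking up after a malware cleanup."""
    return sorted((r["foreign_host"], r["foreign_port"], r["local_port"])
                  for r in rows
                  if r["state"] == "ESTABLISHED" and is_external(r["foreign_host"]))


def listening_ports(rows):
    """Ports some local process is waiting on; compare against what you expect."""
    return sorted({r["local_port"] for r in rows if r["state"] == "LISTENING"})


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("established to outside:", established_peers(rows))
    print("listening ports:", listening_ports(rows))
```

On a real box you would feed it the output of `netstat -an` (or `netstat -ano`, which adds the owning process id so you can match a connection to a program, as TCPView does in its GUI). One session on a port like 6667 is a lead, not proof; as int3grate says, the far end is often another compromised machine.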


Re: BACKDOOR

Post by 88crawler88 on Tue Jun 24, 2008 2:14 pm

Ok, I've used netstat and tracert but I could not find the location of the "guilty" IP, because there are a series of asterisks and points instead of the IP of the crossing points. I think those have a firewall, can it be? I'll try wireshark too and will let you know.


Re: BACKDOOR

Post by 193zaitsev on Tue Jun 24, 2008 7:04 pm

I believe asterisk only means that the router does not send error responses, nothing to do with a firewall.


Re: BACKDOOR

Post by 88crawler88 on Thu Jun 26, 2008 4:09 am

It can be just like you say, but why does the router do this? If I had all asterisks I could think there is a problem with my router, but tracert gives me back 4 IPs on the screen while the other ones are replaced with asterisks. So I ask myself why those IPs are not "available".


Re: BACKDOOR

Post by 193zaitsev on Thu Jun 26, 2008 11:07 am

It would just mean the owner of that router turned off responding to errors for either efficiency or security reasons (or other reasons?). Each time-out or asterisk that you get from tracert is a single packet that is created specifically to cause an error by changing the time-to-live field on the IP packet, so if you don't receive an error response (time out) then you are supplied with an asterisk. It could be a firewall that is blocking sending out error responses.

If the host you're trying to tracert to does not send error responses, then (I'm not sure about this, just speculating) maybe your tracert doesn't know to stop increasing time-to-live and thus keeps increasing it, going on when it wasn't supposed to and getting constant asterisks.

If you don't know the IP though, then how are you tracert'ing to it?
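An added simulation of the TTL mechanism 193zaitsev describes above (example code written for this page, not from any poster and not the real tracert): each probe is sent with a time-to-live one larger than the last, the router that decrements it to zero is the one expected to answer with an ICMP Time Exceeded error, and a router that has been configured not to send that error shows up as "*" while the hops behind it still answer normally. The path, router names and addresses are constructed for the example (RFC 5737 documentation ranges). It also plays out the "just speculating" case: when the destination itself never replies, tracert has no way to tell it has arrived and keeps probing until its hop limit (30 by default on Windows), printing asterisks the whole way.

```python
from dataclasses import dataclass

SILENT = "*"  # what tracert prints when no reply arrives before the timeout


@dataclass
class Router:
    ip: str
    sends_time_exceeded: bool = True  # False: router never emits the ICMP error


@dataclass
class Destination:
    ip: str
    responds: bool = True  # False: host or its firewall never answers probes


def probe(path, destination, ttl):
    """Send one probe with the given TTL down the path.

    Returns (reply_source, done). Every router decrements the TTL; the one
    that takes it to zero should answer with ICMP Time Exceeded. A router
    that does not send that message leaves the probe unanswered ('*').
    If the TTL survives every router, the probe reaches the destination;
    only a reply from the destination tells the tracer it can stop.
    """
    for router in path:
        ttl -= 1
        if ttl == 0:
            return (router.ip if router.sends_time_exceeded else SILENT), False
    return (destination.ip if destination.responds else SILENT), destination.responds


def traceroute(path, destination, max_hops=30):
    """Probe with TTL 1, 2, 3 ... until the destination answers or max_hops."""
    hops = []
    for ttl in range(1, max_hops + 1):
        source, done = probe(path, destination, ttl)
        hops.append(source)
        if done:
            break
    return hops


def render(hops):
    """tracert-style listing: hop number, then who replied (or '*')."""
    return "\n".join(f"{n:3d}  {h}" for n, h in enumerate(hops, start=1))


# Constructed path: three routers, the middle one silent, then the target host.
PATH = [
    Router("198.51.100.1"),
    Router("198.51.100.2", sends_time_exceeded=False),
    Router("198.51.100.3"),
]
TARGET = Destination("203.0.113.9")

if __name__ == "__main__":
    print("destination replies:")
    print(render(traceroute(PATH, TARGET)))
    print("\ndestination never replies (hop limit 6 for brevity):")
    print(render(traceroute(PATH, Destination("203.0.113.9", responds=False), max_hops=6)))
```

The first run prints the silent router as "*" at hop 2 and still reaches hop 3 and the destination, which is the pattern in the thread (a few IPs, the rest asterisks): the asterisk says only that nothing answered in time, not that the hop is a firewall. The second run shows why a silent destination produces asterisks all the way to the hop limit.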


Re: BACKDOOR

Post by 88crawler88 on Thu Jul 03, 2008 3:34 am

I know the IP but I'm not sure it's the one that caused the backdoor to get access to my computer, because I've examined some "logs" of netstat before I deleted the backdoor, so I can't say with certainty that's the "guilty" IP. So I was trying to find out who's behind that IP, so that I can say "ok, it's not him, because it's the site of a big multinational" or "this IP is suspect". But I couldn't find information either on what the crossing point of the IP is or who the IP belongs to.
