PhilZone
NT ports

All of the IRC Zombie/Bots open and maintain a persistent connection to a remote
IRC chat server for as long as the host PC is connected to the Internet. Although
an IRC server can be configured to listen on a port other than 6667, every
instance I have seen has used the IRC default port of 6667.

Consequently, an active connection to an IRC server on the default port can be
detected with the following command (the double-quotes are required by the
MS-DOS "find" command):

netstat -an | find ":6667"

Open an MS-DOS Prompt window, type the command line above and press the "Enter"
key. If nothing is printed, your computer has no open connection to an IRC
server running on the standard IRC port. If, however, you see something like
this:

TCP    192.168.1.101:1026     70.13.215.89:6667      ESTABLISHED

. . . then the only question remaining is how quickly you can disconnect
your PC from the Internet!

A second and equally useful test can also be performed. Since most IRC servers
query the "Ident" service (TCP port 113) on a connecting client, IRC clients
almost always include a local "Ident server" to keep the remote IRC server
happy. Every one of the Zombie/Bots I have examined does this. Therefore, the
detection of an Ident server running in your machine would be another good
cause for alarm. To quickly check for an Ident server, type the following
command at an MS-DOS Prompt:

netstat -an | find ":113 "

As before, no output indicates that there is no Ident server listening on the
default Ident port of 113. (Note the "space" after the 113 and before the
closing double-quote; without it the filter would also match unrelated ports
such as 1130 through 1139.) If, however, you see something like this:

TCP    0.0.0.0:113            0.0.0.0:0              LISTENING

. . . then it's probably time to pull the plug on your cable-modem!

Note that a Windows IRC client program running in the PC will generate
false-positive reports, since these are tests for IRC client programs. So be
sure to completely exit from any known IRC client programs BEFORE performing
the tests above. Two further caveats: a clean result does not prove the PC is
free of bots, since a bot that is idle, not currently connected, or using a
non-standard server port will not show up; and on Windows XP and later you can
run "netstat -ano" instead of "netstat -an" to get the owning process ID in a
final column, which you can then look up with "tasklist" to see which program
holds the connection or the Ident listener.
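The two checks above, applied together by a small script rather than by eye, as an added example that is not part of the original page: it parses saved "netstat -an" or "netstat -ano" output and flags an ESTABLISHED session to an IRC port and a LISTENING socket on port 113. The sample netstat output is constructed, the PID handling assumes the "-o" switch available on Windows XP and later, and the extra IRC ports beyond 6667 (the rest of 6660-6669, 6697 and 7000) are my assumption, not something the original tests check.

```python
import re
import sys
from typing import List, NamedTuple, Optional

# Constructed sample of "netstat -ano" output (assumed addresses, not a real
# capture).  The ESTABLISHED :6667 session and the :113 listener reproduce the
# two tell-tale lines from the article; the other lines are ordinary noise.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1436
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    192.168.1.101:1026     70.13.215.89:6667      ESTABLISHED     1436
  TCP    192.168.1.101:1031     204.152.190.12:80      ESTABLISHED     1220
  TCP    192.168.1.101:1040     10.20.30.40:6697       TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# 6667 and 113 are the article's two tests.  Widening the IRC check to the rest
# of 6660-6669, 6697 (IRC over TLS) and 7000 is my assumption; it still misses
# a server on a truly arbitrary port.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
IDENT_PORT = 113


class Conn(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]   # None for the "*:*" foreign side of UDP sockets
    state: str                   # empty for UDP lines
    pid: Optional[int]           # None when netstat was run without -o


# One netstat row: proto, local addr:port, foreign addr:port, optional state,
# optional PID.  IPv6 rows such as "[::]:135" also match since "[::]" is \S+.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)(?:\s+([A-Z_]+))?(?:\s+(\d+))?\s*$"
)


def parse_netstat(text: str) -> List[Conn]:
    """Turn raw netstat -an / -ano output into Conn records, skipping headers."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Active Connections", the column header, blank lines
        proto, lip, lport, rip, rport, state, pid = m.groups()
        conns.append(Conn(proto, lip, int(lport), rip,
                          None if rport == "*" else int(rport),
                          state or "", int(pid) if pid else None))
    return conns


def find_irc_sessions(conns: List[Conn]) -> List[Conn]:
    """Test 1: an ESTABLISHED TCP session whose remote port is an IRC port.
    Matching on the parsed remote port (not a substring) avoids the ":1135"
    style false matches a bare string filter can produce."""
    return [c for c in conns
            if c.proto == "TCP" and c.state == "ESTABLISHED" and c.remote_port in IRC_PORTS]


def find_ident_listeners(conns: List[Conn]) -> List[Conn]:
    """Test 2: a TCP socket LISTENING on local port 113 (Ident)."""
    return [c for c in conns
            if c.proto == "TCP" and c.state == "LISTENING" and c.local_port == IDENT_PORT]


def report(text: str) -> dict:
    """Run both tests and collect the PIDs involved (empty unless -o was used).
    A legitimate IRC client trips the same tests, so the PID is there to be
    looked up with "tasklist /FI "PID eq N"" before pulling the plug."""
    conns = parse_netstat(text)
    irc = find_irc_sessions(conns)
    ident = find_ident_listeners(conns)
    return {
        "irc_sessions": [(c.remote_ip, c.remote_port, c.pid) for c in irc],
        "ident_listeners": [(c.local_ip, c.pid) for c in ident],
        "pids": sorted({c.pid for c in irc + ident if c.pid is not None}),
        "alarm": bool(irc) or bool(ident),
    }


if __name__ == "__main__":
    # On the machine under test:  netstat -ano | python check_irc.py
    # With nothing piped in, the constructed sample above is analysed instead.
    text = SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()
    r = report(text)
    for ip, port, pid in r["irc_sessions"]:
        print("IRC session to %s:%d (pid %s)" % (ip, port, pid))
    for ip, pid in r["ident_listeners"]:
        print("Ident listener on %s:113 (pid %s)" % (ip, pid))
    print("ALARM" if r["alarm"] else "no IRC/Ident indicators on the checked ports")
```

The TIME_WAIT row to port 6697 in the sample is deliberately not reported: only an ESTABLISHED session counts, which matches the article's first test. Like the original netstat-and-find checks, a clean report means only that nothing was found on the ports checked at that moment.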


Last update: Wednesday, 22-Sep-2004 15:44:17 PDT
Copyright 2002-2009 - PhilZone