On 29 Nov 98 at 15:16, Alan Bentley wrote:
> Hello...... Sorry for the lack of information. This is what I know about
> his system.
>
> Windows 95
> An Internet server
> No network involved
> TCP/IP
An Internet server needs to be connected about 24 hours a day, 7
days a week, on a static IP address. This makes it an easy target.
Win95 is not a sufficiently secure platform for this without AT LEAST
the addition of a firewall.
> He has been posted by an unknown person several times while using
> ICQ. This happens in the message box that he is typing in. The
> intruder starts typing into the same window at the same time.
Even if he was on an intermittent connection with a dynamic IP
address, ICQ would blow his cover by announcing "I'm connected now,
at this IP"....
> He has a program that detects Back Orifice installed on his
> computer. This has alerted him several times and has given him the
> message that B.O. was detected and deleted. Yet the intruder
> persists.
Back Orifice is apparently pretty good at hiding itself; I've heard
reports that NO program yet achieves 100% detection and elimination
of it.
> He also has the box in ICQ checked that says "do not allow others
> to see my IP address".
NetBus, similar in concept to Back Orifice (but works on NT as well
as 9x...) comes with a "utility" to obtain such addresses from ICQ
even if the box is checked.
> Would be very interested in ways to track the intruder down.
First things first:
1. Install a firewall -- ISP may help with this. Configure it to
only allow the traffic you know you need.
2. Clean BO off the machine. This is a case where a reformat and
clean install may be the only way to be sure. Consider running NT
instead of 9x; NT makes it much easier to shut off stuff you don't
need.
3. Most firewalls will produce a log of blocked traffic, which will
probably include the IP address of someone out there trying to talk
to Back Orifice on this server. Or, more likely, of some other Win
9x server that they already have Back Orifice on and are using to
launch further attacks....
David G
PCSOFT maintains many useful files for download
on our web site - visit our download page at:
http://nospin.com/pc/files.html
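One way to do the log check in item 3 above, as an added example that is not from this post or its author: a small Python script that parses a constructed firewall deny log and tallies which source addresses were blocked trying to reach the Back Orifice port. It assumes a generic "action proto src -> dst" line format and Back Orifice's default UDP port 31337, neither of which the post states.

```python
import re
from collections import Counter

# Back Orifice listens on UDP 31337 by default (assumed here; the post
# itself names no port), so denied datagrams to that port are the
# entries worth pulling out of the firewall log.
BO_PORT = 31337
BO_PROTO = "UDP"

# Constructed sample log in a generic "action proto src -> dst" format;
# this is not the output of any real firewall product.
SAMPLE_LOG = """\
1998-11-29 15:02:11 DENY UDP 203.0.113.7:4321 -> 198.51.100.5:31337
1998-11-29 15:02:13 DENY UDP 203.0.113.7:4321 -> 198.51.100.5:31337
1998-11-29 15:05:40 DENY TCP 192.0.2.88:1033 -> 198.51.100.5:139
1998-11-29 15:06:02 DENY UDP 203.0.113.7:4321 -> 198.51.100.5:31337
1998-11-29 15:09:55 DENY UDP 192.0.2.19:2002 -> 198.51.100.5:31337
1998-11-29 15:10:30 ALLOW TCP 192.0.2.50:1544 -> 198.51.100.5:80
this line is corrupt and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>DENY|ALLOW) (?P<proto>UDP|TCP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return a dict for a well-formed entry, or None so callers skip junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def bo_probes(log_text):
    """Count denied UDP/31337 attempts per source address, busiest first.

    As the post notes, a source seen here is often another compromised
    Win9x box being used as a relay, not the person behind the keyboard.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["action"] == "DENY" and rec["proto"] == BO_PROTO
                and rec["dport"] == BO_PORT):
            hits[rec["src"]] += 1
    return hits.most_common()

if __name__ == "__main__":
    for src, n in bo_probes(SAMPLE_LOG):
        print(f"{src} was blocked reaching UDP/{BO_PORT} {n} time(s)")
```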