• Xpost of Jack Troughton Part#3

    From Mike Luther@1:117/3001 to All on Mon Jun 4 19:18:00 2001
    Cross post of Jack Troughton Part #3:

    As you can see, I've got lots of ports open. The nice thing is that it tells you what each port is for. In the list of programs above, weasel is the mail server I'm using, and is responsible for the smtp and pop3 ports... smtp is for sending mail, and pop3 is for retrieving mail. As you can see I'm writing this to you in a telnet session, running cmd, which is running slrn, which is running vim as the editor, which is calling cmd to run go, listing the programs running. Changi is my news server, which is running on the nntp port. I am (of course) running a syslog daemon; if something goes south I want a record of where and why it did. Finally, I have a web server and an ftp server running.

    Those are the listen ports. You can see that at the time that I ran netstat, there was a connection on the smtp port from 208.50.99.225. If I look that machine up:

    nslookup 208.50.99.225

    Server: vl-ms-dn004-fae1.ms.videotron.ca
    Address: 24.200.243.242

    Name: c3.egroups.com
    Address: 208.50.99.225

    you can see that it's one of the mail servers at egroups, probably sending me Yet Another Email from the eCS mail list.

    You can also see my news server 'talking to itself' on the loopback interface (127.0.0.1); probably chanx has just run to get the news feed from videotron, scitech, IBM, ecomstation.nl, or mozilla.org, and rnews is feeding the data fetched to my news server over the loopback interface to be injected into the news base. This is something I've scripted to happen every half an hour, so that I've always got the freshest news at jakesplace.dhs.org:).

    So, the kind of thing you're looking for are connections to weird ports on machines you don't know. One note: since we're on OS/2, the likelihood of any of us having a trojan is _extremely_ low... so if you're looking at this stuff for the first time and don't recognise things right away, don't freak out:). A good idea is to run common network programs like netscape, pronews, pmmail, and so on, and while they are doing network activity, run 'netstat -s' so you can get an idea of what the sockets they create look like to the system.

    The thing to do is just to poke around until you _know_ what's running on your system. Fortunately, the internals of OS/2 are pretty easy to understand; you have programs, they do things, and information about what programs you have on the go on your system is pretty easy to get, especially with the great stuff available on Hobbes and LEO and so on. Once you get to a certain level of familiarity with what's happening on your computer, the likelihood of being hit with anything like a trojan shrinks to almost nothing, and the likelihood that it would go unnoticed for long will be even smaller.

    Is that the sort of thing you were looking for, Chris?

    --
    ----------------------------------------------------------
    * Jack Troughton jake at jakesplace.dhs.org *
    * http://jakesplace.dhs.org ftp://jakesplace.dhs.org *
    * Montreal PQ Canada news://jakesplace.dhs.org *
    ----------------------------------------------------------

    Brought to you in the interest of seeing OS/2 BBS'ing in perhaps a little different light . . .

    I learned a *LOT* from this article. I actually learned a lot more than just about what processes might be used for evil. As well as this I *FINALLY* got help working in VA C++, VA Java and DB2 V7, plus now know some other things to watch for in the cable modem world.

    It is particularly important, in my opinion, that a BBS operator who is going to create an Internet presence, which is so easy to do courtesy of Ray Gwinn's wonderful SIO, ought to think about the above ..

    Please do not shoot the messenger ..

    Mike @ 1:117/3001



    --- Maximus/2 3.01
    * Origin: Ziplog Public Port (1:117/3001)
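The baseline check Jack describes above (know which program owns each listening port, treat loopback chatter as expected, and look twice at connections to unfamiliar hosts or odd ports) can be scripted. This is an added example, not code from the post or from any OS/2 tool; the listing it parses is a constructed, simplified netstat-style format rather than real OS/2 `netstat` output, and the service names and the sample IP addresses other than 208.50.99.225 are assumptions.

```python
from ipaddress import ip_address

# Baseline of expected listeners, port -> owning program, taken from the post.
# (syslog is UDP and would need a separate line format, so it is omitted here.)
EXPECTED_LISTENERS = {
    25: "weasel (smtp)", 110: "weasel (pop3)", 119: "changi (nntp)",
    80: "web server", 21: "ftp server",
}

# Constructed sample, loosely modelled on a netstat listing; not real OS/2 output.
# 208.50.99.225 is the egroups mail server from the post; 9999 and 192.0.2.7 are
# made-up "unknown" values so the checks have something to flag.
SAMPLE = """\
tcp 0.0.0.0:25 0.0.0.0:0 LISTEN
tcp 0.0.0.0:110 0.0.0.0:0 LISTEN
tcp 0.0.0.0:119 0.0.0.0:0 LISTEN
tcp 0.0.0.0:80 0.0.0.0:0 LISTEN
tcp 0.0.0.0:21 0.0.0.0:0 LISTEN
tcp 0.0.0.0:9999 0.0.0.0:0 LISTEN
tcp 24.200.243.10:25 208.50.99.225:4021 ESTABLISHED
tcp 127.0.0.1:119 127.0.0.1:1045 ESTABLISHED
tcp 24.200.243.10:1046 192.0.2.7:6667 ESTABLISHED
"""

def parse(listing):
    """Split each line into (proto, local host, local port, remote host, remote port, state)."""
    rows = []
    for line in listing.splitlines():
        proto, local, remote, state = line.split()
        lhost, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        rows.append((proto, lhost, int(lport), rhost, int(rport), state))
    return rows

def review(listing, expected=EXPECTED_LISTENERS):
    """Return (category, description) findings worth a second look."""
    findings = []
    for proto, lhost, lport, rhost, rport, state in parse(listing):
        if state == "LISTEN":
            if lport not in expected:       # a listener nothing in the baseline explains
                findings.append(("unknown-listener", f"port {lport} has no known owner"))
            continue
        if ip_address(rhost).is_loopback:   # e.g. rnews feeding the news server
            continue
        if lport in expected:               # someone talking to one of our services
            findings.append(("inbound", f"{rhost} -> {expected[lport]}"))
        else:                               # we opened a connection out to somewhere
            findings.append(("outbound", f"local {lport} -> {rhost}:{rport}"))
    return findings

if __name__ == "__main__":
    for category, description in review(SAMPLE):
        print(f"{category:16} {description}")
```

Inbound findings are normal traffic to be recognised (here, egroups delivering mail to weasel); the unknown listener and the outbound connection to an unfamiliar host are the ones to chase down with the program list, as the post suggests.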