BotNets

Discussion in 'Windows Desktop Systems' started by Saldrin, Jun 16, 2006.

  1. Saldrin

    Saldrin OSNN Junior Addict

    How can you tell if you have been or are part of a botnet?

    From what I have been reading, most botnets use IRC, so would a simple netstat with ports like 6667 being open lead me to believe I've been compromised? Note: I haven't used IRC in years, so I have no reason to be using that port. Also, that port is not really open on my machine, just a hypothetical question.

    What other signs can a user look for, or be aware of, to protect themselves from botnets?

    Thanks in advance.
     
  2. Geffy

    Geffy Moderator Folding Team

    yep, just open up a command prompt and run 'netstat -a'

    if you see things connected to ports 6666 to 6669 or 7000 to 7002 then it's likely that something is connected to an IRC server somewhere.

    also check your process listing for any programs you don't know the names of. then google the name of the process and see what comes up.
     
  3. Saldrin

    Saldrin OSNN Junior Addict

    Cool, thank you. I used to use netstat all the time to check for trojans, now I'm pretty much converted to the network monitor within Kaspersky IS 6.0. They really made some nice updates!! It will tell you what process is using what open port; one of the things I could never strangle out of netstat.

    What piqued my concern is I was reading this article: http://blog.spywareguide.com/ and I started digging through some other blogs there, and one of the things that jumped out at me was when one person was checking into a botnet, the IRC server denied him access for spamming. Long story short, this happened to me many many years ago (probably the last time I did use IRC...), and I knocked it off as I got a bad selection of an IP from my ISP (DHCP) at the time. Wonder if I got spanked many years back....

    Thanks for the reply.
    Sal
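
Added example, not part of the original posts: the check discussed in this thread, written as a Python parser for Windows `netstat -ano` output, whose PID column gives the owning process for each connection. It flags only rows whose remote port falls in the ranges mentioned above (6666 to 6669, 7000 to 7002); the sample output, addresses and PIDs are constructed, and the function names are this example's own.

```python
# Added example: flag outbound TCP connections to the IRC ports named in the thread.
IRC_PORTS = set(range(6666, 6670)) | set(range(7000, 7003))
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT"}  # connected, or still trying to connect

# Constructed sample of `netstat -ano` output (addresses and PIDs are made up).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       984
  TCP    192.168.1.20:1045      203.0.113.7:6667       ESTABLISHED     2312
  TCP    192.168.1.20:1051      198.51.100.4:80        ESTABLISHED     1780
  TCP    192.168.1.20:6667      198.51.100.9:443       ESTABLISHED     1780
  TCP    192.168.1.20:1060      203.0.113.7:7000       SYN_SENT        2312
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    700
"""

def port_of(endpoint):
    """Return the port of 'addr:port' (also '[v6]:port'), or None for '*:*'."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None

def irc_connections(netstat_text):
    """Return (pid, remote endpoint, state) for TCP rows whose REMOTE port is an IRC port."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly 5 fields: proto, local, foreign, state, PID.
        # The header, blank lines and UDP rows (no state column) are skipped.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _, _local, remote, state, pid = fields
        # Match the remote port only: a local ephemeral port that happens to be
        # 6667 (fourth sample row) is not a connection to an IRC server.
        if state in ACTIVE_STATES and port_of(remote) in IRC_PORTS:
            hits.append((int(pid), remote, state))
    return hits

if __name__ == "__main__":
    import subprocess, sys
    text = SAMPLE
    if "--live" in sys.argv:  # on Windows: parse the real output instead of the sample
        text = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    for pid, remote, state in irc_connections(text):
        print(f'PID {pid} -> {remote} ({state}); identify it with: tasklist /FI "PID eq {pid}"')
```

A hit is a reason to identify the process, not proof of infection, and an empty result only rules out these specific ports.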