Thread: BotNet says ISP. What Now?

  1. #1
    nonab (Guest)

    BotNet says ISP. What Now?

    Hi: My Insight Cable service stopped my internet access because they say my account was used to send 64,000 Spams. They say I have a BotNet. My ZoneAlarm firewall and AntiVirus/SpyWare did not alert me to a problem. My scan today, on desktop and laptop, did not report a problem. They (cable people) questioned my wireless router, but it is password protected on both ends. They say it's still possible, and that it's entirely possible the firewall and antivirus won't detect a problem, because it may be in my registry. They say I need to take the computer(s) to a repair facility or reformat/reinstall. They say to change all my passwords. I assume they mean I should do that *after* killing the botnet. They restored my service, but I'm using Earthlink dial-up, hopefully to stall an attack. The odd thing is, that before they restored my service, I rebooted and unplugged modem and router, and rebooted some more, and the dial-up didn't work... Very odd, because it's a different service and vendor in this case.
    I don't do Facebook or MySpace or any other "social networking" business, I don't click on suspicious e-mails, in general I practice "safe-surfing." Is there no tool I can use to identify and remove the botnet? Can I figure out how long it's been active? That would save me hours of work. Otherwise, I'll reformat/reinstall.
    All my sensitive information is in encrypted files. They say that's not good enough. I assume because my keystrokes have been monitored for a period of time - is that correct?
    Thanks very much!

    Operating System:Windows XP Pro
    Software Version:7.0
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    oldsod (Join Date: Dec 2005, Posts: 8,974)

    Re: BotNet says ISP. What Now?

    Some providers are slack and never pursue their own server logs for their customers' networks - in other words, your IP could be borrowed by someone else and the blame lies on your shoulders. It does happen, but providers seldom or never admit to this happening. It really depends on how deep they are willing to trace their own logs or check their own security.
    I have seen this myself - my provider accused me of spamming. Impossible I replied. I have no email ports allowed and these are all blocked off (I mean every email port, both source and destination email ports). I demanded they check their own logs further and stop making false claims. I insisted I never use their email server using an email client. I just use web mail. The following reply I got from the provider just said my spamming has stopped and the services will continue. No mention of any mistakes on their own part. I have only a wired connection with two routers and the modem and no wireless anywhere used - no possible leak anywhere.
    The upshot is my provider never would admit they made a mistake or apologize. Just a simple spamming has stopped so it's okay now.

    Well are you using the dialup or the earthlink with the wireless?
    Just password protecting the router login is not enough to secure it.

    Put a Unique SSID (i.e. the name of your Wireless Network should not be WLAN or any other default setting).

    Make sure the PC is MAC'd in the router.
    This will only allow your hardware to connect to the system.
    MAC filtering is a good deterrent against casual intruders.

    Use the encryption or the WPA. If using WEP, then change the WEP key every month or so.

    Disable Auto Broadcast.
    Most Wireless Access Points Broadcast their existence by default; you can disable this feature.

    Disable the UPnP.
    This can be a vulnerability.

    Disable the Reply to Pings. This will help increase security and reduce unwanted connection attempts.

    Make sure the SPI is enabled and also the NAT.
    Also see the router's vendor's website for a possible upgrade of the router's firmware.

    Go here for the online antivirus scanners and do a couple of those and maybe a couple of the online spyware scanners:

    http://spywarewarrior.com/sww-help.htm

    This will determine if the PC is clean or infected.

    Both the ZA OSFirewall and the full time scanner of the antivirus will detect and stop keyloggers. So maybe there is less to be worried about than before.

    Best regards.
    Oldsod.

  3. #3
    nonab (Guest)

    Re: BotNet says ISP. What Now?

    I'm very glad to see that you've questioned the veracity of my ISP. I'm questioning them also. It occurred to me that Dell could help. After all, I paid for support and I never use it, and it's a new-ish computer, and I paid extra for American support, so why the heck not?? The guy was very nice, he remotely cruised all over my registry, and looked up unknown processes, and found nothing. Then he perused currently-running processes and applications, and found nothing.
    He installed a [smart sniff] utility and watched internet packets go in and out and found nothing. He opened up Outlook, looked at outgoing mail, incoming mail, looked for add-in programs, and found nothing. Then he watched while I logged into webmail at said ISP, which I had never used before (in fact I rarely use their e-mail services, only their access), and he found no outgoing messages, no new e-mail accounts, and no evidence whatever of said "Spam." Zero, zilch, nada. He said he thinks the ISP was wrong.
    So now what? Now I'm a little hacked at said ISP, but not nearly as hacked had I actually started reformatting and reinstalling, or (gasp) taken a computer to a repair outlet. They've still wasted several of my hours and at least a few brain cells. So next time, hopefully not, but next time, I'm tempted to say, "Oh yeah? Prove it!" and expect them to research their claim further. That's the least they can do after this goose chase.
    I don't expect my wireless router to be a problem, but I will work through your suggestions just the same. Half the time a good signal won't even reach the den (uber-thick walls). I live in a sleepy old neighborhood, and only one of my neighbors is geeky enough to have the wherewithal, but wouldn't (he's a good guy, and I dog-sit for them besides). There are some teenagers down the street a ways...
    I've just gone through your suggestions for wireless router settings. (I use it with the cable modem). The only thing I had to change was to disallow broadcasts, although I couldn't figure out what "NAT" was (after SPI). My firmware is up-to-date.
    I was very thankful to learn from you that ZA would detect a key-logger.
    Thanks very much for helping me put my mind at ease. I will run the tech-support guy's [smart sniff] utility for a while, and see if there are errant boatloads of packets. Otherwise, I will be thankful I'm not shoving disk after disk into the computer and playing with all those settings that take days to get "right" after a reinstall. Thank you! Thank you very much, Sir Oldsod {smooch}.
    --NonaB

  4. #4
    oldsod (Join Date: Dec 2005, Posts: 8,974)

    Re: BotNet says ISP. What Now?

    When I replied to my provider's very demanding email, I did mention I had several forms of internet traffic logs which can be sent for reading at their own leisure.
    I mentioned in my email both the ZA firewall logs (found in the Windows\Internet Logs folder) and the router logs.
    Router traffic logs, because the router is not part of the PC and is a separate entity all by itself, have a lot of weight.
    If the PC was actually hacked in any way, the router will see and log all network traffic regardless. Even if it was not logged on the PC.
    Sort of infallible proof of traffic.
    Most routers have a feature to email the logs or send the logs to the PC on a regular basis (usually weekly or daily).
    This way you have a complete record on hand at any time.
    Good weapons to keep in your hand.
    I use two routers, so I could even remit two sets of the router logs
    I also use a separate IP blocker which logs all allowed and blocked traffic on the PC
    I could have remitted four separate traffic logs if needed.

    The DELL service seems very complete! Very impressive. Well worth the money spent for the added support. A packet sniffer is one of the most authoritative proofs of all known and unknown traffic. I hope you have a copy of the complete report from the DELL support to send to your provider.
    I am so glad you don't have to reformat and reinstall or take it to a shop (and pay out a lot of good money for no valid reason).

    I suspect the server/PC users complained to the abuse at your provider about the spam and your provider just looks at the IP in question and promptly fired off an email or notice. Without checking their own logs or doing any research where the packets originally came from and check the last few servers involved where the spoofed packets originated.
    They can easily block off rogue internet IPs and servers that are involved with such criminal activity, but I think the first standard procedure the provider takes is to accuse the IP (customer) of their own network.
    Usually if the spammer is good, they can't be completely traced or they can be traced and yet not criminally charged or pursued. The trace often reaches a dead end - plenty of rogue providers and internet servers in this world.
    At ten cents U.S. for each spam sent and at 64,000 emails, the crook made some good money ($6,400) for the week. No doubt you were not the only victim that week.

    NAT is network address translation and it probably is enabled. If the PC receives a private address from the router and does not use a public address, then the NAT is already enabled.

    You are very welcome!
    Nice to see you are more at ease and have taken action!

    Best regards.
    Oldsod.

    Message Edited by Oldsod on 04-15-2008 09:56 PM
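A worked example of the log-based check oldsod describes above: counting outbound SMTP (TCP/25) connections per LAN host in a router or firewall traffic log, so that a customer can see whether their own records back up or contradict an ISP's spam accusation. This is added example code, not anything from the thread; the log line format and the sample lines are constructed here, not ZoneAlarm's or any router vendor's actual format.

```python
"""Summarise outbound SMTP (TCP port 25) connections per LAN host from a
traffic log. A home PC normally talks to one or two mail servers; many
connections to many distinct servers is the pattern of direct-to-MX
spamming, which is what an ISP's abuse desk would be reacting to."""
import re
from collections import Counter, defaultdict

# Constructed, generic line format (assumption, not a real vendor format):
# "YYYY-MM-DD HH:MM:SS src:port -> dst:port PROTO action"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>TCP|UDP) (?P<action>\w+)$"
)

# Constructed sample: 192.168.1.10 sends a couple of mails through one
# server; 192.168.1.20 fans out to many different mail servers.
SAMPLE_LOG = """\
2008-04-15 20:01:02 192.168.1.10:51000 -> 203.0.113.5:25 TCP allow
2008-04-15 20:01:09 192.168.1.10:51001 -> 203.0.113.5:25 TCP allow
2008-04-15 20:03:41 192.168.1.20:40001 -> 198.51.100.7:25 TCP allow
2008-04-15 20:03:41 192.168.1.20:40002 -> 198.51.100.8:25 TCP allow
2008-04-15 20:03:42 192.168.1.20:40003 -> 198.51.100.9:25 TCP allow
2008-04-15 20:03:42 192.168.1.20:40004 -> 198.51.100.10:25 TCP allow
2008-04-15 20:03:43 192.168.1.20:40005 -> 198.51.100.11:25 TCP allow
2008-04-15 20:05:00 192.168.1.20:40006 -> 198.51.100.12:80 TCP allow
2008-04-15 20:05:30 192.168.1.10:51002 -> 203.0.113.5:993 TCP allow
"""

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def smtp_summary(text):
    """Map each source host to (allowed TCP/25 connections, distinct mail servers)."""
    conns = Counter()
    dests = defaultdict(set)
    for rec in parse_log(text):
        if rec["proto"] == "TCP" and rec["dport"] == "25" and rec["action"] == "allow":
            conns[rec["src"]] += 1
            dests[rec["src"]].add(rec["dst"])
    return {host: (conns[host], len(dests[host])) for host in conns}

def suspicious_hosts(text, max_conns=4, max_dests=2):
    """Hosts whose SMTP fan-out exceeds what a normal mail client produces."""
    return sorted(h for h, (c, d) in smtp_summary(text).items()
                  if c > max_conns or d > max_dests)

if __name__ == "__main__":
    print(smtp_summary(SAMPLE_LOG), suspicious_hosts(SAMPLE_LOG))
```

With the constructed sample, only 192.168.1.20 is flagged; a host that never appears in a port-25 summary at all is what a customer in nonab's position would want their logs to show.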
