KnujOn

KnujOn (nûj-ôn)

How to Detect and Remove Cracker/Hacker Programs from your PC

What are back door programs?
How can I check my PC right now?
Backup Software
Removal Programs

Back Orifice and NetBus

There are two major hacking programs in use now: NetBus and Back Orifice (BO). These programs have a legitimate use in network security and analysis, but they can easily be used to snoop on your PC at work or at home through your Internet connection. They can be disguised as harmless programs, often the goofy programs or screen savers people send through e-mail. When you click on the executable file in the e-mail and watch the pretty fish swim across your screen, you have unwittingly let a "Trojan Horse" program onto your system. These programs are buried deep in the system files, often hidden from detection or cloaked as a harmless file. When you log onto the Internet, they force TCP ports open and allow virtually anyone with the BO or NetBus administrator program to detect your PC and access your files.

I was lucky enough to have a co-worker infect my PC with one of these programs so I could try to find it and disable it. Detecting these programs is fairly easy; removing them is more difficult, but not impossible! I had the advantage of knowing that this program was somewhere on my PC at the time. I have since written some batch files that help detect these programs and placed them in my Start-up folder so they will search for them every time I log on.

Detection

Check your PC right now!
Open a command prompt.
Type: NETSTAT -A and hit < ENTER >
If there is any activity on port 31337, you have Back Orifice installed.
If there is any activity on port 12345, you have NetBus installed.*
*These are the default ports for these programs; they can be configured for other ports!
If either of these ports (or any other suspicious port) is active, Telnet to yourself (localhost) at that port number. If you connect or a password window opens, you've been infected.

Copy and paste this into Notepad and save it as "hack_check.bat"

@ECHO OFF
REM hack_check.bat - looks for the Back Orifice and NetBus default ports,
REM the Back Orifice executable and the registry keys each program uses.
ECHO This batch file checks for hacker programs loaded on your PC.
ECHO First it will give you a list of active TCP/IP and UDP ports.
ECHO If port 31337 is active you have Back Orifice loaded.
ECHO If port 12345 is active you have NetBus loaded.
pause
CLS
REM These are the default ports only; both programs can be configured to use others.
ECHO Looking for NetBus TCP port
ECHO If infected, you will see a port listing for 12345
netstat -a | find "12345"
pause
CLS
ECHO Looking for Back Orifice TCP port
ECHO If infected, you will see a port listing for 31337
netstat -a | find "31337"
pause
CLS
REM The Back Orifice server file shows up as EXE~1 in a directory listing.
ECHO Looking for the Back Orifice executable
ECHO If infected the file will be found
DIR "C:\WINDOWS\SYSTEM\EXE~1"
pause
CLS
REM Export the RunServices key so the entry that starts the server can be inspected.
ECHO Looking for changes in the registry key
ECHO This will create a file called "BOCHECK.TXT"
ECHO Open the file and look for a suspicious line like @="EXE~1"
REGEDIT /E .\BOCHECK.TXT HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
pause
CLS
REM The export file is only written if the NetBus key exists.
ECHO Looking for changes in the registry key
ECHO This will create a file called "NBCHECK.TXT" if NetBus is loaded
ECHO no file will be made if not.
REGEDIT /E .\NBCHECK.TXT HKEY_CURRENT_USER\Patch\Settings\ServerPwd
pause
CLS
@ECHO ON
EXIT
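The same port checks the procedure above and hack_check.bat perform by hand can be run over saved netstat output. The following Python script is an added example, not code from the original page: it parses Windows "netstat -a" output (the sample lines are constructed for the example), flags the two default ports the page names, and, because both programs can be reconfigured to other ports, also reports any other listening port that is not on an allowlist you maintain (the EXPECTED_PORTS set is an assumption for the example, not a recommendation for any particular PC).

```python
"""Parse Windows `netstat -a` output and flag the Back Orifice and NetBus
default ports named on this page, plus any other listening port that is
not on a locally maintained allowlist.

Added example, not part of the original page. The sample netstat lines
below are constructed to look like Windows 9x/NT output."""

import re
from typing import Dict, List, Tuple

# Default ports from the page; both programs can be reconfigured, so this
# table is only the first check, not the last.
KNOWN_TROJAN_PORTS: Dict[int, str] = {
    31337: "Back Orifice (default port)",
    12345: "NetBus (default port)",
}

# Ports you expect to be open on this machine (an assumption for the
# example). Any other LISTENING port is reported for a closer look.
EXPECTED_PORTS = {135, 137, 138, 139}

# Constructed sample output in the layout of `netstat -a` on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    mypc:135               0.0.0.0:0              LISTENING
  TCP    mypc:139               0.0.0.0:0              LISTENING
  TCP    mypc:12345             0.0.0.0:0              LISTENING
  TCP    mypc:1029              ftp.example.net:21     ESTABLISHED
  UDP    mypc:137               *:*
  UDP    mypc:31337             *:*
  UDP    mypc:4444              *:*
"""

# Proto, local host:port, foreign address, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[Tuple[str, int, str]]:
    """Return (proto, local_port, state) for each connection line.
    Header and blank lines are skipped; UDP lines get an empty state."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _host, port, _foreign, state = m.groups()
        entries.append((proto, int(port), state or ""))
    return entries


def find_suspicious_ports(text: str) -> Dict[int, str]:
    """Map each suspicious local port to the reason it was flagged.

    Two checks, in order of confidence:
    1. the port is a default for one of the programs named on the page;
    2. the socket is listening (TCP LISTENING, or any bound UDP port)
       and the port is not on the expected list.
    Established outbound connections on ephemeral ports are ignored."""
    flagged: Dict[int, str] = {}
    for proto, port, state in parse_netstat(text):
        if port in KNOWN_TROJAN_PORTS:
            flagged[port] = KNOWN_TROJAN_PORTS[port]
            continue
        listening = (proto == "TCP" and state == "LISTENING") or proto == "UDP"
        if listening and port not in EXPECTED_PORTS:
            flagged[port] = f"unexpected {proto} listener"
    return flagged


if __name__ == "__main__":
    for port, reason in sorted(find_suspicious_ports(SAMPLE_NETSTAT).items()):
        print(f"port {port}: {reason}")
```

Run it directly to see the flagged ports for the sample; on a real PC save the output with "netstat -a > ports.txt" and pass the file contents to find_suspicious_ports. A hit on one of the default ports is a strong signal; an unexpected listener is only a prompt to identify the program that owns it, since legitimate services open ports too.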



Backup Software

A less stealthy program, but nevertheless useful for hacking, is a backup program like ARCserve. ARCserve is supposed to be used to back up PCs over a network, but it can easily be used as a backdoor program. The problem is that this program looks like a lot of the other junk that comes with your computer. You might not notice it because it is "backup" software. ARCserve can copy all the files on your hard disk in less than 15 minutes and is almost invisible when it is running. If it has been loaded on your system, it will show up in the Start Menu. Use the ARCserve uninstall or the Windows remove program to get rid of it. If you have the ARCserve agent loaded on your PC for other reasons, be warned that anyone with the ARCserve manager software can do an "Auto-detect" and find your PC if it has an agent. The agent may be disabled when not in use.


Links that will help with Backdoor/Trojan detection and removal

WebAttack Internet Tools
Virus Control and Anti-Hacking
NetBus trojan virus (Proland Software)
NetBus and NetBuster
How to remove BO by hand

