Have you been hacked?


EZ_Sleethr
06-25-01, 10:03 AM
Since VI's latest "Hacked" policy, it might be a good idea to check yer machines. The entire article is rather interesting, but I just posted the way to tell if you're in trouble.

For the complete article:

grc.com/dos/grcdos.htm

Quote:
A Quick & Easy Check for IRC Zombie/Bots

If you have managed to read all the way through this lengthy and detailed adventure, I am sure you will agree that you do NOT want any of these nasty Zombies or their relatives running around loose inside your PC. Fortunately, it's quite easy to verify that your system is not currently infected by one of these IRC Zombie/Bots.

All of the IRC Zombie/Bots open and maintain static connections to remote IRC chat servers whenever the host PC is connected to the Internet. Although it is possible for an IRC chat server to be configured to run on a port other than "6667", every instance I have seen has used the IRC default port of "6667".

Consequently, an active connection to an IRC server can be detected with the following command:

netstat -an | find ":6667"

Open an MS-DOS Prompt window and type the command line above, then press the "Enter" key. If a line resembling the one shown below is NOT displayed, your computer does not have an open connection to an IRC server running on the standard IRC port. If, however, you see something like this:

TCP 192.168.1.101:1026 70.13.215.89:6667 ESTABLISHED

. . . then the only question remaining is how quickly you can disconnect your PC from the Internet!

A second and equally useful test can also be performed. Since IRC servers generally require the presence of an "Ident" server on the client machine, IRC clients almost always include a local "Ident server" to keep the remote IRC server happy. Every one of the Zombie/Bots I have examined does this. Therefore, the detection of an Ident server running in your machine would be another good cause for alarm. To quickly check for an Ident server, type the following command at an MS-DOS Prompt:

netstat -an | find ":113 "

As before, a blank line indicates that there is no Ident server running on the default Ident port of "113". (Note the "space" after the 113 and before the closing double-quote.) If, however, you see something like this:

TCP 0.0.0.0:113 0.0.0.0:0 LISTENING

. . . then it's probably time to pull the plug on your cable-modem!

Note that a Windows IRC client program running in the PC will generate false-positive reports since these are tests for IRC client programs. So be sure to completely exit from any known IRC client programs BEFORE performing the tests above.


Sleethr Dragynthorn - 53rd Dark Elf Mage
Verser - 49th .5 Elf Bard
Medec Kalleave - 40th Dwarven Battle Cleric of the Baby Rezz
Vowk - 27th Wood Elf Dr00d

Division 13 of Bertoxxolus: http://home.earthlink.net/~rwn7734/div13
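The two netstat checks quoted above, written as a parser over "netstat -an" output instead of a plain text match (an added example, not code from the grc.com article or anyone in this thread; the netstat output below is constructed):

```python
import re
from typing import Dict, List

IRC_PORT = 6667    # default IRC server port named in the article
IDENT_PORT = 113   # default Ident port named in the article

# Constructed sample of Windows "netstat -an" output (not a real capture).
# It contains one outbound IRC session and one Ident listener, plus rows that
# a plain 'find ":113"' or 'find ":6667"' would misreport (local port 1133,
# a local listener on 6667) and a UDP row with no state column.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.101:1026     70.13.215.89:6667      ESTABLISHED
  TCP    192.168.1.101:1133     198.51.100.7:80        ESTABLISHED
  TCP    192.168.1.101:6667     0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

# Proto, local addr:port, foreign addr:port, optional state (UDP rows have none).
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def find_irc_indicators(netstat_output: str) -> List[Dict[str, str]]:
    """Return the rows matching the article's two indicators, in output order."""
    findings = []
    for line in netstat_output.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner, column header, or blank line
        proto, laddr, lport, raddr, rport, state = m.groups()
        if proto != "TCP":
            continue
        # Indicator 1: an established session whose remote end is the IRC port.
        # Comparing the parsed port as an integer cannot match 1133 when looking
        # for 113; requiring ESTABLISHED skips a local listener on 6667.
        if state == "ESTABLISHED" and rport.isdigit() and int(rport) == IRC_PORT:
            findings.append({"reason": "irc-connection",
                             "local": f"{laddr}:{lport}", "remote": f"{raddr}:{rport}"})
        # Indicator 2: something listening on the Ident port. This exact port
        # comparison is what the trailing space in 'find ":113 "' approximates.
        elif state == "LISTENING" and int(lport) == IDENT_PORT:
            findings.append({"reason": "ident-listener",
                             "local": f"{laddr}:{lport}", "remote": f"{raddr}:{rport}"})
    return findings


if __name__ == "__main__":
    for f in find_irc_indicators(SAMPLE_NETSTAT):
        print(f["reason"], f["local"], "->", f["remote"])
```

The false positive the article warns about still applies: a legitimate IRC client produces the same two rows, and netstat alone does not say which program owns them.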

EZ_Cylant
06-25-01, 12:39 PM
You can also look for mirc32.exe running in the background.

EZ_Sleethr
06-26-01, 08:22 AM
Just noticed another article on the topic. The Sub7 IRC worm is nasty for EQ'ers due to the keystroke logging that it does. That and the fact that hackers use your PC to DDoS ( Distributed Denial of Service ) attack other websites.

dailynews.yahoo.com/h/zd/20010625/tc/feds_warn_of_new_worm_threat_1.html

Brelkor
06-26-01, 04:40 PM
windows is about as secure as a chain link fence trying to keep in/out ants

EZ_Karlek
06-27-01, 07:09 AM
If you do not wildly accept and execute .exe files from all over the infested world, there is not much chance for you to pick up a trojan, virus and/or worm. Similar to the level of your promiscuity in correlation to AIDS. (If you take intravenous drugs, then you don't know what's going on anyhow...)

It might change now that I use Outlook for mail system, though... MS has in their wisdom allowed all of their applications a backdoor of programmatic meddling, probably to 'create' a market for MS-authorized-brand of viral checkers... Edited by: Karlek at: 6/27/01 8:12:13 am

EZ_felyndira
06-28-01, 10:20 AM
Since the patch from 27/6 I cannot connect anymore and I suspect I was hacked. I am really not familiar with computer operation and would appreciate your help with a detailed description of the steps I should take in order to verify if I was hacked or not.

Felyndira DE rogue '" on Bertoxx, hopefully not hacked

berael
06-28-01, 11:34 AM
Quote: appreciate your help with a detailed description of the steps I should take in order to verify if I was hacked or not

Well, start with a detailed description of exactly why you can not connect anymore, and your system hardware and software specs.

EZ_Spidor
07-07-01, 12:14 AM
A firewall will alert you if any 'bot is attempting to access the internet, if you have it properly configured. I use one and it's amazing how often an outside site attempts to access my connection. My firewall shuts them down fast.
Properly configured, this will also prevent any 'bot from accessing as well, by warning you before it attempts to access the internet (like a 'bot using IRC software clients would).
What? No firewall? Go here:
http://www.zonelabs.com/

Download the FREE (synonymous with no cost to you) firewall software. I haven't had a single problem with it, and recommend it.
Who am I? Just some guy, nothing special. I just advocate protecting your system and account information with a firewall, and this one is free and works very well. It looks like it would work in this situation too.

Spidor (Redeemed)

EZ_Eterno
07-09-01, 12:47 PM
I got the zonelabs product and have been using it for about 8 months now.. simply put.. its AWESOME.

Eterno, 45 Rogue and Officer of The Legion of Valor
Larodor, 22 Paladin of Marr
Coyoteblack, 9 Wood Elf Casanova Druid
Mithos, 5 Wizzard
Ariakhan, 10 Dark Elf Shadowknight
Legion of Valor, Bristlebane, Norrath

EZ_Tranthas
07-09-01, 01:27 PM
So if I attacked you with something renamed "iexplore.exe" what would the Zonelabs wall do? (I'm not going to, but this is a common weakness, and the primary reason I don't use -software- firewalls.)

EZ_Kordesh
07-10-01, 02:37 AM
Don't use software firewalls? Those are the only ones I've heard of up until now, and if there are hardware firewalls I have a feeling they are going to be expensive as all hell.

EZ_Zeel Zanar
07-10-01, 07:01 AM
-----
So if I attacked you with something renamed "iexplore.exe" what would the Zonelabs wall do? (I'm not going to, but this is a common weakness, and the primary reason I don't use -software- firewalls.)
-----

Then it will ask you if you want to allow the new program to access the Internet. It looks at the checksum, and if it doesn't match up to the old program with that name, it's considered new, and thus you have to allow it yourself the first time it wants to access the Internet.

It IS a damn good firewall

Zeel Zanar
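The per-program check described in the reply above, as an added example (not ZoneAlarm's code, whose actual checksum algorithm the thread does not state; SHA-256 is assumed here): a program is recognised by its digest, not its file name, so a different binary dropped in under the same name is treated as new and gets prompted for again.

```python
import hashlib
import os
import tempfile
from typing import Dict, Tuple


def file_digest(path: str) -> str:
    """SHA-256 of the file contents (assumed stand-in for the firewall's checksum)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def decide(path: str, allowed: Dict[str, str]) -> str:
    """'allow' only if this path was approved before AND its digest is unchanged;
    otherwise 'prompt', i.e. the user must approve the program again."""
    return "allow" if allowed.get(path) == file_digest(path) else "prompt"


def approve(path: str, allowed: Dict[str, str]) -> None:
    """Record the digest of the program the user just approved."""
    allowed[path] = file_digest(path)


def demo() -> Tuple[str, str, str]:
    """Walk through the iexplore.exe rename scenario on constructed files."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "iexplore.exe")
        with open(exe, "wb") as f:
            f.write(b"original browser bytes (constructed)")
        allowed: Dict[str, str] = {}
        first = decide(exe, allowed)    # never seen: prompt
        approve(exe, allowed)
        second = decide(exe, allowed)   # same bytes: allow silently
        with open(exe, "wb") as f:      # some other program renamed to iexplore.exe
            f.write(b"unrelated program bytes (constructed)")
        third = decide(exe, allowed)    # same name, new digest: prompt again
    return first, second, third


if __name__ == "__main__":
    print(demo())
```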

EZ_Garor1
07-13-01, 09:50 AM
I don't run a software firewall anymore with my D-link firewall. At first when I got it I did run Black ice or ZA behind it, and not once did I get an alert from them. It is hardware and is a solid state memory firewall. Linksys also makes one just like this; they both cost about 100 bucks, but I have never had anyone able to get in yet. Also I was port scanned about 70-100 times a day :) yea for network security!
Garor Immrama
Turn not thy face from the light of the sun, lest ye feel the burning of thy very souls

EZ_Purifyre
07-29-01, 01:18 AM
If you think you were or are currently being hacked - then visit this link to ensure your account cannot be accessed by the hacker after he/she logs out - if you have to use this link then make sure you run a complete updated virus scan before you log back in otherwise you run the risk of giving the hacker your pwd all over again... And make sure you can still access the original email account you used when you started playing EQ.

www.station.sony.com/serv...t=password