DDoS Protection
Ridcally, 2015-08-28 17:36:10

How to detect botnet software on a computer?

I am a person far from a deep understanding of IT, and I read Habr out of interest, but necessity has made me turn to people who understand, because I don't understand anything anymore.
So, the situation is as follows:
Provider:
A problem with the security of your home computer has been detected. It is recommended to check the computer with anti-virus software to detect the damage of electronic devices.
If you ignore the problem, the computer infection can be a potential security problem for your personal data. It can also cause incorrect operation of the operating system as a whole.
Me:
What does that mean? There is no specific evidence that my computer is part of a botnet.
I have ESET Smart Security 8.0.312.3 Update 12151 2015-08-25 installed.
At the same time, since 21.08, all devices have been disabled, and purely physically they could not carry out any activity on the network.
Provider:
At 2015-08-25 12:50:00, requests to IP 188.209.54.12 (botnet control source server) were recorded from your IP address ***.
Me:
However, the router log does not show any other connections during this period:
Aug 21 22:09:19 rlx-linux daemon.warn dnrd[14582]: [14582] Received tcp message is too big to process
Aug 21 22:09:19 rlx-linux daemon.warn dnrd[14583]: [14583] Received tcp message is too big to process
Aug 21 22:09:20 rlx-linux daemon.warn dnrd[14584]: [14584] Received tcp message is too big to process
Aug 25 20:56:43 rlx-linux user.notice syslog: RT-N10E:ntp starts
Aug 25 22:56:43 rlx-linux user.notice syslog: RT-N10E:ntp client success
Aug 26 00:08:43 rlx-linux user.warn kernel: wlan0: A wireless client is associated - 1C:B0...
Aug 26 00:08:43 rlx-linux user.warn kernel: wlan0: WPA2-AES PSK authentication in progress...
Aug 26 00:08:43 rlx-linux user.warn kernel: wlan0: A wireless client is associated - 1C:B0...
Provider:
In rare cases, it happens that this is not an outgoing request, but an incoming one. Since the router is turned on, the management server could be trying to send a command.
Separately, I would like to note: it has been noticed that the old firmware of Asus routers has a vulnerability through which they often gain access to equipment. Considering that you apparently have remote access to the equipment enabled, we recommend updating the firmware and not using the standard port, 80.
Me:
Damn, another viral activity report!
Provider:
At 2015-08-27 21:45:00 there was activity on IP address 154.35.175.201, amounting to 30 connections, from your IP address.
Me:
The antivirus again does not see anything, and neither do I.
Also, for some reason the router duplicates clients. I don't know if this is related, but the clients have two connections from one and the same MAC address but with two different assigned IPs.
Help, good people, what should I do, where should I look?


1 answer(s)
CyberGrom, 2015-09-03
@CyberGrom

If all devices except the router were turned off, and the external IP is assigned to it, then logically the problem is in the router. Perhaps, if the router is part of a botnet, it communicates with the control servers once in a while and is given a task in response. Try disconnecting the router's WAN port from the Internet and connecting it to the computer, temporarily assigning your provider's gateway address to the computer. Run Wireshark and just monitor the traffic from your IP assigned on the router. There is a high probability of catching such requests.
P.S. Give details: what firmware is on the router, and which specific router it is. If it is not the stock firmware, then one option is to roll back to the latest stock version.
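An added example, not part of the answer above: one way to check a capture taken as the answer describes for traffic between the router and the two addresses the provider reported, split by direction since the provider raised the incoming case. The function names, the router address 203.0.113.7 (a placeholder for the masked WAN IP), the ports and the sample frames are all constructed for illustration.

```python
import socket
import struct
from collections import Counter

# The two addresses the provider named in this thread.
WATCHLIST = {"188.209.54.12", "154.35.175.201"}

def flag_contacts(pcap, router_ip, watchlist=WATCHLIST):
    """Count IPv4 packets between router_ip and watchlisted hosts, by direction."""
    # Input is the raw bytes of a classic little-endian pcap with Ethernet frames.
    magic, *_, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    hits, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]  # captured length
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (ARP, IPv6) or truncated
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        proto = {6: "tcp", 17: "udp"}.get(ip[9], str(ip[9]))
        dport = None
        if ip[9] in (6, 17) and len(ip) >= ihl + 4:
            dport = struct.unpack_from("!H", ip, ihl + 2)[0]  # destination port
        if src == router_ip and dst in watchlist:
            hits[("outgoing", dst, proto, dport)] += 1
        elif dst == router_ip and src in watchlist:
            hits[("incoming", src, proto, dport)] += 1
    return hits

def _frame(src, dst, proto, dport):
    """Constructed frame: zeroed MACs, minimal IPv4 header, src/dst ports."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", 40000, dport)

def sample_pcap(frames):
    """Wrap constructed frames in a pcap file image (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    router = "203.0.113.7"  # constructed placeholder for the masked WAN IP
    cap = sample_pcap([_frame(router, "188.209.54.12", 6, 80)])
    print(flag_contacts(cap, router))
```

Wireshark saves pcapng by default, so export the capture in the classic pcap format before passing its bytes to `flag_contacts`.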
