- Posted on December 24, 2005, 8:58 am
- John Hyde
c:\windows\nc.exe) as a "Critical Object". In looking it up, I find
that it is a powerful tool, but not malware per se. Is there a reason I
should have this on my system? Is it really a risk? Any thoughts?
If you can't beat your computer at chess, try kickboxing.
If you did not put nc there, your concern should be how did it get
there?! It's commonly something an attacker will get on your
machine one way or another. It has a variety of uses.
One of the more popular is that it can be used to trivially leave a
port listening on a shell on your system (nc -l -p XXXX -t -e cmd.exe)
such that someone can nc your.ip.address XXXX (where XXXX is a port
number of the attacker's choosing) and voila, your windows command
shell is available on the attacker's machine. Files can be moved
around with netcat, and other such stuff.
In your position, I'd be looking hard for other signs of intrusion, or
being safe and reinstalling the OS from original media.
You say you run Win XP Home, do you have Service Pack 2 installed? If
so, the windows firewall will block netcat.
However, the firewall is rather simple. Even though under "Exceptions"
in the firewall configuration menu it would appear that the firewall
links the allowed application with the allowed port, it is not so. E.g.
"Remote Desktop" (which some may have as an exception) is not bound to
the rdp executables and libraries, only to tcp port 3389. So I can have
netcat listen on this port and spawn a shell when connected to (nc -l
-p 3389 -t -e C:\WINDOWS\SYSTEM32\CMD.EXE), even though windows
firewall says it has blocked nc.exe. (telnet <my computer> 3389, and
then I'm in).
My point here is that you should at least have the windows firewall
enabled as it will most often block listening unauthorized applications
(though I would recommend obtaining a third-party firewall
And as Todd wrote, finding "nc.exe" on your computer AND you have not
put it there yourself, is a good indication that your computer has been
compromised in some way. I wouldn't use that computer for sensitive
things (e.g. internet banking, credit card payment, company documents
etc.). If you're not interested in finding out the entry points of
the attacker, you should reinstall Windows immediately.
And remember to install a Windows with SP2 included on the CD,
otherwise you could find yourself compromised and infected with various
"snacks" before even Windows Update is finished patching your software.
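A way to check for the situation described in the post above, where a port-based firewall exception says nothing about which program is listening. This is an added example, not part of the original post; the expected-owner table and the sample listing are assumptions constructed for illustration.

```python
import re

# Assumption: the image expected to own each port the firewall allows by number.
# (On XP the Remote Desktop service is hosted in svchost.exe.)
EXPECTED_OWNER = {3389: {"svchost.exe"}}

# Constructed sample modelled on `netstat -anob` output; not from a real host.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  [svchost.exe]
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2468
  [nc.exe]
  TCP    192.168.1.10:1043      203.0.113.5:80         ESTABLISHED     1820
  [iexplore.exe]
"""

ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
IMAGE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_listeners(text):
    """Return (port, pid, image) for each TCP listener in the listing."""
    listeners, pending = [], None
    for line in text.splitlines():
        if re.match(r"\s*(TCP|UDP)\s", line):
            # A new connection row: remember it only if it is a TCP listener.
            row = ROW.match(line)
            pending = (int(row.group(1)), int(row.group(2))) if row else None
        elif pending and (img := IMAGE.match(line)):
            # The bracketed line after a row names the owning executable.
            listeners.append(pending + (img.group(1).lower(),))
            pending = None
    return listeners


def unexpected_listeners(listeners, expected=EXPECTED_OWNER):
    """Listeners on an allowed port that are held by some other executable."""
    return [entry for entry in listeners
            if entry[0] in expected and entry[2] not in expected[entry[0]]]


if __name__ == "__main__":
    for port, pid, image in unexpected_listeners(parse_listeners(SAMPLE)):
        print(f"port {port}: owned by {image} (PID {pid}), not the expected service")
```

A matching image name is only a first filter, since a file can be given any name; confirm the full path of the owning PID before treating a listener as legitimate.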
Funny. Then throw Adaware away, it seems to be trash anyway.
The same reason as having a Swiss knife.
Yes. There is the risk, that you could do something useful with it ;-)
A vision statement is, as a rule, the aimless babble of a horde
Dietz Pröpper in d.a.s.r