Under the supervision ... "or Vs Admin (LAN version)
What can Sis Admin do?
For example, to see a copy of your screen, completely take over the computer control, i.e. even turn off also to blah blah find out all the passwords you entered ... the latter is allowed to be done unnoticed by the user All this is done with the help of special programs for remote administration, for example: Remote Administrator (Radmin), etc., the Trojans also belong to the programs for remote management and everything written below so the blah applies to them . These programs work according to the "Client-server" principle. The client share of the program is set for the one who manages it, and the server is working imperceptibly for the person who manages it. Usually the server is registered in autoload also starts in conjunction with Windows. When loading, the server starts to "Listen" to a specific port, i.e. he is waiting for a connection on this port, but the one who has the client, in order to establish a connection with the "victim", enters the IP address also the port (the one that the server listens to) after which he clicks "Connect" ... In order to find out which ports are open, you can just look at all active connections, using for example Internet Maniac, in the menu "SNMP"> "Active connections", this is how the Remote Administrator server looks, which (by default) slows down connections on port 4899, you can change the settings in the settings: this " LISTENING "
You can use standard Windows utilities, in the "Programs" menu, run MS-Dos session also enter "netstat -a" without quotes;) The format of the output result is: " your computer name: port remote computer name: port connection status " you need to see all the established connections in numerical form, but not in the form of names, then type netstat -n.
If the customer has connected to the server (installed by me), it will look like this:
As you can see, a user with the IP address XXX.168.1.25 connected to my computer (the connection status is ESTABLISHED- the union is established)
Note : At the time of verification, all network programs should be closed: Internet explorer, ICQ, email programs ...
Determine the time of connection
If you want to know what time they will connect to you, the IP address is also the name of the computer on the network, use Attacker, it monitors the specified ports also when trying to connect it alienates to know For example, if, among the active connections, you can see that the application “Listens” to port 4899 (Radmin), then you need to take the Attacker prog plus add this port (in TCP) to monitor it, when you connect to it, the prog will notify you (connection it will not be installed in any way). On the skin you can see that at 13:51:17 from the IP address: XXX.168.1.177 there was an attempt to connect to port 4899, the name of the remote computer on the network: YURI.
If one of the users of the local network "climbed" to your hard drive, then among the connections will be on port 139 ( nbsession ). On the skin you can see that the user with the IP address XXX.168.1.25 connected to my computer through the network environment The Internet Maniac program instead of the port number can illustrate the name of the service assigned to this port, in this case it is nbsession- port 139.
Scan a remote computer
When some network services are running on the computer, they open ports, i.e. having scanned the ports on the remote computer, it is allowed to see which of them are open, the skin shows the result of scanning the computer on which the Radmin program server is installed (default port: 4899). Those. if during scanning you saw open port 80, it means that a web server is installed there, if 3218, 8080 or 80, then this is most likely a proxy server ...
How to determine whether the program is installed or not
If your ports are open (LISTEN or ESTABLISHED status), and no network programs are running at all, then it is possible that this is a server of the remote control program, try to watch all the running programs (CTRL-ALT-DELETE) if you do nothing found (often the programs are specially made so that they can not be seen), it is allowed to use any task manager that shows all running applications such as Process Wiewer, Task Meneger ... now it is allowed to unload any program, If the association was established, it will break I.
How to know passwords
In order to find out passwords, admins can use several methods, the easiest is also the most frequently encountered using Keyloggers, i.e. programs that record all keystrokes, the most famous of them is hookdump95, usually similar programs catch antiviruses, but who can stop writing your own?
PS: So far, I took screenshots of the article, the admin cleaned up my floppy disk, which at that time was in the floppy drive, but someone else’s semester was on it ... also who is he later than that ???