September 29th, 2002 05:04 PM
What are the symptoms of a hi-jacked system. With other words how do I know that a system is hijacked?
September 29th, 2002 05:16 PM
Well, usually hijacking, to my understanding, usually refers to a remote session like a telnet or SSH or something like that being hijacked.
Unless you are thinking of a trojan.
Look for unusual processes (ones that you haven't seen running before) and any ports open. Additionally, if the system starts doing stuff (like open CDrom, power off) when you did tell it to is another big hint.
September 29th, 2002 05:32 PM
The term of hi-jacking can refer to a lot of different attacks.
But it is very difficult to detect it, you can search some incoherences to your traffic messages: TCP packets with bad numbers, arp and mac spoofing...
The hi-jack by itself can't, by definition, be detected. You can only detect some ways an intruder use to monitor and attack your connection.
Life is boring. Play NetHack... --more--
September 29th, 2002 08:38 PM
Hey if your haveing problems or you are worried about intruders and potentially deadly code that can take over systems then you need to check for funny activities in your ports, get a firewall, & get anti-virus that can remove trojans.
September 30th, 2002 02:58 AM
And run arpwatch, man-in-the-middle attacks are scary stuff.
\"Now it\'s time to erase the story of our bogus fate. Our history as it\'s portrayed is just a recipe for hate!\"
October 2nd, 2002 11:57 PM
Thx for your suggestions, I'm a novice in the security game and would like to get deeper into the matter. So I'm looking to learn more things, for example what are weird tcp packets? Another example is DDOS-attacks, are there symptoms that you can find of a preparation of an attack. Another question that come to mind is in a DOS-attack is the attacker using trojans that can be detected or is he using another method. I hope that I'm not asking the wrong questions. Please bear with me. Thx for all your replies.
October 3rd, 2002 12:15 AM
your computer would do severly strange ****, deleted files, crashing, unknown rebooting, anti virus acting weird, firewall crashing, all it really shouldnt
October 3rd, 2002 05:24 AM
Well, yes and no. A DDoS attack is more likely to use the method that you mentioned. What a DDOS, or Distributed Denial of Service attack, is an attack from multipule systems that have been compromised, to obey the commands of the person or Worm that was placed there. In the case we'll keep it simple and say they are doing a ICMP flood. To put that simply its like the worm or hacker is telling the computer to do ping -l 65000 -t 255.255.255.255.(just an example).Well, with a few hundred systems running this command with all the same target IPit would cause your system to 'crash', cause packet loss, and inturn causing packet loss to everything behind it. Router, Switch, SUBNETS.
Originally posted here by MrEsco
Another question that come to mind is in a DOS-attack is the attacker using trojans that can be detected or is he using another method.
Hope this helps you understand.
It is better to be HATED for who you are, than LOVED for who you are NOT.
THC/IP Version 4.2
October 3rd, 2002 08:50 PM
Yeah, man-in-the-middle attacks are definitely nasty. I was reading about an attack where someone placed some sort of web proxy between a client machine and the actual webserver it was trying to contact, and the client requests were able to be viewed and edited before being forwarded to the ultimate destination. Nasty stuff!
Opinions are like
holes - everybody\'s got\'em.
October 3rd, 2002 10:53 PM
A DoS attack on a linux system can usually be detected by doing a ps aux. You will see a lot of connections from the same IP address or you will see a certain port with a lot of traffic. Its tough to defend against but once you have determined you are under attack you can defend yourself by dropping the IP in the host.deny and using IP chains and IP tables. Once that is taken care of you can call your upstream ISP to have them filter it out.