Hi-jacking

[MrEsco]

Hi,

What are the symptoms of a hi-jacked system. With other words how do I know that a system is hijacked?

MrEsco

[MrLinus]

Well, usually hijacking, to my understanding, usually refers to a remote session like a telnet or SSH or something like that being hijacked.

Unless you are thinking of a trojan.

Look for unusual processes (ones that you haven't seen running before) and any ports open. Additionally, if the system starts doing stuff (like open CDrom, power off) when you did tell it to is another big hint.

[KissCool]

The term of hi-jacking can refer to a lot of different attacks.
But it is very difficult to detect it, you can search some incoherences to your traffic messages: TCP packets with bad numbers, arp and mac spoofing...
The hi-jack by itself can't, by definition, be detected. You can only detect some ways an intruder use to monitor and attack your connection.

[|The|Specialist]

Hey if your haveing problems or you are worried about intruders and potentially deadly code that can take over systems then you need to check for funny activities in your ports, get a firewall, & get anti-virus that can remove trojans.

[doktorf00bar]

And run arpwatch, man-in-the-middle attacks are scary stuff.

[MrEsco]

Hi,

Thx for your suggestions, I'm a novice in the security game and would like to get deeper into the matter. So I'm looking to learn more things, for example what are weird tcp packets? Another example is DDOS-attacks, are there symptoms that you can find of a preparation of an attack. Another question that come to mind is in a DOS-attack is the attacker using trojans that can be detected or is he using another method. I hope that I'm not asking the wrong questions. Please bear with me. Thx for all your replies.

MrEsco

[preep]

your computer would do severly strange ****, deleted files, crashing, unknown rebooting, anti virus acting weird, firewall crashing, all it really shouldnt


Preep

[Dr Toker]

Originally posted here by MrEsco
Hi,

Another question that come to mind is in a DOS-attack is the attacker using trojans that can be detected or is he using another method.

MrEsco

Well, yes and no. A DDoS attack is more likely to use the method that you mentioned. What a DDOS, or Distributed Denial of Service attack, is an attack from multipule systems that have been compromised, to obey the commands of the person or Worm that was placed there. In the case we'll keep it simple and say they are doing a ICMP flood. To put that simply its like the worm or hacker is telling the computer to do ping -l 65000 -t 255.255.255.255.(just an example).Well, with a few hundred systems running this command with all the same target IPit would cause your system to 'crash', cause packet loss, and inturn causing packet loss to everything behind it. Router, Switch, SUBNETS.



Hope this helps you understand.

[t2k2]

Yeah, man-in-the-middle attacks are definitely nasty. I was reading about an attack where someone placed some sort of web proxy between a client machine and the actual webserver it was trying to contact, and the client requests were able to be viewed and edited before being forwarded to the ultimate destination. Nasty stuff!

[detoxsmurf]

A DoS attack on a linux system can usually be detected by doing a ps aux. You will see a lot of connections from the same IP address or you will see a certain port with a lot of traffic. Its tough to defend against but once you have determined you are under attack you can defend yourself by dropping the IP in the host.deny and using IP chains and IP tables. Once that is taken care of you can call your upstream ISP to have them filter it out.

Nathan