
Thread: how do you know if you have been hacked?

  1. #11
    Banned
    Join Date
    Sep 2001
    Posts
    2,810
    Originally posted here by TidaLphasE23
    Thanks for the negs mark_boyle2002, just goes to show the maturity that "some" seniors like yourself greatly lack. kativan made his first post with a simple question that could have been answered easily by any courteous person that could help. Instead you were a smartypants. Why? Do you get off on showing you are smarter than a newbie? Maybe you should think back when you were less than knowledgeable in this field and be more helpful.

    p.s. I think that I can speak fine English thanks, so with an attitude like yours toward new members maybe you should do an anger management course and start hugging some trees. cheerio.

    Tidal I'll give you some greens but I recently did so I have to spread them around. The fact that anyone would get negged for a post like this is incredible. I'm going to start collecting posts like this then post a huge link of idiotic threads that will show how bad AO has gone.

    I didn't get negged for this post which is odd.

  2. #12
    Junior Member
    Join Date
    Aug 2003
    Posts
    11
    Not to thread jack, but why do you have to spread them around, it's like a "politically correct" thing to do, when points should be used to indicate the worthiness of a topic, or a reply.

  3. #13
    Originally posted here by jadetiger
    Not to thread jack, but why do you have to spread them around, it's like a "politically correct" thing to do, when points should be used to indicate the worthiness of a topic, or a reply.

    The system won't let a user give points to another user without first giving points to a number of other users.. Hence, 'spreading' your points around..

  4. #14
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021

    Greenie Fever

    Once again another thread has degenerated into antipoint wars, people bitching about antipoints etc. etc.



    So to try and get a reply from the poster, before they run away in a panic wondering WTF is going on round here with flame wars and antipoint madness...

    Kativan, has any of this been of any use to you at all?

    Please let us know.
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  5. #15
    Senior Member
    Join Date
    Jul 2002
    Posts
    315
    This confirms how bad AO has become. I never thought this community would have come this way so far but it did.

    Guys can't we just go back to how things used to be? How hard is it to just give someone direction without all the flak? How hard is it to ask someone a question before jumping to conclusions? We can all do this if we try and make this place the way it used to be. I would love that, wouldn't you?

    Guidance...
    - The mind is too beautiful to waste...
    Cutty


  6. #16
    Junior Member
    Join Date
    Aug 2003
    Posts
    7
    ok, if they did manage to hack my computer, what exactly could they get from my computer? I went and looked at the event log and they have been doing this over 1800 times in the last 2 days.

    kativan

  7. #17
    Originally posted here by kativan
    ok, if they did manage to hack my computer, what exactly could they get from my computer? I went and looked at the event log and they have been doing this over 1800 times in the last 2 days.

    kativan

    They could get a lot of things. For example, they could run a program to get cached passwords on your machine, or they can scan through documents where you may have sensitive info such as credit cards or passwords. Most likely though, they would do one or more of these three things: set up an FTP server, an IRC client, or use your box to scan other networks for insecure servers.

    While some of the comments above tell you what exploit was probably used, rpc, and what can be done in the future to protect yourself, personal firewalls, you still have not been told how to detect if something was put on your machine.

    Most remote hacks involve leaving a program behind that would allow them to get back into your box in the future. Therefore, they will run a program that will start when you boot up your computer and listen on some port for connections. Then the hacker can get into your computer whenever he wants.

    I am making the assumption that your box is a Windows-based computer. There are a few great programs out there that make it very easy to find running programs.

    First one is fport which can be found at:
    Foundstone

    Download fport. This is a command line program that will list all programs that are listening on TCP/UDP ports on your computer. You can then determine if something doesn't look quite right.

    Another program is tcpview which can be found at:
    Sysinternals

    Download TCPView. This is a similar program to fport above, but I have found that it actually sometimes finds programs that fport does not.

    You can also download Process Explorer from the above site. This will list the various processes on your machine and the other processes that they spawn.

    When using these tools you can find those programs that are running on ports that don't look right, or post them on here for people to see what they think.

    Another place to look for programs that are added to your system is the registry. Though I don't advise you really delete anything from there unless you know what you're doing, a very popular key for people to put programs that run on startup is:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    That is one of the keys that lists the programs that will start when you boot your computer.
    You should also check the machine's services to see if there is anything there out of place.

    One of the hardest trojans/hacks to detect is if they put a root kit on your box. These programs make it very hard to detect as they actually hide services, files, directories, and processes from being seen. One of the best ways to detect and see these hidden objects is to connect to your box from another machine. When you do that, you will then be able to see the hidden files/directories.

    Hope this helps.

    Grinler
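
The three checks from the post above (listening ports, the Run key, services), as an added PowerShell example that is not part of the original thread. It assumes a current Windows release with the built-in `Get-NetTCPConnection` and `Get-CimInstance` cmdlets; the "outside the usual install directories" flag in step 3 is a review heuristic of this example, not a verdict.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.

# 1. Listening TCP ports with the owning process: the view fport / TCPView give.
Get-NetTCPConnection -State Listen | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Address   = $_.LocalAddress
        Port      = $_.LocalPort
        ProcessId = $_.OwningProcess
        Name      = $p.ProcessName
        Path      = $p.Path          # may be empty for protected processes
    }
} | Sort-Object Port | Format-Table -AutoSize

# 2. Programs started at boot from the Run key named in the post.
$runKey = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runKey.GetValueNames() | ForEach-Object {
    [pscustomobject]@{ Name = $_; Command = $runKey.GetValue($_) }
} | Format-Table -AutoSize -Wrap

# 3. Auto-start services whose binary lives outside the usual install
#    directories. Heuristic (assumption of this example): review these first.
$roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
$usual = '^"?(' + ($roots -join '|') + ')\\'

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notmatch $usual } |
    Select-Object Name, State, StartName, PathName |
    Format-List
```

These queries run on the live system, so the root kit caveat in the post applies to them as well: anything hidden from the operating system is hidden from this output too.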

  8. #18
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hey Kativan...chill out huh? Most probably there was no real harm done, or your machine would not work?

    You must change all your passwords, and do NOT let your system remember them for you...write them down and put them in a safe place, preferably locked. If someone breaks, or picks that lock...they are now in serious crime territory?...most would not have the courage. I guess you also have to assume that any personal data on your system is compromised, so theft of identity is a possibility?

    They may have loaded a whole raft of remote access stuff on your machine.............they failed their swimming lessons in the human genetic pool, so this is their way of compensating....

    I would suggest that you find the PC-cillin website and run their "housedoctor" online malware detection program. Also get SpyBot Search & Destroy (you will have to find this as I do not have the link at the moment..just moved house..this is an old PII I am using!!!!) Update the detection file, then run that.

    I have put a pair of items in tutorials under "countermeasures"....or something, including that...try some of the links...they may help?


    Good Luck...Be Safe...Stay Safe

    Johnno

  9. #19
    Junior Member
    Join Date
    Aug 2003
    Posts
    7

    finding who did it?

    Is there any way to find out who did this?

  10. #20
    Junior Member
    Join Date
    Aug 2003
    Posts
    11
    It depends on what you have on that machine, do you have something other than the event log that would record traffic/connections to your machine? If not you should install something like the win32 port of Snort (http://www.snort.org/dl/binaries/win32/), I don't know if you can use MySQL and ACID like on Linux, but Snort records attacks into the MySQL database, and you use ACID to view what those attacks were. I also have awstats (http://awstats.sourceforge.net) interpret my Apache log files, where I can see some of the malicious URLs for exploits coming to my webserver. On my XP Pro boxes I have PC-cillin, which logs attacks like that and has the firewall. Of course so does my home router. If you have all the registration numbers and CDs for your installed software, reinstall the OS, patch, reinstall application software and then harden your system. Then you will know you are safe.
