Window Forensics: Have I been hacked?
Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Window Forensics: Have I been hacked?

  1. #1

    Window Forensics: Have I been hacked?

    Window Forensics: Have I been hacked?

    When reviewing a lot of the posts I see that there are many topics that ask the same question. How do I go about seeing if I have been hacked?

    I am writing this Tutorial for these people. In this tutorial I will show you how to determine if your Windows NT, XP, or 2000 box is hacked and how you can go about cleaning up the files they may have left behind. This tutorial should show you how to detect most hacks, but there are other methods that will be much harder to detect and will require a greater degree of knowledge in detecting them. In my experience, though, most of the hacks that are done in mass, especially by the script kiddies will be detectable through these methods.

    Almost all the utilities that I will use in this Tutorial are freeware and downloadable. I have also included in the next section a list of these programs and their locations. Please note that this tutorial primarily focuses on Windows XP, 2000, and NT as some of these utilities do not work on the earlier versions of Windows. Some of the discussion in this tutorial may be advanced to some users. Please feel free to message or email me if you have some questions or suggestions.

    The utilities you will need for this Tutorial are as follows:

    Fport

    This is a console utility that is run from the command line. When you run it, it will list all open TCP/UDP ports on your system and the program that is using those ports.

    TCPView

    This is a similar program to Fport, but shows it in a graphical interface. Some people prefer this more.

    Process Explorer

    This program will list all open processes and delineate between the parent processes and the processes that are spawned by the parent. This is a very useful program.

    PSTools

    This is a collection of console command line tools that can list open processes, kill processes, as well as many other useful functions.

    NTFSDOS

    This is only necessary if you have NTFS Volumes. This program will allow you to create a boot disk that enables you to read any NTFS Volumes that you have on your computer. The only drawback to this program is that you need the commercial version to actually delete/write to these volumes, as the free version is Read Only. There are more advanced alternatives, which I will give below.

    Dos/Windows Boot Disk Ė
    http://www.startdisk.com/ or http://www.bootdisk.com/bootdisk.htm

    These sites enable you to create boot disks in which you will boot the computer.

    Filealyzer

    This tool adds a windows explorer shell extension to your right click on a file. When you use Filealyzer on that file you will be able to see a lot of information about the file. Information such as whether itís a packed exe (save that for another tutorial) or the version information. What I use it for is the hex dump and then the ability to list the strings found in the binary file. From the strings you can gain a lot of useful information as to what the program does or is.

    Dameware NT Utilities

    This program allows you to remotely administer a computer/group of computers. I was hesitant to put this on as it is not freeware, but it is such a great utility.


    Why would someone want to hack me?

    There are many reasons why someone would want to hack your computer. From my experience the most common reasons are as follows:

    1. Setup a FTP Server (Pubstros) to distribute copyrighted material.
    2. Setup an IRC client/bot that is used to DDOS other computers, flood IRC users, scan/hack other computers, and to distribute copyrighted material.
    3. Use your computer to scan other or hack into other computers. This gives them a degree of anonymity.

    How can I tell if I have been hacked?

    Almost every remote hack involves leaving a program behind that will allow them to get back into your computer regardless of whether or not you fix the security problem that let them into your computer in the first place. The only times a hacker does not leave something behind, is if they are hacking your computer for specific information or an item. Almost 99% of the time this is not the case.

    The programs that they leave behind are IRC clients that they can control from a channel on an IRC Server or a Backdoor/Trojan.

    Since these clients or Trojans must listen and wait for connections from the hacker, they must listen on a TCP or UDP port. With that in mind, the tools that I list above come into play. Using Fport or TCPView will allow you to see what TCP/UDP ports are open and listening on your computer and what program is using those ports.

    To see what programs are running and are listening on TCP/UDP ports you would use Fport or TCPView.

    For example, lets say a hacker uses the RPC/DCOM exploit that came out recently to get a command shell to your computer. They download and install SubSeven on your computer. As many installations of SubSeven use the default TCP Port 27374 it makes it very easy to spot this Trojan running on your computer.

    By running Fport you would see the following (Formatting is a little messed up here):

    FPort v2.0 - TCP/IP Process to Port Mapper
    Copyright 2000 by Foundstone, Inc.
    http://www.foundstone.com

    Pid Process Port Proto Path
    636 svchost -> 135 TCP C:\WINDOWS\system32\svchost.exe
    4 System -> 139 TCP
    4 System -> 445 TCP
    660 svchost -> 27374 TCP C:\WINDOWS\System32\s.exe

    From looking at this output you can see that you have a program in the directory c:\windows\system32 called s.exe. Right off the bat, that file name looks suspicious let alone the port it is listening on.

    You would then go into task manager, kill the process, and then delete the file. You should look around some more and see if there are any other files that have the same creation date, as hackers generally leave more than 1 file behind.

    If you cannot kill the process via task manager, then you would want to check the services and see if the program is running as a service. If it is, stop the service, and then try to delete the file.

    You can also see if you can find out how the program is being started on boot up. I find this is generally in the registry for non-services. The key is:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    There are other registry entries, especially for services, that can load a program on startup. You can launch regedit and search for the filename and see what comes up.

    Other places to look for where programs can be launched at startup are:
    Autoexec.bat
    Winstart.bat
    Win.ini
    System.ini
    The Startup folder.

    What if Fport or TCPView says there is a program running but I cant find it!!!?!?

    Cleaning up a hack in this scenario is much harder as a Root Kit is generally hiding the Trojan/Backdoor. Root Kits are programs that allow you to hide registry entries, service entries, processes, directories or filenames. Though more common in Unix hacks, they are starting to become more prevalent in Windows based hacks as well.

    Donít worry though, there are still ways to detect these Root Kits and clean them up. Since these Root Kits are running as processes on the hacked machine, they only stop the hacked machine from seeing the registry entries, directories, files, processes or services. The Root Kit does not affect other machines looking at the files or drives.

    There are a few ways to connect to your machine or drives in order to see the files:

    One way is to just share your C: drive and connect to your machine from another computer. That remote computer can be another Windows Computer, or my favorite, using Linux and itís smbclient.

    When connected through another computer you can see all the files and directories that are normally hidden, sort by date, and see the files that should not be there.

    If you need to remove registry entries you can connect to the registry remotely from another computer using Dameware NT utilities, or use another program like it. Due to the fact that you are connecting to your computer from another computer, where the Root Kit is not affecting what you see, you will be able to see all hidden objects.

    If you do not have another computer at your disposal you should make a bootable disk and boot off that disk. You will then be unaffected by the Root Kit and be able to delete files at your whim.

    If your volumes are NTFS volumes, it can be a little harder. You can use a bootable CD that contains a linux distrubitions such as the following:

    http://trinityhome.org/trk/
    http://fire.dmzs.com/

    Both of these distributions offer NTFS support and forensic utilities. You can also use the NTFSDOS program that I reference above. That is a great program, but the functionality really increases when you have a licensed version of it. When you have the licensed version of it you are able to make a bootable floppy and all the NTFS drives are mounted and visible, but now you can also write to it instead of only being able to read from it.

    Other Hacks? And are they detectable?

    What I have covered so far are the more generic hacks that are used. They are the most common and can be detected with the methods above. This tutorial, though, can not cover all possible hacks and ways to detect them. I will give a brief summary on some other types of hacks, but will not go into removing these types of hacks, as they can be a tutorial unto themselves. A simple google search can provide that information.

    Alternate Data Streams: Alternate Data streams were introduced into NTFS volumes to support the Macintosh Hierarchical File System and are widely undocumented. With the use of Alternate Data Streams or ADS, a hacker can hide files, even executables, and make them almost invisible to the operating system and therefore yourself. There are tools out there such as LADS that will enable you to see ADS files, but they will not delete them. Luckily, even if a executable Internet application is hidden using ADS, fport will still detect them. They will show up as :somefilename or somefilename:somefilename2.

    Kernel and Device Driver hacks: An experienced hacker may have the knowledge to actually patch/intercept system drivers, device drivers, or system calls. This will enable them to issue commands to the OS as Ring0 or at a "Operating System Kernel Security Level". If hack like this occurs, usually the best situation is to backup your data and reinstall the OS. This is because if they have such access to the box, then you really can not be sure what else has been compromised.

    Conclusion

    Ultimately, the decision is yours to try to clean up the box and continue using it, or to reinstall the OS. In some situations you definitely clean up the hack and continue using the box, but in others the safest bet may be to do a reinstall. That must be a judgement call you make.

    I hope all of this helps and if you have any questions, please do not hesitate to ask/

    Grinler
    grinler@yahoo.com


    08-08-03: Tutorial updated to include more advanced hacks such as ADS and Ring0 Hacks.

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Donít worry though, there are still ways to detect these Root Kits and clean them up.
    Nice tut, but what if I was an "Elite Hax0r" and hid my remote via file streaming? What would ya do then? Or what if I fed your box a hacked up version of netstat.exe?

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Well hacking up netstat should not make a difference here. The tools that I mentioned do not rely on the netstat program provided by Microsoft but instead call the GetTcpTable and associated functions in order to read directly off the computer TcpTable and UdpTable. You are in the right direction though. If an "Elite Hax0r" really wanted to screw with you they could replace the iphlpapi.dll file that is under c:\opsystemdir\system32 and that should hurt those programs.

    As for the file streaming, I am not sure what you are referring to. Are you saying what if the software was located on another box?

  4. #4
    Senior Member
    Join Date
    Jul 2002
    Posts
    315
    Nice one thehorse13 but there will always be had to detect hacks. No tut would be able to cover all IMO. What do you think?

    Anway nice tut Grinler.

    Guidance...
    - The mind is too beautiful to waste...
    Cutty


  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Yeah, I hear ya cutty. I was just havin fun with the lad.

    File streaming is where you hide a file behind another using posix support in NT via the cp command. Basically I can hide nc.exe as ddcs.dll or any other file I choose. Google will provide all the NFO you need.

    Yeah, I know you were not dealing with netstat but the point is that you cover very basic hacking techniques. I decided to run with that just for fun.

    PS
    If you get a "real" rootkit you'll never ever get detected because it will hook below the OS level making everything above useless in the forensic analysis. Take a look at www.rootkit.com. For n00bs, this is a BBS site so time to dust off hyperterminal if you want to get your hands on the goodies. I have tested this rootkit in my lab and it is quite scary. I think every serious network security professional should take a peek at this little nasty.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    Banned
    Join Date
    Jul 2003
    Posts
    374
    Nice tut Grinler.

    I have recently downloaded Fport, TCPview, Process Explorer,
    registryProt, AAtools, and SamSpade, hell i will buy more boxes to get everything that
    there is. The problem for a newbee like myself is combining all of this info gathering stuff
    and making some sense of it all. Is there any easy reading,learning material that can
    make it more understandable for newcomers?

    For instance, i got a window from registryProt saying,

    An important entry has been ADDED to the registry !
    HKEY=HKEY_CLASSES_ROOT
    PATH=vbsfile\shell\open\command
    NAME=
    DATA =
    Allow this registry entry?
    (Yes to allow, No to delete)

    How would i know what to do in this situation?

    I suspect that i look like a fool, i should have known this is the kettle calling me for more
    caffeine.

    Any pointers in the right direction will be greatly appreciated,
    Thanks TidaL.

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Network security is like anything else. Over time you will develop a "feel" for it. Personally I think it is two parts technical and one part art. Try not to spread yourself thin with tools. Find a tool that performs a specific task and become intimately (no, not like that ) familiar with it. In other words, it makes more sense to have one good NetBIOS scanner than fifty of them that you can't remember how to use. This will take time but as you go along, you'll suddenly see a nice rock solid library of tools develop for yourself.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    TheHorse13-

    Thanks for the info on ADS. Did not know about ADS and it was an interesting read learning about it. Just for your information, fport still shows the executable path even if the executable is hidden via ADS. I will update the tut to express this info as well as ways to overwrite the ADS file.

    Yeah i have been to rootkit.com before. As for the root kits, even if a root kit is installed I should still be able to detect any files hidden by it after I boot up from a boot disk of some sort. I know this can be done with Hacker Defender Rootkit and NT Rootkit.

    TidaLphasE23,

    You dont look like a fool at all. The key vbsfile\shell\open\command , is the key that associates a program with a file extension of .vbs. Basically if you click on a file that ends with a .vbs whatever the is listed in the command data will run that program.

    I am not familiar with registryProt, and I do not generally use registry change alerters, but what program did it say changed the registry?

    Grinler

  9. #9
    Banned
    Join Date
    Jul 2003
    Posts
    374
    G'day Grinler, Not really sure what program changed the registry. After
    posting i logged off to try and figure a few things out. I couldn't determine if i
    had disabled any vital entry's in the registry, as i had a number of these windows
    that i did not understand, denying some and allowing others. I decided that it i
    would just do a system restore and maybe leave this one out for now, until i do
    a bit (lot) more reading up on these and other programs.

    Could you suggest a method of learning the the basic principal of these file extensions
    and just a better place to start in understanding my o/s. I am running xp pro. And would
    appreciate any advice regarding this matter.

    Thanks again. TidaL.

  10. #10
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Horse13,
    Always run binaries from a source you know isnt corrupted(CD-ROM), how bout that? Ya do it for *nix you can do it for Winnie!

    -Maestr0

    PS. Rootkit is a kick ass site if you like ASM and kernel hacking, but there are ways to detect kernel level drivers as well, it is just much more difficult and yes its VERY scary.

    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides