Windows Forensics: Have I been hacked?

When reviewing a lot of the posts I see that there are many topics that ask the same question: how do I go about seeing if I have been hacked?

I am writing this tutorial for these people. In this tutorial I will show you how to determine if your Windows NT, XP, or 2000 box has been hacked and how you can go about cleaning up the files the intruder may have left behind. This tutorial should show you how to detect most hacks, but there are other methods that will be much harder to detect and will require a greater degree of knowledge to find. In my experience, though, most of the hacks that are done en masse, especially by script kiddies, will be detectable through these methods.

Almost all the utilities that I will use in this tutorial are freeware and downloadable. I have also included in the next section a list of these programs and their locations. Please note that this tutorial primarily focuses on Windows XP, 2000, and NT, as some of these utilities do not work on earlier versions of Windows. Some of the discussion in this tutorial may be advanced for some users. Please feel free to message or email me if you have questions or suggestions.

The utilities you will need for this Tutorial are as follows:

Fport

This is a console utility that is run from the command line. When you run it, it will list all open TCP/UDP ports on your system and the program that is using those ports.

TCPView

This is a program similar to Fport, but it shows the same information in a graphical interface. Some people prefer this.

Process Explorer

This program will list all open processes and delineate between the parent processes and the processes that are spawned by the parent. This is a very useful program.

PSTools

This is a collection of console command-line tools that can list open processes, kill processes, and perform many other useful functions.

NTFSDOS

This is only necessary if you have NTFS Volumes. This program will allow you to create a boot disk that enables you to read any NTFS Volumes that you have on your computer. The only drawback to this program is that you need the commercial version to actually delete/write to these volumes, as the free version is Read Only. There are more advanced alternatives, which I will give below.

Dos/Windows Boot Disk –
http://www.startdisk.com/ or http://www.bootdisk.com/bootdisk.htm

These sites enable you to create boot disks in which you will boot the computer.

Filealyzer

This tool adds a Windows Explorer shell extension to the right-click menu for a file. When you use Filealyzer on that file you will be able to see a lot of information about it, such as whether it is a packed exe (save that for another tutorial) or its version information. What I use it for is the hex dump and the ability to list the strings found in the binary file. From the strings you can gain a lot of useful information about what the program does or is.

Dameware NT Utilities

This program allows you to remotely administer a computer/group of computers. I was hesitant to put this on as it is not freeware, but it is such a great utility.


Why would someone want to hack me?

There are many reasons why someone would want to hack your computer. From my experience the most common reasons are as follows:

1. Set up an FTP server (a "pubstro") to distribute copyrighted material.
2. Set up an IRC client/bot that is used to DDoS other computers, flood IRC users, scan/hack other computers, and distribute copyrighted material.
3. Use your computer to scan or hack into other computers. This gives them a degree of anonymity.

How can I tell if I have been hacked?

Almost every remote hack involves leaving a program behind that will allow the intruder to get back into your computer regardless of whether or not you fix the security problem that let them in in the first place. The only time a hacker does not leave something behind is when they are hacking your computer for specific information or an item. Almost 99% of the time this is not the case.

The programs that they leave behind are IRC clients that they can control from a channel on an IRC Server or a Backdoor/Trojan.

Since these clients or Trojans must listen and wait for connections from the hacker, they must listen on a TCP or UDP port. With that in mind, the tools that I list above come into play. Using Fport or TCPView will allow you to see what TCP/UDP ports are open and listening on your computer and what program is using those ports.

To see what programs are running and are listening on TCP/UDP ports you would use Fport or TCPView.

For example, let's say a hacker uses the RPC/DCOM exploit that came out recently to get a command shell on your computer. They download and install SubSeven on your computer. Since many installations of SubSeven use the default TCP port 27374, it is very easy to spot this Trojan running on your computer.

By running Fport you would see the following:

FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port   Proto  Path
636   svchost        ->  135    TCP    C:\WINDOWS\system32\svchost.exe
4     System         ->  139    TCP
4     System         ->  445    TCP
660   svchost        ->  27374  TCP    C:\WINDOWS\System32\s.exe

From looking at this output you can see that you have a program in the directory c:\windows\system32 called s.exe. Right off the bat, that file name looks suspicious, let alone the port it is listening on.
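Reading Fport output by eye works for one box, but the same checks can be written down and run over any Fport listing. The script below is an added example (not part of the original tutorial and not a Foundstone tool): it parses Fport v2.0 output and flags a listener when its port is a known backdoor default (only SubSeven's 27374 from the tutorial is listed), when its image lives outside the system directory, when the process name Fport reports does not match the image on disk, or when the image has a one-character name. The sample listing is the tutorial's own output, embedded here as constructed test input.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the Fport v2.0 listing from the tutorial.
SAMPLE_FPORT_OUTPUT = r"""FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port   Proto  Path
636   svchost        ->  135    TCP    C:\WINDOWS\system32\svchost.exe
4     System         ->  139    TCP
4     System         ->  445    TCP
660   svchost        ->  27374  TCP    C:\WINDOWS\System32\s.exe
"""

# One Fport data line: pid, process name, "->", port, protocol, optional path.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")

# Default ports of backdoors the tutorial names; extend from your own notes.
KNOWN_TROJAN_PORTS = {27374: "default SubSeven port"}

# Where legitimate service binaries live on NT/2000/XP (lower-cased for comparison).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\winnt\\system32\\")


@dataclass
class Listener:
    pid: int
    process: str
    port: int
    proto: str
    path: str  # empty when Fport prints no path (e.g. the System process)


def parse_fport(text):
    """Turn raw Fport output into Listener records, skipping banner lines."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            listeners.append(Listener(int(pid), proc, int(port), proto, path))
    return listeners


def triage(listeners):
    """Return [(listener, [reasons])] for every listener that trips a heuristic."""
    findings = []
    for lst in listeners:
        reasons = []
        if lst.port in KNOWN_TROJAN_PORTS:
            reasons.append(KNOWN_TROJAN_PORTS[lst.port])
        if lst.path:
            lower = lst.path.lower()
            image = lower.rsplit("\\", 1)[-1]          # file name part of the path
            stem = image.rsplit(".", 1)[0]             # file name without extension
            if not lower.startswith(SYSTEM_DIRS):
                reasons.append("image outside the system directory")
            if stem != lst.process.lower():
                # Fport's Process column comes from the process table; the Path
                # column is the image on disk. A mismatch is worth a look.
                reasons.append(f"process name {lst.process!r} does not match image {image!r}")
            if len(stem) == 1:
                reasons.append("one-character image name")
        if reasons:
            findings.append((lst, reasons))
    return findings


if __name__ == "__main__":
    for lst, reasons in triage(parse_fport(SAMPLE_FPORT_OUTPUT)):
        print(f"PID {lst.pid} {lst.proto}/{lst.port} {lst.path or '(no path)'}")
        for r in reasons:
            print("   -", r)
```

On the tutorial's listing only the pid 660 entry is reported, for three reasons at once: the SubSeven port, the reported process name svchost not matching the image s.exe, and the one-character name. The port 135/139/445 listeners are normal on XP and produce no finding.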

You would then go into Task Manager, kill the process, and delete the file. You should look around some more and see if there are any other files that have the same creation date, as hackers generally leave more than one file behind.

If you cannot kill the process via task manager, then you would want to check the services and see if the program is running as a service. If it is, stop the service, and then try to delete the file.
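The "same creation date" sweep above can be automated. The function below is an added example, not from the tutorial: given the file you already identified (s.exe in the walkthrough), it walks a directory tree and returns every other file created within a time window of it, closest first. The window and the root directory are parameters you choose; on Windows the stat "ctime" is the creation time the tutorial means, while on Unix it is the inode change time, so the sweep is only approximate there.

```python
import os
from datetime import timedelta


def creation_time(path):
    """Best available creation timestamp for a file.

    Python exposes st_birthtime where the platform provides it; on Windows
    versions without it, st_ctime is the creation time. On Unix st_ctime is
    the inode change time, so results there are approximate.
    """
    st = os.stat(path)
    return getattr(st, "st_birthtime", st.st_ctime)


def files_created_near(reference_file, root, window=timedelta(minutes=30)):
    """Return [(path, seconds_from_reference)] for files under `root` whose
    creation time is within `window` of `reference_file`, closest first."""
    ref_time = creation_time(reference_file)
    ref_abs = os.path.abspath(reference_file)
    limit = window.total_seconds()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.abspath(path) == ref_abs:
                continue  # the file we started from
            try:
                delta = creation_time(path) - ref_time
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if abs(delta) <= limit:
                hits.append((path, delta))
    hits.sort(key=lambda item: abs(item[1]))
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python sweep.py C:\WINDOWS\System32\s.exe C:\WINDOWS
    for path, delta in files_created_near(sys.argv[1], sys.argv[2]):
        print(f"{delta:+9.0f}s  {path}")
```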

You can also see if you can find out how the program is being started on boot up. I find this is generally in the registry for non-services. The key is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

There are other registry entries, especially for services, that can load a program on startup. You can launch regedit and search for the filename and see what comes up.

Other places to look for where programs can be launched at startup are:
Autoexec.bat
Winstart.bat
Win.ini
System.ini
The Startup folder.
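The registry Run key and the ini files listed above can be audited the same way: collect every startup command, reduce each to the image it launches, and compare against what a clean box of the same build starts. The script below is an added example, not from the tutorial. It parses a regedit export (.reg) of the Run key, the [windows] load=/run= lines of win.ini and the [boot] shell= line of system.ini, and reports entries whose image is not in a baseline you supply. The three inputs are constructed samples; the s.exe entries continue the tutorial's SubSeven example and the baseline set is an assumption you would replace with your own.

```python
import configparser
import re

# Constructed sample inputs. A .reg export doubles backslashes inside quoted values.
SAMPLE_RUN_KEY_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"WinUpdate"="C:\\WINDOWS\\System32\\s.exe"
"""

SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\System32\s.exe
"""

SAMPLE_SYSTEM_INI = r"""[boot]
shell=explorer.exe
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_run_key(reg_text, key=RUN_KEY):
    """Yield (value_name, command) pairs from the named key of a .reg export."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line == f"[{key}]"
            continue
        m = REG_VALUE_RE.match(line) if in_key else None
        if m:
            name, value = m.groups()
            yield name, value.replace("\\\\", "\\")  # undo .reg escaping


def parse_ini_values(ini_text, section, keys):
    """Yield (key, value) for the given keys of an ini section, skipping empty ones."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    for key in keys:
        value = cp.get(section, key, fallback="").strip()
        if value:
            yield key, value


def image_name(command):
    """Lower-cased file name of the program a startup command launches."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split()[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def collect_startup_entries(reg_text, win_ini_text, system_ini_text):
    """Return [(source, name, command)] from all three startup locations."""
    entries = []
    entries += [("Run key", n, c) for n, c in parse_reg_run_key(reg_text)]
    entries += [("win.ini", k, v) for k, v in parse_ini_values(win_ini_text, "windows", ("load", "run"))]
    entries += [("system.ini", k, v) for k, v in parse_ini_values(system_ini_text, "boot", ("shell",))]
    return entries


def audit_startup(entries, baseline_images):
    """Entries whose launched image is not in the known-good baseline."""
    return [e for e in entries if image_name(e[2]) not in baseline_images]


if __name__ == "__main__":
    # Assumed baseline: what a clean box of the same build starts. Build your own.
    baseline = {"soundman.exe", "explorer.exe"}
    entries = collect_startup_entries(SAMPLE_RUN_KEY_REG, SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI)
    for source, name, command in audit_startup(entries, baseline):
        print(f"UNEXPECTED [{source}] {name} = {command}")
```

Two design points: the Run key is read from a regedit export rather than live, so the same script works against a hive copied off the box or exported from another machine, and the comparison is on the launched image rather than on the whole command line, so an entry that merely adds arguments to a known program does not trip it.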

What if Fport or TCPView says there is a program running but I can't find it!?

Cleaning up a hack in this scenario is much harder, as a rootkit is generally hiding the Trojan/backdoor. Rootkits are programs that allow an intruder to hide registry entries, service entries, processes, directories or file names. Though more common in Unix hacks, they are starting to become more prevalent in Windows-based hacks as well.

Don't worry though, there are still ways to detect these rootkits and clean them up. Since these rootkits are running as processes on the hacked machine, they only stop the hacked machine from seeing the registry entries, directories, files, processes or services. The rootkit does not affect other machines looking at the files or drives.

There are a few ways to connect to your machine or drives in order to see the files:

One way is to just share your C: drive and connect to your machine from another computer. That remote computer can be another Windows computer or, my favorite, a Linux machine using its smbclient.

When connected through another computer you can see all the files and directories that are normally hidden, sort by date, and see the files that should not be there.

If you need to remove registry entries you can connect to the registry remotely from another computer using Dameware NT Utilities or another program like it. Because you are connecting to your computer from another computer, where the rootkit is not affecting what you see, you will be able to see all hidden objects.

If you do not have another computer at your disposal you should make a bootable disk and boot off that disk. You will then be unaffected by the rootkit and be able to delete files at will.

If your volumes are NTFS volumes, it can be a little harder. You can use a bootable CD that contains a Linux distribution such as the following:

http://trinityhome.org/trk/
http://fire.dmzs.com/

Both of these distributions offer NTFS support and forensic utilities. You can also use the NTFSDOS program that I referenced above. That is a great program, but the functionality really increases when you have a licensed version. With the licensed version you are able to make a bootable floppy from which all the NTFS drives are mounted and visible, and you can write to them instead of only being able to read from them.

Other Hacks? And are they detectable?

What I have covered so far are the more generic hacks that are used. They are the most common and can be detected with the methods above. This tutorial, though, cannot cover all possible hacks and ways to detect them. I will give a brief summary of some other types of hacks, but will not go into removing them, as they can be a tutorial unto themselves. A simple Google search can provide that information.

Alternate Data Streams: Alternate Data Streams were introduced into NTFS volumes to support the Macintosh Hierarchical File System and are widely undocumented. With the use of Alternate Data Streams, or ADS, a hacker can hide files, even executables, and make them almost invisible to the operating system and therefore to yourself. There are tools out there such as LADS that will enable you to see ADS files, but they will not delete them. Luckily, even if an executable Internet application is hidden using ADS, Fport will still detect it. It will show up as :somefilename or somefilename:somefilename2.
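The two forms above (:somefilename and somefilename:somefilename2) are easy to miss in a long Fport listing because a normal Windows path also contains a colon, in the drive letter. The functions below are an added example, not from the tutorial: split_ads() separates the host file from the stream name while ignoring the drive-letter colon, and find_ads_paths() applies it to a list of image paths such as the Path column of Fport. The paths used in the test are constructed; the trailing :$DATA form is the full NTFS stream syntax, which some tools print and which is stripped here.

```python
import re

# "C:\..." or a bare "C:" – the colon here belongs to the drive, not to a stream.
_DRIVE_RE = re.compile(r"^[A-Za-z]:(\\|$)")


def split_ads(path):
    """Split an NTFS path into (file, stream).

    stream is None for an ordinary file. A leading drive letter is skipped so
    its colon is not mistaken for the stream separator. A trailing ':$DATA'
    type qualifier, if present, is removed from the stream name.
    """
    start = 2 if _DRIVE_RE.match(path) else 0
    idx = path.find(":", start)
    if idx == -1:
        return path, None
    file_part, stream = path[:idx], path[idx + 1:]
    if stream.upper().endswith(":$DATA"):
        stream = stream[: -len(":$DATA")]
    return file_part, stream


def find_ads_paths(paths):
    """Return [(original_path, host_file, stream)] for paths that name a stream."""
    hits = []
    for p in paths:
        host, stream = split_ads(p)
        if stream is not None:
            hits.append((p, host, stream))
    return hits


if __name__ == "__main__":
    # Constructed sample paths in the shapes the tutorial says Fport prints.
    sample = [
        r"C:\WINDOWS\system32\svchost.exe",
        r"C:\WINDOWS\system32\calc.exe:hidden.exe",
        ":hidden.exe",
        "somefile.txt:somefilename2",
    ]
    for original, host, stream in find_ads_paths(sample):
        print(f"ADS: stream {stream!r} attached to {host or '(unnamed/current directory)'!r}")
```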

Kernel and Device Driver hacks: An experienced hacker may have the knowledge to actually patch/intercept system drivers, device drivers, or system calls. This will enable them to issue commands to the OS at Ring 0, or at the "operating system kernel security level". If a hack like this occurs, usually the best course is to back up your data and reinstall the OS. This is because if they have such access to the box, then you really cannot be sure what else has been compromised.

Conclusion

Ultimately, the decision is yours to try to clean up the box and continue using it, or to reinstall the OS. In some situations you can definitely clean up the hack and continue using the box, but in others the safest bet may be to do a reinstall. That must be a judgement call you make.

I hope all of this helps, and if you have any questions, please do not hesitate to ask.

Grinler
grinler@yahoo.com


08-08-03: Tutorial updated to include more advanced hacks such as ADS and Ring0 Hacks.