Tracking Hackers


51 replies to this topic

#1 Jove

Posted 16 December 2010 - 10:58 AM

Hello everybody! I'd like to know what I'm looking at here.

According to the following:

Search for additional Internet activity. You should only have one connection, using one port. If a hacker has gained access to your system, an additional port will be in use. Running the command from the previous step will allow you to see what IP address the hacker is using, the hacker's hostname and the port number he is connecting through. It is possible to shut down the port and block the IP address, but for the moment, let's trace down who is gaining access to the computer and track what they are doing.

How To Track Hackers

I'm not sure what I am looking at here. Is there more than one connection? It seems to say that if there is, I may have someone hacking me.

Posted Image

When you don't have to worry about your computer anymore, you can start
living again !

Success is a result, not a goal. . . . Flaubert




#2 Didier Stevens (BC Advisor)

Posted 18 December 2010 - 03:37 AM

I can't help you because you blurred the Foreign Address.

I suggest you do the following: download TCPView from Microsoft Sysinternals http://technet.microsoft.com/en-us/sysinternals/bb897437
Close all the applications you use to connect to the Internet (your browser, IAM client, ...).
Start TCPView.
Sort on column State and review the connections marked as established.
If you find Established connections you can't explain, report them back here and we'll take it from there.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 Jove (Topic Starter)

Posted 18 December 2010 - 12:54 PM

Hi, thanks . . .
The reason I blurred this out is because I didn't know what I should keep private, as I did not want to display information that might make matters worse, but OK, I'll check into your suggestion and get back to you.



#4 Jove (Topic Starter)

Posted 18 December 2010 - 02:56 PM

I have the TCPView report, and it seems to show a red line and then a yellow line; I guess that has something to do with the connection(s)?

What would you like me to do, . . I'll post the information that won't compromise my privacy, etc.



#5 Didier Stevens (BC Advisor)

Posted 18 December 2010 - 04:18 PM

Lines that appear in red are connections, listening ports, ... that have been closed.

Close all the applications you use to connect to the Internet (your browser, IAM client, ...).
Start TCPView.
Sort on column State and review the connections marked as established.
If you find Established connections (with a Remote Address on the Internet) you can't explain, report them back here and we'll take it from there.



#6 Jove (Topic Starter)

Posted 18 December 2010 - 06:53 PM

Please tell me, will you need local and remote addresses?

If so, you will need to instruct me.



#7 Jove (Topic Starter)

Posted 18 December 2010 - 07:34 PM

Didier,

This may take me a little time to sort through and understand, . . . but the colored lines were actually just flashes when I started this up, . . they are no longer showing up.

I'll need to study how and what I have here, . . so give me a little time and I'll get back to you, . thanks.



#8 Jove (Topic Starter)

Posted 18 December 2010 - 08:00 PM

Checking process properties for each entry, I find that the last (2) entries:

System 4 TCP CPQ_______ microsoft-ds CPQ____ 0 LISTENING
System 4 UDP CPQ_______ microsoft-ds * *

show "Unable to Process Properties" ???

All other entries seem normal .

Edited by Jove, 18 December 2010 - 08:00 PM.



#9 Didier Stevens (BC Advisor)

Posted 19 December 2010 - 05:24 AM

That's a port of a Windows service you need: http://www.grc.com/port_445.htm

Just make sure it's not open to the Internet. If you're using a NAT-router or a host firewall, you're OK.

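To make the check Didier describes concrete (look only at ESTABLISHED connections whose Remote Address is outside your own machine and LAN, and know which sockets are waiting on port 445 so you can confirm the router or host firewall covers them), here is an added example that is not code from anyone in this thread. It parses text in the layout of the Windows `netstat -ano` output Jove was reading; the sample rows, addresses and PIDs are constructed for the example, and the address ranges treated as "local" are my assumption of what a home LAN looks like.

```python
import ipaddress
from collections import namedtuple

# Constructed sample in the layout of Windows "netstat -ano"; the LAN host
# 192.168.1.10 and the remote addresses (TEST-NET ranges) are made up.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED     1204
  TCP    192.168.1.10:49716     192.168.1.1:139        ESTABLISHED     4
  TCP    192.168.1.10:49720     203.0.113.7:443        ESTABLISHED     2344
  TCP    192.168.1.10:49731     198.51.100.22:6667     ESTABLISHED     3180
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Assumed "stays on the machine or the LAN" ranges; any other remote address
# counts as "a Remote Address on the Internet" in the sense used in the thread.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "0.0.0.0/8", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7", "::/128")]
Conn = namedtuple("Conn", "proto local remote state pid")  # state is "" for UDP rows

def split_endpoint(ep):
    """'host:port', '[v6]:port' or '*:*' -> (host, port or None)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def parse_netstat(text):
    conns = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 4 and f[0] in ("TCP", "UDP"):  # skips header and blank lines
            conns.append(Conn(f[0], f[1], f[2], f[3] if len(f) == 5 else "", int(f[-1])))
    return conns

def is_internet_address(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' or an unresolved name
    return not any(ip in net for net in LOCAL_NETS)

def internet_established(conns):
    """The rows Didier asks about: ESTABLISHED with the remote end off the LAN."""
    return [c for c in conns if c.state == "ESTABLISHED"
            and is_internet_address(split_endpoint(c.remote)[0])]

def listeners_on_port(conns, port):
    """Sockets waiting on a port (445 = microsoft-ds); reachable from the Internet only if the router forwards it."""
    return [c for c in conns if c.state in ("LISTENING", "")
            and split_endpoint(c.local)[1] == port]
```

On the sample, `internet_established` returns only the two rows whose remote end is off the LAN (PIDs 2344 and 3180), while the loopback and LAN connections and all the listening sockets drop out, which is Andrew's point that many open ports by themselves prove nothing.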


#10 Andrew, Bleepin' Night Watchman (Moderator)

Posted 19 December 2010 - 02:53 PM

Search for additional Internet activity. You should only have one connection, using one port. If a hacker has gained access to your system, an additional port will be in use.

This is erroneous. A non-infected, non-hacked computer will also usually show many more than one active port. While it is true that a malicious connection would be listed, the kind of direct one-to-one attack the author of that How-To is targeting is so rare as to be almost mythical, outside of Hollywood.

#11 Jove (Topic Starter)

Posted 19 December 2010 - 04:00 PM

Hello Bleepin' Night Watchman,

For the sake of conversation and/or possible interest, . . using TCPView, I don't see any of the references to foreign addresses as I do in the Netstat connections, but I do see that there are multiple ports being used under what seems to be a similar address.

Posted Image


Posted Image



#12 ThunderZ

Posted 19 December 2010 - 04:28 PM

Foreign Address in Netstat is the same as Remote Addresses in TCPView.

#13 Jove (Topic Starter)

Posted 19 December 2010 - 06:03 PM

Thank you, kind sir, . .

Can you tell me what the red, yellow and green lines mean?



#14 ThunderZ

Posted 19 December 2010 - 06:34 PM

The red were explained in post #5 by Didier Stevens. Green are open/established connections.

Have forgotten what the yellow are. :blush:

Edited by ThunderZ, 19 December 2010 - 06:35 PM.


#15 Jove (Topic Starter)

Posted 19 December 2010 - 06:47 PM

Hey ThunderZ, how goes it?

Sorry, in the excitement of the moment I overlooked it, to one extent or another.

Shame on me.

This stuff, although I must say it is Greek to me, I know if I get into it, sooner or later it'll smooth out into some useful knowledge.

Thanks for getting me back on track.

It's all these pokers I've got in the fire, but I don't think I'm being hacked, so that's a little ahead of where I was.





