How do you check for evidence of being hacked?
If you think your computer has been hacked, investigate for unusual user account names that have suddenly appeared and for open TCP/UDP ports. There are several standard (common) user account names and ports that are supposed to be there, and if you see these accounts or ports, they are typically not a cause for concern as they are most likely legitimate:
• Common TCP ports include 135, 139, 445, 1030, 5152.
• Common UDP ports include 137, 138, 445, 500, 4500, 1900.
To view what user accounts are on your system, click > Control Panel and double-click on User Accounts.
You can use netstat, a command-line tool that displays incoming and outgoing network connections, from a command prompt to obtain local/foreign addresses, PID and listening state.
- netstat /? lists all available parameters that can be used.
- netstat -a lists all active TCP connections and the TCP and UDP ports on which the computer is listening.
- netstat -b lists all active TCP connections, Foreign Address, State and process ID (PID) for each connection.
- netstat -n lists active TCP connections. Addresses and port numbers are expressed numerically; no attempt is made to determine names.
- netstat -o lists active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with parameters -a, -n, and -p as shown below:
-- If the port in question is listed as "Listening", there is a possibility that it is in use by a Trojan server, but your firewall, if properly configured, should have blocked any attempt to access it. A "listening" state is when a program on a computer listens and waits on an open port to accept (establish) a connection with a remote computer on another port. See What is the Difference between Established/Listening Ports?
Once you obtain the information with netstat, run a traceroute to trace the path of the connection and find the location and ISP used by the hacker. To run a traceroute, open the command prompt again and type: tracert ip address/hostname (replace "ip address" and "hostname" with the relevant information you collected).
TCPView is a third-party utility that will allow you to view detailed listings of all TCP and UDP endpoints on your system, including local/remote addresses, state of TCP connections and the process that opened the port.
Other investigative resources:
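As an added example (not part of the original post), here is a small Python script that parses `netstat -ano` output and flags listening ports that are not on the common TCP/UDP lists given above, plus established connections to non-local hosts so you know which PIDs to look up in Task Manager. The netstat output embedded in it is constructed for illustration, not captured from a real machine.

```python
from collections import namedtuple

# Ports the post lists as normally present on a Windows host.
COMMON_TCP = {135, 139, 445, 1030, 5152}
COMMON_UDP = {137, 138, 445, 500, 4500, 1900}
Conn = namedtuple("Conn", "proto local_host local_port foreign_host foreign_port state pid")

# Constructed sample of `netstat -ano` output; not captured from a real machine.
SAMPLE = """
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2412
  TCP    192.168.1.10:49812     198.51.100.23:4444     ESTABLISHED     2412
  TCP    [::]:135               [::]:0                 LISTENING       880
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:6667           *:*                                    2412
"""

def split_endpoint(endpoint):
    """Split 'host:port', '[v6]:port' or '*:*' into (host, port or None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Parse the table rows of `netstat -ano`; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        local_host, local_port = split_endpoint(parts[1])
        foreign_host, foreign_port = split_endpoint(parts[2])
        # UDP rows have no State column, so the PID is always the last field.
        state = parts[3] if parts[0] == "TCP" else ""
        conns.append(Conn(parts[0], local_host, local_port,
                          foreign_host, foreign_port, state, int(parts[-1])))
    return conns

def triage(conns):
    """Return (listeners not on the common-port list, established foreign connections)."""
    unexpected, established = [], []
    for c in conns:
        expected = COMMON_TCP if c.proto == "TCP" else COMMON_UDP
        if (c.proto == "UDP" or c.state == "LISTENING") and c.local_port not in expected:
            unexpected.append(c)
        elif c.state == "ESTABLISHED" and not c.foreign_host.startswith("127."):
            established.append(c)
    return unexpected, established
```

Run `triage(parse_netstat(SAMPLE))` and each flagged entry carries the PID to check on the Processes tab; on a real machine, paste the saved output of `netstat -ano` in place of SAMPLE.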
Is it possible to tell from any logs (like OTL) if a system is compromised? Would it be possible to post such a log?
Yes, but they are not permitted in this forum. If that is something you want to do, then please read the "Preparation Guide".
- If you cannot complete a step, then skip it and continue with the next.
- In Step 7 there are instructions for downloading and running DDS, which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum.