Go4Expert (http://www.go4expert.com/) - Ethical hacking - Intrusion Alert (http://www.go4expert.com/forums/intrusion-alert-t121/)

vishal sharma 16Aug2004 13:20

Intrusion Alert
 
:cool:

I want to thank a dear friend and fellow hacker Codelock for passing this article to me.
Codelock, you rock.


Many people live under the impression that if they follow all the computer security safety rules, they are 100% safe from crackers. Unfortunately, even if you do follow all the rules, there are still many ways for you to have your privacy invaded, and thus I have decided to write a little tutorial on how to act if you think you are getting hacked.
1. The first sign of possibly being targeted for an attack is being port-scanned. In short, port-scanning is basically trying to find if there are any "open doors" to your computer. If you have a firewall (which you should), then it should make some kind of an alert telling you that you are being port-scanned. However, many crackers scan hundreds of IP addresses at the same time, so if you are getting scanned, it does not always mean that you are getting hacked.

2. If you think you are getting hacked, you must first remain calm. Don't start panicking and thinking that the cracker is going to destroy your computer. Remember, calmness is the key.

3. Decide if you are truly getting hacked. If the port-scans just keep on going, and you are seriously worried that you are being a target, then you must take action. First off, find out the IP of the attacker. An IP (Internet Protocol) address is four sets of numbers that help identify each computer. Beware though: if the cracker is any good, they will most likely spoof their IP address, so if you manage to trace them (I will talk about tracing a little later) you may trace it to some innocent 6-year-old on his first computer. If you have a good firewall, you should look into the logs (logs are the places where all of the traffic gets logged; depending on the firewall, the logs are in different places, but they should be clearly visible to you), where it will show their IP address. You have two options. In some firewalls, such as the Sygate Personal Firewall, you have the option to backtrace the attacker. If successful, you may even get their address. There are also many other programs that show you a visual route of where the attacker is. The other way could be considered more "leet", so I am going to teach you how to trace someone through DOS (Disk Operating System). DOS is basically a shell in Windows, which means that you can type commands into it that the computer understands. So, go into DOS
(Start > Run > type "cmd" without the quotes). If you are on Windows 95 or 98, do the same thing, but type "command" instead. You should now see a black screen with some letters on it. Type this: tracert yyy.yyy.yyy.yyy
Of course, replace the y's with the actual IP address. Also, depending on the operating system, you may need to type traceroute instead of tracert. You can test this out on yourself. Just type: tracert localhost

You should get something like this:

Tracing route to <your computer name> [127.0.0.1]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  localhost [127.0.0.1]

Trace complete.

Let's go over what this means. First off, the 127.0.0.1 is your loopback IP address. Every computer has an IP of 127.0.0.1, but that's not their real IP; it's just another way of saying "localhost", which is your own computer. The ms stands for milliseconds, which just shows how long the packet had to travel to reach that IP address. If you were doing this to the attacker, there would be a lot more lines, and on the last line you should see their ISP. ISP (Internet Service Provider) is just the company that provides them with the Internet.

4. If your attacker is stupid and does not spoof his IP, then you will get the real ISP and his real IP address. What you can do now is save those logs that have his port-scans in them and send the ISP an email. If it is good enough, your attacker will have to find another ISP, since they will kick him out :)

Scenario 2: Attacker is inside
--------------------------------------------------------
The steps that I described above could be taken if the attacker is just attacking you, but what if he/she is already inside your computer? What if they gained access overnight while you were sleeping? If that happens, there are a lot more steps that you have to take. First off, you should check your firewall logs to see if any traffic has been recorded. If you are sure that they got in, you should immediately unplug the modem from the wall. This would ensure that if the attacker is still inside, it would cut him off. I am sorry to tell you this, but you are going to have to do some major investigation now.

1. Do AV scans. The first thing you should do is check if the attacker installed any viruses on your computer. Start up your AV and let it scan your entire system. Even if it takes 5 hours, let it run. If it finds anything, make sure to get rid of it. If it doesn't, then at least you don't have any viruses.

2. Scan for Trojan Horses. A trojan horse is basically a program that lets the attacker execute commands on your computer. This means that if you have one installed on your computer, the attacker could open your CD drive, mess with your printer, screen, etc. Basically, you would be screwed. The AV should automatically get rid of it, but if you want to be sure, go to www.download.com, search for "trojan removers" and it will come up with a bunch of trojan scanners and removers. Make sure though that you are not on the Internet, so that the attacker can't connect to you.

3. Check the processes. If you press Ctrl+Alt+Del, and then Processes, you should see a bunch of things. These are basically the things that are taking place in your computer. Try to look for anything that looks suspicious, and if you find something, kill the process. I can't tell you what you should look for exactly, which is the exact reason to get familiar with your computer and know what its settings are.

4. Check the registry. Basically, the registry holds all the computer files. If someone really wanted to mess up your computer, they would attack the registry. Once again, try to look for anything unusual. There is one place where you really should look:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

What you see on your right side are all of the things that start when your computer starts up. Once again, make sure you delete anything that looks like it's a bad thing. If you are unsure, you can always back up the registry by going to File > Export and then saving either the key or the whole registry. You should name it something like "backup".

5. Discover how they got in. This can be the hardest part of the entire process. You should definitely see if there are any Windows updates, and if so, then they most likely used the discovered exploit that you aren't patched against. You should also update EVERYTHING on your system, such as the firewall, AV, etc.

6. Getting back. After you are sure that there are no more bad things on your computer, you may put it back online. If, however, something similar happens, you should most likely seek professional help.

Tips and Ideas:
--------------------------------------------------------
This is just a few things to keep in mind:

1. You should make regular back-ups of your whole system. If you get hacked, you can just load the back-up, thus eliminating any kind of bad software.

2. Get Tripwire. There is a program called Tripwire (do a search for it) that takes a "snapshot" of your system and is then able to identify if any files have been messed with. It costs money, but it's really worth it.

3. Change all the passwords. This should have been in the actual guide, but it's always a good idea to change your passwords for everything, including your computer, firewall, etc.

4. If you have some serious damage, you could call the cops, but don't do that unless your computer was seriously damaged.

5. Have your important system files encrypted, so that the attacker won't be able to read them unless they know the algorithm and know how to crack it.


more later....
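The port-scan-to-ISP-report procedure in steps 1 through 4 above, as an added example that is not part of the original post or of Codelock's article: a Python script that reads personal-firewall log lines, separates a real port scan (many distinct destination ports from one source inside a short window) from a client that merely retries one port, decides whether the source is a private or loopback address that no ISP will take a report for, and pulls the last responding hop out of a tracert run so you know which provider to write to. The log layout, the thresholds (five ports in sixty seconds), the hostnames and every log line are constructed for this example; the addresses come from the RFC 5737 documentation ranges and the IP-to-owner mapping is assumed, not looked up.

```python
"""Port-scan triage from firewall logs (added example; all data constructed)."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log in a hypothetical "timestamp action proto src:port -> dst:port"
# layout (not any real firewall's format); addresses are RFC 5737 test ranges.
# One external host probes 6 ports in 16 s, one LAN host probes 5 ports, and
# one host retries port 80 twice, which is not a scan.
SAMPLE_LOG = """\
2004-08-15 23:58:01 BLOCKED TCP 203.0.113.45:3412 -> 192.168.1.10:21
2004-08-15 23:58:03 BLOCKED TCP 203.0.113.45:3413 -> 192.168.1.10:22
2004-08-15 23:58:05 BLOCKED TCP 203.0.113.45:3414 -> 192.168.1.10:23
2004-08-15 23:58:08 BLOCKED TCP 203.0.113.45:3415 -> 192.168.1.10:80
2004-08-15 23:58:12 BLOCKED TCP 203.0.113.45:3416 -> 192.168.1.10:139
2004-08-15 23:58:17 BLOCKED TCP 203.0.113.45:3417 -> 192.168.1.10:445
2004-08-16 00:02:30 BLOCKED TCP 198.51.100.7:51001 -> 192.168.1.10:80
2004-08-16 00:02:33 BLOCKED TCP 198.51.100.7:51002 -> 192.168.1.10:80
2004-08-16 00:10:01 BLOCKED TCP 192.168.1.5:40001 -> 192.168.1.10:21
2004-08-16 00:10:02 BLOCKED TCP 192.168.1.5:40002 -> 192.168.1.10:22
2004-08-16 00:10:03 BLOCKED TCP 192.168.1.5:40003 -> 192.168.1.10:23
2004-08-16 00:10:04 BLOCKED TCP 192.168.1.5:40004 -> 192.168.1.10:80
2004-08-16 00:10:05 BLOCKED TCP 192.168.1.5:40005 -> 192.168.1.10:445
"""

# Constructed tracert output toward the external source (hostnames invented).
TRACERT_SAMPLE = """\
Tracing route to cust-45.example-isp.net [203.0.113.45]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    12 ms  gw.example-cable.net [198.51.100.1]
  3     *        *        *     Request timed out.
  4    41 ms    40 ms    42 ms  cust-45.example-isp.net [203.0.113.45]

Trace complete.
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")
HOP_RE = re.compile(r"^\s*\d+\s+(?:(?:<?\d+ ms|\*)\s+){3}(.+?)\s*$")
# Blocks with no ISP to report to: RFC 1918, loopback, link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_log(text):
    """Parse matching lines into dicts; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, action, proto, src, sport, dst, dport = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                           "action": action, "proto": proto, "src_ip": src,
                           "src_port": int(sport), "dst_ip": dst, "dst_port": int(dport)})
    return events


def find_scanners(events, min_ports=5, window_seconds=60):
    """Flag sources hitting >= min_ports distinct destination ports within any
    window_seconds span; repeats on one port never qualify (a retrying client)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src_ip"]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        in_window, left = Counter(), 0
        for ev in evs:
            in_window[ev["dst_port"]] += 1
            while (ev["ts"] - evs[left]["ts"]).total_seconds() > window_seconds:
                old = evs[left]["dst_port"]  # drop the oldest event from the window
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_ports:
                addr = ipaddress.ip_address(src)
                hits[src] = {"ports": sorted({e["dst_port"] for e in evs}),
                             "first_seen": evs[0]["ts"], "last_seen": evs[-1]["ts"],
                             "reportable": not any(addr in n for n in LOCAL_NETS)}
                break
    return hits


def last_hop(tracert_text):
    """Return (hostname, ip) of the last hop that answered in a tracert run;
    hostname is None when tracert printed only an address."""
    last = None
    for line in tracert_text.splitlines():
        m = HOP_RE.match(line)
        if not m or m.group(1).startswith("Request timed out"):
            continue
        named = re.match(r"(\S+) \[(\S+)\]$", m.group(1))
        last = (named.group(1), named.group(2)) if named else (None, m.group(1))
    return last


if __name__ == "__main__":
    for src, info in find_scanners(parse_log(SAMPLE_LOG)).items():
        if info["reportable"]:
            # The constructed trace is for 203.0.113.45; run tracert per source in practice.
            host, ip = last_hop(TRACERT_SAMPLE) or (None, src)
            print(f"{src}: ports {info['ports']}, {info['first_seen']} to {info['last_seen']}, "
                  f"last hop {host or ip}: report to that ISP with the log lines attached")
        else:
            print(f"{src}: ports {info['ports']}, private address, check your own LAN")
```

The sliding window is what keeps the noise out: a browser retrying port 80, or a scanner that sends one probe per hour, never accumulates five distinct ports inside sixty seconds, while a real sweep does within a few seconds. The "reportable" flag exists because a source inside 192.168.0.0/16 or 127.0.0.0/8 is either your own LAN or a spoofed packet, and the "last hop" hostname is only a hint about the provider; as the post says, the address can be spoofed, so the email to the ISP should carry the raw log lines and let them check their own records.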

