Home > Security Tips > > How to tell if you've been hacked: Signs of a compromised system
Security Tips:
EMAIL THIS
 TIPS & NEWSLETTERS TOPICS 


How to tell if you've been hacked: Signs of a compromised system


Vernon Haberstetzer, Contributing Writer
03.21.2005
Rating: -3.83- (out of 5)


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


Worst case scenario: You have a funny feeling you've been hacked, but you're not quite sure what to do next. If you're like most IT people, you don't necessarily know where to look for evidence that shows a system has been compromised, so how can you tell you've been hacked? Let's look at a few of the more common pieces of evidence that you may find after a system breach.

To start, suspicious-looking user accounts (those that lack the characteristics or conventions that should be present in most valid user accounts) should be disabled and researched to determine who set up the account and why. Audit logs will show who created such accounts if proper auditing is turned on. If it's possible to determine the date and time the account was created and the account turns out to be the result of a hack, you'll have a timeframe in which to look for other audit log events that may correspond.

To find out if a rogue application is listening for incoming connections, which could be used as a backdoor port for the hacker, use tools such as TCPView from Microsoft Windows Sysinternals or Fpipe from McAfee Inc.'s Foundstone division. These Windows utilities show what applications are using any open ports on your system. For Unix systems, use netstat or lsof, which are built into the operating system. Since it is possible for a clever hacker to replace netstat and lsof programs with Trojan versions (that don't show the ports opened by the hackers) it's best to scan a compromised system from anothe...



r computer, using the free Nmap port scanner. This will offer two different views of the system's open ports. < p>A hacker who compromises a Windows server may add or replace the programs launched via the registry from the following areas:
  • HKLM > Software > Microsoft > Windows > CurrentVersion> Run
  • HKCU > Software > Microsoft > Windows > CurrentVersion> Run

Malicious software also may be launched from the operating system's job scheduler. To see what jobs are scheduled to run on a Windows system, go to a command prompt and type AT. On a Unix system, use the cron or crontab commands to see the list of jobs scheduled to run.

Hackers who have compromised a Unix system may have used a rootkit, which helps the hacker obtain root access by exploiting vulnerability in the operating system or installed applications. Since numerous rootkits are available to hackers, it can be difficult to determine which files have been modified. There are programs to assist with this task, such as chrootkit. There are so many possible ways for a hacker to cover his tracks, but looking for the items above is a good start on your journey toward determining if you've been hacked.

About the author
Vernon Haberstetzer, president of security seminar and consulting company i.e.security, has seven years of in-the-trenches security experience in healthcare and retail environments.


Rate this Tip
To rate tips, you must be a member of SearchSecurity.com.
Register now to start rating these tips. Log in if you are already a member.




BROWSE BY TAG
Information Security Threats,   Emerging Information Security Threats,   Hacker Tools and Techniques: Underground Sites and Hacking Groups,   VIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



RELATED CONTENT
Emerging Information Security Threats
Best practices for (small) botnets
Cybersecurity grant to fund research into critical infrastructure threats
RSA security conference 2010: news, interviews and updates
Hackers to sharpen malware, malicious software in 2010
Modern malware, stealthy botnets, adapt quickly, expert says
New ransomware Trojan pushes victims to buy software
Bruce Schneier on outsourcing, awareness training
Marcus Ranum on cyberwarfare, infosec careers
US-CERT warns of BlackBerry snooping software
Researchers find thousands of flawed embedded devices

Hacker Tools and Techniques: Underground Sites and Hacking Groups
Russian cybercriminals target H1N1 Swine Flu fears
Metasploit Project acquisition ups ante for penetration testing market
Successful rogue antivirus hinges on social engineering
DEFCON survey suggests hacker community on vacation
DoD urges less network anonymity, more PKI use
New hacker skills optimize revenue
Maturing cybercriminal economy buoyed by business savvy hackers
Juniper pulls ATM hacking presentation from Black Hat
Botnet platform helps cybercriminals bid for zombie PCs
Man pleads guilty in online banking hacking scam

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
DNS rebinding attack  (SearchSecurity.com)
drive-by pharming  (SearchSecurity.com)
JavaScript hijacking  (SearchSecurity.com)
man in the browser  (SearchSecurity.com)
phlashing  (SearchSecurity.com)
polymorphic malware  (SearchSecurity.com)
pulsing zombie  (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.



Research Solutions for Network Security, Access Control and Security Threats
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy
  TechTarget - The IT Media ROI Experts