How to tell if you've been hacked: Signs of a compromised system

In this final section in our hacker techniques and tactics series, you will learn how to determine if a hacker has breached your system.

Worst case scenario: You have a funny feeling you've been hacked, but you're not quite sure what to do next. If you're like most IT people, you don't necessarily know where to look for evidence that shows a system has been compromised, so how can you tell you've been hacked? Let's look at a few of the more common pieces of evidence that you may find after a system breach.

To start, suspicious-looking user accounts (those that lack the characteristics or conventions that should be present in most valid user accounts) should be disabled and researched to determine who set up the account and why. Audit logs will show who created such accounts if proper auditing is turned on. If it's possible to determine the date and time the account was created and the account turns out to be the result of a hack, you'll have a timeframe in which to look for other audit log events that may correspond.

To find out if a rogue application is listening for incoming connections, which could be used as a backdoor port for the hacker, use tools such as TCPView from Microsoft Windows Sysinternals or Fpipe from McAfee Inc.'s Foundstone division. These Windows utilities show what applications are using any open ports on your system. For Unix systems, use netstat or lsof, which are built into the operating system. Since it is possible for a clever hacker to replace netstat and lsof programs with Trojan versions (that don't show the ports opened by the hackers) it's best to scan a compromised system from another computer, using the free Nmap port scanner. This will offer two different views of the system's open ports. < p>A hacker who compromises a Windows server may add or replace the programs launched via the registry from the following areas:

  • HKLM > Software > Microsoft > Windows > CurrentVersion> Run
  • HKCU > Software > Microsoft > Windows > CurrentVersion> Run

Malicious software also may be launched from the operating system's job scheduler. To see what jobs are scheduled to run on a Windows system, go to a command prompt and type AT. On a Unix system, use the cron or crontab commands to see the list of jobs scheduled to run.

Hackers who have compromised a Unix system may have used a rootkit, which helps the hacker obtain root access by exploiting vulnerability in the operating system or installed applications. Since numerous rootkits are available to hackers, it can be difficult to determine which files have been modified. There are programs to assist with this task, such as chrootkit. There are so many possible ways for a hacker to cover his tracks, but looking for the items above is a good start on your journey toward determining if you've been hacked.

About the author
Vernon Haberstetzer, president of security seminar and consulting company i.e.security, has seven years of in-the-trenches security experience in healthcare and retail environments.

 


HACKER ATTACK TECHNIQUES AND TACTICS

  Introduction: Hacker attack tactics
  How to stop hacker theft
  Hacker system fingerprinting, probing
  Using network intrusion detection tools
    Authentication system security weaknesses
  Improve your access request process
  Social engineering hacker attack tactics
  Secure remote access points
  Securing your Web sever
  Wireless security basics
  How to tell if you've been hacked


 

This was first published in March 2005

Dig deeper on Emerging Information Security Threats

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close