Posted 12 September 2003 - 09:23 AM
would find it informative. If you like the tutorial and want me to write
some more on security, just send me an email and I will whip some up.
Windows Forensics: Have I been Hacked?
When reviewing a lot of the posts I see that there are many topics that ask the
same question. How do I go about seeing if I have been hacked?
I am writing this Tutorial for these people. In this tutorial I will show you
how to determine if your Windows NT, XP, or 2000 box is hacked and how you can
go about cleaning up the files they may have left behind. This tutorial should
show you how to detect most hacks, but there are other methods that will be much
harder to detect and will require a greater degree of knowledge in detecting
them. In my experience, though, most of the hacks that are done in mass,
especially by the script kiddies, will be detectable through these methods.
Almost all the utilities that I will use in this Tutorial are freeware and
downloadable. I have also included in the next section a list of these programs
and their locations. Please note that this tutorial primarily focuses on Windows
XP, 2000, and NT as some of these utilities do not work on the earlier versions
of Windows. Some of the discussion in this tutorial may be advanced to some
users. Please feel free to message or email me if you have some questions or
The utilities you will need for this Tutorial are as follows:
This is a console utility that is run from the command line. When you run it, it
will list all listening TCP/UDP ports on your system and the program that is
using those ports.
This is a similar program to Fport, but shows it in a graphical interface. This
program not only shows listening ports, but also established and pending connect
and closing connections. Some people prefer this more.
This program will list all open processes and delineate between the parent
processes and the processes that are spawned by the parent. This is a very
This is a collection of console command line tools that can list open processes,
kill processes, as well as many other useful functions.
This is only necessary if you have NTFS Volumes. This program will allow you to
create a boot disk that enables you to read any NTFS Volumes that you have on
your computer. The only drawback to this program is that you need the commercial version
to actually delete/write to these volumes, as the free version is Read Only.
There are more advanced alternatives, which I will give below.
Dos/Windows Boot Disk - Startdisk.com or Bootdisk.com
These sites enable you to create boot disks in which you will boot the computer.
This tool adds a windows explorer shell extension to your right click on a file.
When you use Filealyzer on that file you will be able to see a lot of
information about the file. Information such as whether it's a packed exe
(save that for another tutorial) or the version information. What I use it for
is the hex dump and then the ability to list the strings found in the binary
file. From the strings you can gain a lot of useful information as to what the
program does or is.
This program allows you to remotely administer a computer/group of computers. I
was hesitant to put this on as it is not freeware, but it is such a great
Why would someone want to hack me?
There are many reasons why someone would want to hack your computer.
From my experience the most common reasons are as follows:
1. Set up an FTP Server (Pubstros) to distribute copyrighted material.
2. Set up an IRC client/bot that is used to DDOS other computers, flood IRC
users, scan/hack other computers, and to distribute copyrighted material as a
3. Use your computer to scan others or hack into other computers. This gives
them a degree of anonymity.
How can I tell if I have been hacked
Almost every remote hack involves leaving a program behind that will allow them
to get back into your computer regardless of whether or not you fix the security
problem that let them into your computer in the first place. The only time a
hacker does not leave something behind, is if they are hacking your computer for
specific information or an item. Almost 99% of the time this is not the case.
The programs that they leave behind are IRC clients that they can control from a
channel on an IRC Server or a Backdoor/Trojan.
Since these clients or Trojans must listen and wait for connections from the
hacker, they must listen on a TCP or UDP port. With that in mind, the tools that
I list above come into play. Using Fport or TCPView will allow you to see what
TCP/UDP ports are open and listening on your computer and what program is using
To see what programs are running and are listening on TCP/UDP ports you would
use Fport or TCPView.
For example, lets say a hacker uses the RPC/DCOM exploit that came out recently
to get a command shell to your computer. They download and install SubSeven on
your computer. As many installations of SubSeven use the default TCP Port 27374
it makes it very easy to spot this Trojan running on your computer.
By running Fport you would see the following (Formatting is a little messed up
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
Pid Process Port Proto Path
636 svchost -> 135 TCP C:\WINDOWS\system32\svchost.exe
4 System -> 139 TCP
4 System -> 445 TCP
660 svchost -> 27374 TCP C:\WINDOWS\System32\s.exe
From looking at this output you can see that you have a program in the directory
c:\windows\system32 called s.exe. Right off the bat, that file name looks
suspicious let alone the port it is listening on.
You would then go into task manager, kill the process, and then delete the file.
You should look around some more and see if there are any other files that have
the same creation date, as hackers generally leave more than 1 file behind.
If you cannot kill the process via task manager, then you would want to check
the services and see if the program is running as a service. If it is, stop the
service, and then try to delete the file.
You can also see if you can find out how the program is being started on boot
up. I find this is generally in the registry for non-services. The key is:
There are other registry entries, especially for services, that can load a
program on startup. You can launch regedit and search for the filename and see
what comes up.
Other places to look for where programs can be launched at startup are:
The Startup folder.
What if Fport or TCPView says there is a program running but I can't find
First thing is to make sure you have the options set to see all hidden files and
system files. If you are doing a directory listing from a command prompt,
make sure you use the /a flag with the dir command to see hidden files.
If you still can not see the files, then cleaning up a hack in this scenario is much harder as a Root Kit is generally hiding the Trojan/Backdoor. Root Kits are programs that allow you to hide registry entries, service entries, processes, directories or filenames. Though more common in Unix hacks, they are starting to become more prevalent in Windows based hacks as well.
Don't worry though, there are still ways to detect these Root Kits and clean
them up. Since these Root Kits are running as processes on the hacked machine,
they only stop the hacked machine from seeing the registry entries, directories,
files, processes or services. The Root Kit does not affect other machines
looking at the files or drives.
There are a few ways to connect to your machine or drives in order to see the
One way is to just share your C: drive and connect to your machine from another
computer. That remote computer can be another Windows Computer, or
my favorite, using Linux and its smbclient program.
When connected through another computer you can see all the files and
directories that are normally hidden, sort by date, and see the files that
should not be there.
If you need to remove registry entries you can connect to the registry remotely
from another computer using Dameware NT utilities, or use another program like
it. Due to the fact that you are connecting to your computer from another
computer, where the Root Kit is not affecting what you see, you will be able to
see all hidden objects.
If you do not have another computer at your disposal you should make a bootable
disk and boot off that disk. You will then be unaffected by the Root Kit and be
able to delete files at your whim.
If your volumes are NTFS volumes, it can be a little harder. You can use a
bootable CD that contains a Linux distribution such as the following:
Both of these distributions offer NTFS support and forensic utilities. You can
also use the NTFSDOS program that I reference above. That is a great program,
but the functionality really increases when you have a licensed version of it.
When you have the licensed version of it you are able to make a bootable floppy
and all the NTFS drives are mounted and visible, but now you can also write to
it instead of only being able to read from it.
Other Hacks? And are they detectable?
What I have covered so far are the more generic hacks that are used. They are
the most common and can be detected with the methods above. This tutorial,
though, can not cover all possible hacks and ways to detect them. I will give a
brief summary on some other types of hacks, but will not go into removing these
types of hacks, as they can be a tutorial unto themselves. A simple google
search can provide that information.
Alternate Data Streams: Alternate Data streams were introduced into NTFS
volumes to support the Macintosh Hierarchical File System and are widely undocumented. With the use of Alternate Data Streams or ADS, a hacker can hide files, even executables, and make them almost invisible to the operating system and therefore yourself. There are tools out there such as LADS that will enable you
to see ADS files, but they will not delete them. Luckily, even if an executable Internet application is hidden using ADS, fport will still detect them. They will show up as :somefilename or somefilename:somefilename2.
Kernel and Device Driver hacks: An experienced hacker may have the knowledge to
actually patch/intercept system drivers, device drivers, or system calls. This
will enable them to issue commands to the OS as Ring0 or at an "Operating
System Kernel Security Level". If a hack like this occurs, usually the best
situation is to backup your data and reinstall the OS. This is because if they
have such access to the box, then you really can not be sure what else has been
Ultimately, if you feel you have been hacked the decision is yours to try to
clean up the box and continue using it, or to reinstall the OS. In some
situations you can definitely clean up the hack and continue using the box, but
in others the safest bet may be to do a reinstall. That must be a judgement call
you make on your own.
I hope all of this helps and if you have any questions, please do not hesitate
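A triage script added here as an illustration (it is not part of the post above and not a Foundstone tool) that parses Fport v2.0 output like the listing in the tutorial and flags listeners that are not in a known-good baseline, whose process name does not match the image file (the svchost -> s.exe case), or whose image sits in an alternate data stream. The baseline, the sample listing and the assumption that an ADS-hosted image is displayed as file:stream are mine, not the post's.

```python
import re
from collections import namedtuple
Entry = namedtuple("Entry", "pid process port proto path")
# One listener per line: "Pid Process -> Port Proto Path" (Path may be blank).
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")

# Hypothetical known-good baseline for an idle Windows XP/2000 box, taken from
# the three benign listeners in the post. Anything else is flagged for review.
BASELINE = {(135, "TCP"): "svchost", (139, "TCP"): "System", (445, "TCP"): "System"}

# Constructed sample modelled on the Fport listing in the post; the last line
# assumes an ADS-hosted image shows up as file:stream (that format is assumed).
SAMPLE_FPORT = r"""FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
Pid   Process            Port  Proto Path
636   svchost        ->  135   TCP   C:\WINDOWS\system32\svchost.exe
4     System         ->  139   TCP
4     System         ->  445   TCP
660   svchost        ->  27374 TCP   C:\WINDOWS\System32\s.exe
812   calc:hidden    ->  6667  TCP   C:\WINDOWS\System32\calc.exe:hidden.exe
"""

def parse_fport(text):
    """Turn raw Fport output into Entry tuples, skipping banner and header."""
    entries = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        entries.append(Entry(int(m[1]), m[2], int(m[3]), m[4], m[5]))
    return entries

def triage(entries, baseline=BASELINE):
    """Return [(entry, reasons)] for every listener that deserves a closer look."""
    findings = []
    for e in entries:
        reasons = []
        expected = baseline.get((e.port, e.proto))
        if expected is None:
            reasons.append("port not in baseline")
        elif expected != e.process:
            reasons.append("port owned by %s, expected %s" % (e.process, expected))
        if e.path:
            image = e.path.split("\\")[-1]  # e.g. s.exe or calc.exe:hidden.exe
            stem = image.split(":")[0].rsplit(".", 1)[0].lower()
            if stem != e.process.split(":")[0].lower():
                reasons.append("process name does not match image %s" % image)
            if ":" in e.path[2:] or ":" in e.process:  # colon past the drive letter
                reasons.append("image is in an alternate data stream")
        if reasons:
            findings.append((e, reasons))
    return findings
```

Run `triage(parse_fport(SAMPLE_FPORT))` to get the two suspicious listeners with their reasons; the three baseline entries are left out.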
Posted 12 September 2003 - 09:49 AM
Welcome to GSO Grinler! Looking forward to hearing more from you!
Posted 12 September 2003 - 06:16 PM
even if it could go a little further ^^ I wish
I was patient or even had the time to write one too ^^
anyway thanks for sharing this ^^
Posted 21 September 2003 - 01:42 PM
thanks & rgds