

How to tell your machine has been hacked?
March 3, 2005 4:45 AM   Subscribe

I am looking for the definitive method for determining if my machine has been hacked. I don't trust antivirus software and was thinking of looking into packet sniffers but wasn't sure if that was the place to start.
posted by Wong Fei-hung to Computers & Internet (16 answers total)
 
Define 'hacked'. Do you mean a keylogger? An all-purpose trojan? Someone secretly creating their own account?
posted by Jairus at 4:49 AM on March 3, 2005


It would probably be useful to know OS, as well...
posted by jpburns at 5:07 AM on March 3, 2005


If it's Windows, one useful tool is Sysinternals' new Rootkit Revealer.
posted by llamateur at 5:20 AM on March 3, 2005


1. The only definitive method to avoid trouble is to not connect to the internet and to not use software written by anyone but you, and even then someone at the manufacturer might have hacked your microcode.

2. If you don't trust antivirus software, you don't trust the antivirus experts and you're on your own.

But if you want to try some pretty good software written by some pretty good engineers, start with some of the programs listed under "External links" at the Wikipedia page on Spyware. How about HijackThis?
posted by pracowity at 5:22 AM on March 3, 2005


If it's a Windows machine you can also bring up a command prompt and run "netstat -a". This will give a listing of all the network connections to/from your computer and give you an idea if it's listening on any known exploit ports. It's usually a good, quick way to see if someone has remote access to your box.
posted by white_devil at 5:26 AM on March 3, 2005
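The netstat check above is more useful with the -o switch, which XP supports and which adds the owning process ID, so an unexplained listener can be tied to whatever else its process is talking to. The following is an added example, not code from the thread or from anyone in it: it parses constructed `netstat -ano` output (the sample text, the allowlist of expected XP listeners and the PIDs are all made up for illustration) and reports listeners you cannot account for together with that process's established connections.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample of `netstat -ano` output from a Windows XP machine; not a real capture.
# The -o switch adds the owning PID column, which plain `netstat -a` omits.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1592
  TCP    192.168.1.10:1054      192.168.1.1:80         ESTABLISHED     1200
  TCP    192.168.1.10:1071      203.0.113.7:6667       ESTABLISHED     1592
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.10:137       *:*                                    4
"""

# Assumed allowlist: listeners a stock XP workstation opens on its own (RPC endpoint
# mapper, SMB over TCP/UDP 445, NetBIOS name service). Tune it to your own build.
EXPECTED_LISTENERS: Set[Tuple[str, int]] = {("TCP", 135), ("TCP", 445), ("UDP", 445), ("UDP", 137)}

Socket = Dict[str, object]


def parse_netstat(text: str) -> List[Socket]:
    """Turn netstat -ano lines into dicts. TCP rows carry a state column; UDP rows do not."""
    rows: List[Socket] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or something we do not understand
        proto = fields[0]
        if len(fields) < (5 if proto == "TCP" else 4):
            continue
        laddr, lport = fields[1].rsplit(":", 1)  # rsplit so [::]:135 would also work
        faddr, fport = fields[2].rsplit(":", 1)
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
        else:
            state, pid = "", int(fields[3])
        rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                     "faddr": faddr, "fport": fport, "state": state, "pid": pid})
    return rows


def unexpected_listeners(rows: List[Socket], expected=EXPECTED_LISTENERS) -> List[Socket]:
    """Sockets accepting traffic that are not on the allowlist. A UDP socket is always a listener."""
    return [r for r in rows
            if (r["proto"] == "UDP" or r["state"] == "LISTENING")
            and (r["proto"], r["lport"]) not in expected]


def remote_endpoints_by_pid(rows: List[Socket]) -> Dict[int, Set[Tuple[str, int]]]:
    """PID -> remote (host, port) pairs for established TCP connections, so a suspicious
    listener can be tied to whatever else its process is talking to."""
    out: Dict[int, Set[Tuple[str, int]]] = {}
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED":
            out.setdefault(r["pid"], set()).add((r["faddr"], int(r["fport"])))
    return out


def report(text: str) -> List[str]:
    """One finding per unexpected listener, with its process's outbound connections."""
    rows = parse_netstat(text)
    remotes = remote_endpoints_by_pid(rows)
    findings = []
    for r in unexpected_listeners(rows):
        peers = ", ".join(f"{h}:{p}" for h, p in sorted(remotes.get(r["pid"], ())))
        findings.append(f"{r['proto']} port {r['lport']} listening, PID {r['pid']}, "
                        f"outbound to: {peers or 'nothing right now'}")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_NETSTAT):
        print(line)
```

On XP Professional, `tasklist /fi "PID eq 1592"` then names the process behind the flagged port. The allowlist is the real work: the question is not whether a port is on some list of "exploit ports" but whether you can account for every listener. And, as a later comment in this thread points out, a kernel-level kit can filter what netstat shows, so a clean netstat listing is evidence, not proof.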


pracowity, most antivirus manufacturers won't include common trojans that are commercial in nature, for fear of being sued. I can fill a computer to the brim with malware that'll never show up in a virus scan.
posted by Jairus at 6:26 AM on March 3, 2005


While we're on the subject, can any of you recommend a good packet sniffer for Windows? I tried one a few years ago (which is the very thing that clued me in to a Conducent spyware problem)... but it was a demo that only ran for 15 days and wanted something like $200.
posted by rolypolyman at 6:31 AM on March 3, 2005


rolypolyman, I use Ethereal. If you've got cash to blow, EtherPeek is pretty nice, too.
posted by Jairus at 6:37 AM on March 3, 2005


If you want to be academic about this, you should get a trusted machine with a good packet sniffer, like Ethereal, installed in front of the questionable machine on the network. Stop every network service you personally know of on the questionable machine, and then watch the traffic coming and going. If you see something peculiar, you might be able to do some more research and find out what type of exploit could be responsible.

There are more effective ways to deal with the problem if you're not particularly interested in the details. If you don't trust the system, back up your important non-executable files, wipe the disk and reinstall from trusted media.
posted by odinsdream at 6:55 AM on March 3, 2005


I've become a huge fan of Ethereal lately. I installed it on my laptop (1.25GHz PowerBook) and I use it at work all the time. Its decoding of NCP is pretty slick.

Back in September a friend of mine moved to a different ISP and they kept shutting off his internet connection. Even after he ran all his updates and did a complete scan with McAfee they still said he was sending out bad traffic. I went over with Ethereal, did a little sniffing, and within an hour we'd found the culprit and cleaned him up.

So no, I don't think that packet sniffing is too drastic of a measure. Once you get used to doing it you'll wonder how you ever managed to diagnose these problems before.
posted by sbutler at 8:01 AM on March 3, 2005


Between Ethereal and SysInternals tools (procview, tcpview, etc.) you should be able to stay pretty safe. Even if you have never used a packet sniffer before, you'll find Ethereal to be very straightforward to use and, imo, a lot of fun.
posted by sonofsamiam at 8:33 AM on March 3, 2005


I'm surprised no one has mentioned this, and I've been using OS X for two years (so take this with a grain of salt), but if you're looking for a first indicator of malware or a trojan on your Windows XP system, turn off all YOUR programs, and use control-alt-delete to bring up the Task Manager, then switch to the Network pane. Any activity here can indicate malware.

Packet-sniffing is a tool for monitoring network traffic, so if your system has been locally compromised, this does nothing for you. Additionally, a truly intelligent cracker would find ways to make his traffic very hard to recognize.

To echo what was said earlier though, I think we still need to know more about your specific problem to give you better advice.
posted by onalark at 8:48 AM on March 3, 2005


If your machine is hacked, these tools do absolutely nothing to assure you of your machine being clean. Any hacker worth her salt will install a kit that will present security tools with misinformation along the lines of "nothing's wrong". What's worse, these security tools only catch known exploits or corrupted files, so new exploits sneak right in, no problem.

The only way to be absolutely sure of the integrity of your files is through a package like Tripwire (commercial | open-source), which you install on a newly-installed machine that has not been connected to the network, and has not had much use since its operating system was installed. You can't install Tripwire afterwards and have much assurance of its integrity.

In a secure configuration, Tripwire and the like generate hashes (like signatures) from every file on the computer and store them on a read-only medium (like a printer, or other one-way medium). If a file is changed, or a new file is added, the signatures and signature table change. Tripwire will tell you which files changed and when.
posted by AlexReynolds at 9:16 AM on March 3, 2005


Hey All - My apologies for leaving out the Operating System - it is a Windows XP Dell laptop. I keep looking at the bytes sent information and it seems too high. It is usually about half of what I download, sometimes 2/3rds. I've got Norton, Spybot Destroyer, Adaware - running the Windows XP Firewall and the Norton Internet Security Firewall.

Norton always turns up bupkis.

What I mean by hacked is if my machine is being used to gather my personal information or the presence of a Trojan.

The laptop is on Wireless Network. Would a Packet Sniffer see all of the packets go to and from the machine?
posted by Wong Fei-hung at 10:40 AM on March 3, 2005


The laptop is on Wireless Network. Would a Packet Sniffer see all of the packets go to and from the machine?

Depends. If you use WEP or the network is open, then yes. If you use WPA (?Enterprise?) or a VPN solution then no.
posted by sbutler at 1:13 PM on March 3, 2005


Bruce Schneier pointed out this great technique called GhostBuster (which is only a research prototype at Microsoft, and not available) for telling if programs on a computer are lying to you about their existence.

Basically, the program on a CD scans all of the files, then you reboot the machine from the CD and scan again. Any mismatch indicates that there's some persistent stealth program running hiding details.
posted by Caviar at 4:05 PM on March 3, 2005
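The Tripwire approach described a few comments up (hash every file on a clean install, keep the table somewhere the intruder cannot rewrite, rescan later) and the GhostBuster technique described here (scan from inside the running system, scan again from boot media, compare) are the same operation: a diff between two hash tables. The following is an added example written for this thread, not code from Tripwire, from Microsoft's GhostBuster, or from anyone in the thread. It runs both scenarios on a throwaway directory. The file names, contents and the rootkit's hiding rule (the `visible` callback, which stands in for a kit filtering the directory listing) are all constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Callable, Dict, List


def hash_tree(root: Path, visible: Callable[[Path], bool] = lambda p: True) -> Dict[str, str]:
    """SHA-256 of every regular file under root, keyed by POSIX-style relative path.
    `visible` models which entries the directory walk gets to see: a real scan leaves
    it at the default; the cross-view demo uses it to simulate a rootkit's filtering."""
    table: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and visible(path):
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            table[path.relative_to(root).as_posix()] = h.hexdigest()
    return table


def diff_tables(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two hash tables.
    Tripwire use: a = stored baseline, b = scan now, so only_in_b = added files,
    only_in_a = deleted files, differ = modified files.
    Cross-view (GhostBuster) use: a = scan from trusted boot media, b = scan from inside
    the running OS, so only_in_a = files the running OS is hiding from you."""
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "differ": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
    }


def populate(root: Path) -> None:
    """Constructed sample tree standing in for a freshly installed system."""
    (root / "bin").mkdir()
    (root / "bin" / "svc.exe").write_bytes(b"original service binary")
    (root / "config.ini").write_text("port=135\n")


def demo_baseline() -> Dict[str, List[str]]:
    """Tripwire-style: hash at install time, keep the table off-box, rescan later."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        populate(root)
        # The baseline must leave the machine (CD, printout, read-only host): a table
        # stored on the box can simply be rewritten by whoever changed the files.
        stored = json.dumps(hash_tree(root), sort_keys=True)
        # Later: a binary is replaced, a new file is dropped, a config file is deleted.
        (root / "bin" / "svc.exe").write_bytes(b"trojaned service binary")
        (root / "bin" / "dropper.dll").write_bytes(b"new file")
        (root / "config.ini").unlink()
        return diff_tables(json.loads(stored), hash_tree(root))


def demo_cross_view() -> Dict[str, List[str]]:
    """GhostBuster-style: the same tree scanned from inside (where a simulated rootkit
    filters the listing) and from trusted boot media (where it cannot)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        populate(root)
        (root / "bin" / "_hidden_kit.sys").write_bytes(b"rootkit driver")
        inside = hash_tree(root, visible=lambda p: not p.name.startswith("_hidden"))
        offline = hash_tree(root)
        return diff_tables(offline, inside)


if __name__ == "__main__":
    print("baseline vs later scan:", demo_baseline())
    print("offline vs inside view:", demo_cross_view())
```

The two demos differ only in what the tables mean. In the baseline case, time passes between the two scans and any difference is a change you must explain. In the cross-view case, both scans describe the disk at the same moment, so any difference can only be something lying to the running system; that is what makes it useful against a kit that would feed a scanner run from inside the same "nothing's wrong" answer it gives everything else.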

