Is your PC Hacked?

Go down

Is your PC Hacked?

Post  wewx_xwew on Fri Oct 22, 2010 7:49 pm

How do u detect it ?
[center]This is the best method to determine if your system has been compromised, but it requires that you:


A. have a basic understanding of the state of an "active connection" and

B. that you're familiar with the port numbers commonly used by the trojans.
With regards to the state of an "active connection". There are several types, but there's really only one type that you need to know about.

The "listening" state - which is when your PC listens on a port number, awaiting for another PC to make a connection to it. The "listening state" is the state that the trojan will be in after your system is rebooted.

NOTE: Some trojans may use more than one port number. This is because one port is used for "listening" and the other/s are used for the transfer of data.

In their default configurations, the following trojans use:

Back Orifice - UDP port 31337 or 31338
Deep Throat - UDP port 2140 and 3150
NetBus - TCP port 12345 and 12346
Whack-a-mole - TCP port 12361 and 12362
NetBus 2 Pro - TCP port 20034
GirlFriend - TCP port 21544
Sockets de Troie - TCP port 5000, 5001 or 50505
Masters Paradise - TCP port 3129, 40421, 40422, 40423 and 40426

Devil - port 65000
Evil FTP - port 23456
GateCrasher - port 6969
Hackers Paradise - port 456
ICKiller - port 7789
ICQTrojan - port 4590
Phineas Phucker - port 2801
Remote Grab - port 7000
Remote Windows Shutdown - port 53001

How to detect them?

If after following the directions outlined further down below, you've determined that your PC is "listening" on any of the above ports. It's a very strong indicator that your PC has been compromised. Click the appropriate link to learn how to remove the trojan involved.

Important Notes:

Although Back Orifice and NetBus are commonly found to be configured to use their default port/s in establishing the connection between the client and server, they have been found to be configured to use different port/s.

Regardless what port/s they may be configured to use, the important thing to know is that if your a home user (and your PC doesn't participate on a LAN or a SoHo LAN), your PC shouldn't be "listening" on any port (or ports) after it's been rebooted.

Keep in mind that for some PC's that are connected to a LAN or a SoHo LAN, it is common for certain ports (137,138 and 139) to be listening. Such ports are used for NetBIOS, and sometimes port 135 (RPC) may be used as well.


How to determine what ports are "listening"

Step 1. - Reboot your PC. Do NOT establish a dial-up connection.

Click Start | Shut Down
Click Restart
Click OK

Step 2. - After you reboot your PC and before doing anything else, open a DOS window.

Click Start | Programs | MS-DOS Prompt

NOTE: If you don't have a shortcut to the MS-DOS Prompt, don't worry. You can


Click Start | Run
Type command
Click OK

Step 3. - Type "netstat -an >>c:\netstat.txt" (without the quotes)
Type netstat -an >>c:\netstat.txt
Press ENTER

Step 4. - Close the DOS window.


Step 5. - Open Explorer

Click Start | Programs | Windows Explorer

Step 6. - Change to the C drive and double click on the netstat.txt file. It should open with NOTEPAD.


Click (C:)
Double-click netstat.txt

Step 7.
Look under the "Local Address" column and examine the port numbers for any connection found to be in a "listening" state.


For reference, the port numbers are shown as ":XXXXX" to the right of the IP address, where "XXXXX" is a 1 to 5 digit number.

Provided below are some examples of what you may might find:

The above example is typical of a home user's PC. The system (after a reboot) doesn't show any active connections. If your system looks like this, then congratulations! You have nothing to worry about.

The above example is typical of a home user's PC that's been compromised with the Back Orifice server portion, and whereby it's been configured to use the port 31337 (the default).

The above example is typical of a PC on a LAN that's been compromised with the Back Orifice server portion, and whereby it's been configured to use port 31337 (the default).

If your system shows any ports in a listening state that you cannot identify or explain. It might be wise to further investigate the possiblity that your system may be compromised with one of these trojans using a different port other than the default/s.



NOTES:

Some ports that may be found in a listening state include:

FTP, which uses TCP port 21
Telnet, which uses TCP port 23
Gopher, which uses TCP port 70
HTTP (a webserver), which uses TCP port 80

If you do find your system "listening" on any of these ports. You should know whether it should or shouldn't be. If it shouldn't be, then it's wise to further investigate the possiblity that your system may be compromised with one of the trojans using a different port other than the default/s.
avatar
wewx_xwew
APA Member

Posts : 10
Points : 14896
Reputation : 0
Join date : 2010-09-25
Age : 28
Location : In yOur Dreams

Back to top Go down

Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum