Robert Hurlbut Blog

Have you or a friend of yours been hacked?  I am referring to the way an attacker can exploit your computer through a missing patch, or an open port that needs to be closed, and essentially now “owns” the machine.

Dana Epp has posted a link to an introductory article that tries to answer the question “How do I go about seeing if I have been hacked?”:

The guys over at Bleeping Computer have written a tutorial that will show you how to determine if your Windows NT, XP, or 2000 box is hacked and how you can go about cleaning up the files they may have left behind.

The tutorial shows you how to detect most hacks, but there are other methods that will be much harder to detect and will require a greater degree of knowledge in detecting them. The author believes that most of the hacks that are done in mass, especially by the script kiddies, will be detectable through these methods.

Dana lists the tools mentioned in the article for performing a simple forensic analysis on your Windows system:

• Fport - Lists all open ports (Think nstat like)
• TCPView - Similar to Fport, but graphical, and shows more info such as CLOSED connections (very important post analysis)
• Process Explorer - A great tool from Sysinternals which shows parent/child relationships with processes
• PSTools - A set of cmd line tools used to open and kill processes, control servives, change passwords etc
• Filealyzer - Windows explorer shell extension to your right click on a file

This is great for your friends and family members who may be wondering and asking you this question.