Re: Signs Your Computer is Hacked or Owned

From: Joe Fitzsimons (joseph.fitzsimons@eircom.net)
Date: 02/04/03


From: "Joe Fitzsimons" <joseph.fitzsimons@eircom.net>
Date: Tue, 4 Feb 2003 17:12:52 -0000

I was going to answer them all, but I got bored. And before you say it, I
know some are overly simplistic.

> SIGNS YOUR COMPUTER IS HACKED/OWNED:
>
> 1. Hackers disable your Daylight Savings Time

Or you set it up wrong, or your battery ran out, or ...

> 2. The clock on the desktop can be one hour behind or one hour ahead on
> occasion.

see above

> 3. Your Network Places Icon on the desktop disappears.

This means that you have removed Client for Microsoft Networks, not that you
have been hacked.

> 4. If using a Windows platform, when you start your computer, your
> original screen will pop up, but since the hackers need to boot into
> their Server(s), the system will quickly re-boot and the original screen
> will appear twice instead of only once. Your system may re-boot twice
> instead of once when loading Windows OEM versions.

No, those would be your DOS drivers loading up.

> 5. If your computer system occasionally re-boots on its own, again,
> the hacker may need to update their Hosts or Servers to make the
> computer system function properly.

Or you broke Windows ... again

> 6. If you play Yahoo Games, you may find yourself being kicked out of
> the board you're playing in. What is worse is if you're winning a game and
> you're the host of the board, the hacker may kick you out and not let you
> back in. When a computer system is hacker proof, you will rarely get
> booted out of a Yahoo Game. When the computer was hacker proof I went
> back to playing games and haven't been booted out of a game, yet.

You sure you're not getting kick-banned by an admin?

> 7. A browser/email application you install to filter out or kill file
> certain individuals on the internet will not work for a long time. When
> your computer system is hacked, you aren't able to filter out people in
> your browser or email application for more than 1-2 days. A number of
> computer owners whose system was hacked have advised me they had the
> same problem. Because hackers are using your illegally installed Hosts
> and Servers for posting to the internet, this is why you can't filter or
> kill file them. This information was very apparent to myself and other
> ferret owners whose computer was hacked.

I won't even try to answer that one.

> 8. When you begin to see Usenet remarks made on behalf of your personal
> life which is private information.

That doesn't happen to most people :-)

> 9. Some of your personal files are modified years before they were
> created, HA-HA! Have seen a number of personal files modified 7-8 years
> before they were even created.

I think you may have set your clock wrong, or maybe your laptop ran out of
batteries (it needs them to keep the clock running even when it's off).

> 10. You find a number of files hidden/readable only. Hackers seem to
> make their files hidden/readable only.

Most versions of Windows hide system files by default.

> 11. When you find a number of added information in your boot.ini file
> which relate to a Virtual Private Network. These can be either
> software, hardware or device driver oriented.

Are you insane?

> 12. Under Search for Files and Folders, you do a search on any file
> modified in the past month and you will see files which just don't need
> to be modified or which you don't even recognize. For the newbie, you
> want to focus on the files you don't recognize. Unless you're a skilled
> professional, you won't realize which files need to be present or
> modified. To perform the above you will need to see all Hidden Files
> and Folders.

Autoupdate ???

> 13. Select Start, Settings, Control Panel, Network, and if you see one
> AOL adapter and have never used AOL. Two AOL adapters, two TCP/IP, two
> Dial-Up adapters, one or two Virtual Private Network adapters your
> computer could be hacked/owned. A Virtual Private Network is widely
> used by malicious hackers because it can host up to 254 users. "This
> applies to the average internet user who has one modem, one ISP and
> isn't running any FTP, HTTP, NNTP, PROXY, SMTP, SOCKS, SQL, SQUID
> SERVER." My skills working with VPNs are almost zero. One victim
> actually had two VPNs set-up and they were only using a modem to connect
> to the internet.

There will always be one TCP/IP for every adapter it is bound to. If VPN
supported adapters are installed (which does not mean you have been hacked)
then there will be two of each of the supported adapters, i.e. Dialup
Adapter / Dialup Adapter with VPN support, etc.

> 14. Select Start, Run, type regedit, select File, Export Registry File,
> in the box type say 4-12-02.txt and select save. Then open this file
> with a text editor or word document and you might be shocked to find
> what really is installed on your computer system. Check the bottom of
> this file, hackers love to install a bunch of applications, Hosts and
> Servers files here.
> 15. You have to turn your computer off by the power supply on a
> somewhat regular basis.

Defrag your hard drive

> 16. Installing a Network Interface Card will cause problems until the
> hackers configure this device into their Servers or Virtual Private
> Network they setup on your computer.

Or until you bind TCP/IP to it.

> 17. You find your cd-rom drive opens and closes without your
> permission.
> 18. You could hear an annoying beep coming from your system speakers.
> 19. Your windows screen goes horizontal or vertical.
> 20. The screen saver picture changes without your permission.
> 21. On occasion your mouse is out of your control or has an imagination
> of its own. This could also be caused by a corrupt mouse driver.
> 22. All of a sudden, your speakers decide to play you some music.
> 23. Installing a hardware/software firewall for the first time can
> cause a number of different problems for you to set-up and configure.
> Considering you didn't have these installed from the beginning of your
> computer going on the internet.
> 24. Your firewall logs show alerts at 12:00 then 11:22 then 12:16 and
> back to 11:59.
> 25. If using a dial-up/cable/dsl connection you see a number of pings,
> port 0 to your computer. The reason for these pings is so the hackers
> can see if your computer is active/alive. A system needs to be online
> for the hackers to access these Hosts and Servers. What the hackers
> actually do is port scan the Internet Service Provider Block of
> addresses and find your computer either with file sharing enabled or a
> Backdoor/Trojan.

> 26. If someone is port scanning your system you will see in your
> firewall logs the port assignment isn't in any type of order. You might
> see a probe at port 1,10,9,8,6,12 etc.

If they're port scanning you, it's probably not because they want to be your
friend, regardless of the order.

> 27. When you find you have to set Zone Alarm firewall on medium instead
> of high settings.

That's the default

> 28. Once you can view all Files and Folders search for files named
> spool*.*.
> 29. You may find another installed version of your software firewall
> application on your hard drive. You would need to Show all Hidden Files
> and Folders under your Settings, Control Panel, Folder Option and View,
> if using a Windows Platform.

I think it's more likely you messed up a previous installation

> 30. When you see too many FTP - port 21, HTTP - port 80, NNTP - port
> 119, Pings - port 0, Proxy - port 80,8080,3128 and SMTP - port 25, port
> probes. Your computer is probably running an illegal, "ftp", "mail and
> news", "proxy", or "web server" which hackers are attempting to access
> for their own personal use.

Do you know how big IIS is? Or Win32 Apache? I doubt most people have the
bandwidth to have this downloaded onto their machine in a reasonable time.

> 31. If you don't see your computer node/source IP address on a
> "consistent basis" to the right side of your software firewall log, your
> system is hacked. The hackers are tunneling via your system to attack
> other Networks and Systems so their identity can't be traced.

The firewall log file will depend on the firewall.

> 32. When you perform a traceroute on an IP address and you lose your
> node/source IP address, ISP routers IP. Or when you don't see your node
> IP address at all.

Tracert/traceroute don't show your IP anyway. They show the first hop IP
first, then the second hop, etc.
They do this by setting the TTL (time to live) on packets to increasing
values.
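
The TTL mechanism described in the last reply, as an added example that is not part of the original post: an offline Python model of a traceroute run over a constructed path, showing that the hop list is built only from addresses that answer probes, so the probing host's own IP never appears in it. All addresses are documentation-range placeholders and the function names are hypothetical.

```python
"""Offline model of how traceroute discovers hops by raising the TTL."""

# Constructed sample path: documentation-range addresses, not real hosts.
SOURCE = "192.0.2.10"
ROUTERS = ["192.0.2.1", "198.51.100.1", "198.51.100.254"]
DESTINATION = "203.0.113.80"


def send_probe(ttl, routers, destination):
    """Forward one probe; return (replying_address, reply_type).

    Each router decrements the TTL. The router that brings it to zero
    drops the packet and answers with ICMP Time Exceeded from its own
    address. A probe that survives every router reaches the destination.
    """
    for router in routers:
        ttl -= 1
        if ttl == 0:
            return router, "time-exceeded"
    return destination, "destination-reached"


def traceroute(routers, destination, max_hops=30):
    """Return the hop list a traceroute run would print for this path."""
    hops = []
    for ttl in range(1, max_hops + 1):  # TTL 1, 2, 3, ... as in the reply
        addr, kind = send_probe(ttl, routers, destination)
        hops.append((ttl, addr, kind))
        if kind == "destination-reached":
            break  # stop once the target itself has answered
    return hops


def source_in_output(source, hops):
    """True if the probing host's own address appears in the hop list."""
    return any(addr == source for _, addr, _ in hops)


if __name__ == "__main__":
    result = traceroute(ROUTERS, DESTINATION)
    for ttl, addr, kind in result:
        print(f"{ttl:2d}  {addr:<16} {kind}")
    print("source listed:", source_in_output(SOURCE, result))
```

A run that hits `max_hops` before the destination answers simply ends with the last router that replied, which is also normal traceroute behaviour and not a sign of compromise.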


