Tracing a Hacker
Sometimes, it’s just not enough to simply know that there’s a Trojan or Virus onboard. Sometimes you need to know exactly
why that file is onboard, how it got there - but most importantly, who put it there.
By enumerating the attacker in the same way that they have enumerated the victim, you will be able to see the bigger picture and
establish what you’re up against. But how can you do this? Read on…
Connections make the world go round
The computer world, at any rate. Every single time you open up a website, send an email or upload your webpages into cyberspace,
you are connecting to another machine in order to get the job done. This, of course, presents a major problem, because this simple act
is what allows malicious users to target a machine in the first place.
How do these people find their victim?
Well, first of all, they need to get hold of the victim’s IP Address. Your IP (Internet Protocol) address reveals your point of entry to the
Internet and can be used in many ways to cause your online activities many, many problems. It may not reveal you by name, but it may be
uniquely identifiable and it represents your digital ID while you are online (especially so if you’re on a fixed IP / DSL etc).
With an IP address, a Hacker can find out all sorts of weird and wonderful things about their victim (as well as causing all kinds of other trouble,
the biggest two being Portnukes/Trojans and the dreaded DoS (Denial of Service) attack). Some Hackers like to collect IP Addresses like badges,
and like to go back to old targets, messing them around every so often. An IP address is incredibly easy to obtain - until recently, many real-time chat
applications (such as MSN) were goldmines of information. Your IP Address is contained as part of the Header Code on all emails that you send, and
webpages that you visit can store all kinds of information about you. A common trick is for the Hacker to go into a Chatroom, paste his supposed website
address all over the place, and when the unsuspecting victim visits, everything about the victim's computer from the operating system to the screen resolution
can be logged…and, of course, the all-important IP address. In addition, a simple network-wide port scan will reveal vulnerable target machines, and a
war-dialler will scan thousands of lines for exposed modems that the hacker can exploit.
So now that you know some of the basic dangers, you’re probably wondering how these people connect to a victim’s machine?
Virtual and Physical Ports
Everything that you receive over the Internet comes as a result of other machines connecting to your computer’s ports. There are two types:
Physical are the holes in the back of your machine, but the important ones are Virtual. These allow transfer of data between your computer and
the outside world, some with allocated functions, some without, but knowing how these work is the first step to discovering who is attacking you;
you simply MUST have a basic knowledge of this, or you won’t get much further.
What the phrases TCP/UDP actually mean
TCP/IP stands for Transmission Control Protocol and Internet Protocol. A TCP/IP packet is a block of data which is compressed, then a header is put
on it and it is sent to another computer (UDP stands for User Datagram Protocol). This is how ALL internet transfers occur, by sending packets. The
header in a packet contains the IP address of the one who originally sent you it. Now, your computer comes with an excellent (and free) tool that allows
you to see anything that is connected (or is attempting to connect) to you, although bear in mind that it offers no blocking protection; it simply tells you
what is going on, and that tool is NETSTAT.
Netstat: Your first line of defence
Netstat is a very fast and reliable method of seeing exactly who or what is connected (or connecting) to your computer. Open up DOS (Start/Programs/MS-DOS
Prompt on most systems), and in the MSDOS Prompt, type:
netstat -a
(make sure you include the space in between the “t” and the “a”).
If you’re connected to the Internet when you do this, you should see something like:
Active Connections

  Proto  Local Address     Foreign Address                    State
  TCP    macintosh:20034   modem-123.tun.dialup.co.uk:50505   ESTABLISHED
  TCP    macintosh:80      proxy.webcache.eng.sq:30101        TIME_WAIT
  TCP    macintosh         MACINTOSH:0                        LISTENING
  TCP    macintosh         MACINTOSH:0                        LISTENING
  TCP    macintosh         MACINTOSH:0                        LISTENING
Now, “Proto(col)” simply means what kind of data transmission is taking place (TCP or UDP), “Local address” is your computer (and the number next
to it tells you what port you’re connected on), “Foreign Address” is the machine that is connected to you (and what port they’re using), and finally “State”
is simply whether or not a connection is actually established, or whether the machine in question is waiting for a transmission, or timing out etc.
Now, you need to know all of Netstat’s various commands, so type:
netstat ?
You will get something like this:
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]
-a Displays all connections and listening ports.
-e Displays Ethernet statistics. This may be combined with the -s option.
-n Displays addresses and port numbers in numerical form.
-p proto Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP.
-r Displays the routing table.
-s Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.
Have a play around with the various options, but the most important use of these methods is when you combine them. The best command to use is
netstat -an
because this will list all connections in Numerical Form, which makes it a lot easier to trace malicious users…Hostnames can be a little confusing if
you don’t know what you’re doing (although they’re easily understandable, as we shall see later). Also, by doing this, you can also find out what your
own IP address is, which is always useful.
Also,
netstat -b
will tell you which ports are open and which programs are connecting to the Internet.
Types of Port
It would be impossible to find out who was attacking you if computers could just access any old port to perform an important function; how could you
tell a mail transfer from a Trojan Attack? Well, good news, because your regular, normal connections are assigned to low, commonly used ports, and in
general, the higher the number used, the more you should be suspicious. Here are the three main types of port:
Well Known Ports These run from 0 to 1023, and are bound to the common services that run on them (for example, mail runs on port 25 tcp/udp,
which is smtp (Simple Mail Transfer Protocol)), so if you find one of these ports open (and you usually will), it’s usually because of an essential function.
Registered Ports These run on 1024 to 49151. Although not bound to a particular service, these are normally used by networking utilities like FTP
software, email clients and so on, and they do this by opening on a random port within this range before communicating with the remote server, so don’t
panic (just be wary, perhaps) if you see any of these open, because they usually close automatically when the system that’s running on them terminates
(for example, type in a common website name in your browser with netstat open, and watch as it opens up a port at random to act as a buffer for the remote
servers). Services like MSN Messenger and ICQ usually run on these Ports.
Dynamic/Private Ports Ranging from 49152 to 65535, these things are rarely used except with certain programs, and even then not very often. This is
indeed the usual range of the Trojan, so if you find any of these open, be very suspicious. So, just to recap:
Port type               Range            Verdict
Well Known Ports        0 to 1023        Commonly used, little danger.
Registered Ports        1024 to 49151    Not as common, just be careful.
Dynamic/Private Ports   49152 to 65535   Be extremely suspicious.
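The two halves of the text come together in practice when you read a `netstat -an` listing column by column and then apply the recap table to each row. The following Python script is an added example, not code from the original article: it parses the Proto / Local Address / Foreign Address / State columns described in the Netstat section and sorts every socket into the three port ranges above. The sample netstat output embedded in it is constructed (addresses are from the RFC 5737 documentation ranges), and the function names (`parse_netstat`, `triage`, `suspicious_sockets`) and the `Socket` record are this example's own.

```python
"""Triage `netstat -an` output by the port-range rule of thumb in the text.

Added example, not code from the original article.  The Socket record, the
function names and the sample output are all constructed for this example;
the addresses use the RFC 5737 documentation ranges.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of what `netstat -an` prints on a Windows machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1031        198.51.100.7:80        ESTABLISHED
  TCP    192.0.2.10:1042        203.0.113.25:25        TIME_WAIT
  TCP    0.0.0.0:54321          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:60001       198.51.100.99:6667     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


@dataclass
class Socket:
    """One row of netstat output: the Proto / Local / Foreign / State columns."""
    proto: str
    local_host: str
    local_port: Optional[int]
    remote_host: str
    remote_port: Optional[int]
    state: str  # empty for UDP rows, which have no State column


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'192.0.2.10:1031' -> ('192.0.2.10', 1031); '*:*' -> ('*', None).

    Splits on the last colon so an IPv6 literal such as '[::]:135'
    keeps its host part intact."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Socket]:
    """Turn raw netstat text into Socket records, skipping banner and header."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # "Active Connections", blank line, or column header
        local_host, local_port = split_endpoint(fields[1])
        remote_host, remote_port = split_endpoint(fields[2])
        state = fields[3] if len(fields) > 3 else ""
        sockets.append(Socket(fields[0], local_host, local_port,
                              remote_host, remote_port, state))
    return sockets


def port_class(port: int) -> str:
    """The three ranges from the recap table in the text."""
    if port <= 1023:
        return "well known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


VERDICT = {
    "well known": "little danger",
    "registered": "just be careful",
    "dynamic/private": "be extremely suspicious",
}


def triage(sock: Socket) -> str:
    """Apply the text's rule: the higher the port, the more suspicious.

    A LISTENING (or UDP) socket is judged by its local port, because that is
    what is exposed to the outside.  A connected TCP socket is judged by the
    foreign port, the service the machine is talking to, since the local end
    of an outbound connection is just a randomly chosen registered port."""
    if sock.state == "LISTENING" or sock.proto == "UDP":
        port = sock.local_port
    else:
        port = sock.remote_port
    if port is None:
        return "unknown"
    return VERDICT[port_class(port)]


def suspicious_sockets(text: str) -> List[Socket]:
    """Every row that lands in the 'be extremely suspicious' bucket."""
    return [s for s in parse_netstat(text)
            if triage(s) == "be extremely suspicious"]


if __name__ == "__main__":
    for s in parse_netstat(SAMPLE_NETSTAT):
        print(f"{s.proto:4} {s.local_host}:{s.local_port}  ->  "
              f"{s.remote_host}:{s.remote_port}  {s.state:12} {triage(s)}")
```

On the sample, the only row in the top bucket is the listener on 0.0.0.0:54321; the outbound connections to ports 80, 25 and 6667 are judged by the service at the far end, not by the random local port. One caveat for anyone running this on a current machine: Windows Vista and later pick their random outbound ports from 49152 to 65535 by default, so the "dynamic means Trojan" rule from the text will flag ordinary browsing on those systems unless you restrict it to LISTENING rows as the script does. Whatever it flags, confirm with `netstat -b` (or `netstat -o`, which prints the owning process ID) before drawing conclusions.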