Has Your Computer Been Hacked?
If your system has been hacked, it will probably display one or more of the following.
On Windows machines...
High outgoing network traffic. If you notice an unusually high volume of outgoing network traffic (especially when your computer is idle), it is possible that your computer has been compromised. It may be used to send spam or by a network worm that is replicating.
Increased disk activity or suspicious files in the root directories of any drives. After hacking into a system, many hackers run a scan for interesting files containing passwords or logins. Similarly, some worms search the disk for files containing email addresses. If you notice major disk activity when the system is idle and suspiciously named files in common folders, this may be an indication of a system hack or malware infection.
Large number of packets coming from a single address stopped by a personal firewall. After locating a target, hackers usually run automated probing tools that try various exploits to break into the system. If you run a personal firewall and notice an unusually high number of blocked packets coming from the same address, this is a good indication that your machine is under attack. The good news is that if your personal firewall is reporting these attacks, you are probably safe. However, depending on how many services you expose to the Internet, the personal firewall may fail to protect you against an attack directed at a specific service running on your system.
Your antivirus suddenly reports backdoors or trojans detected. Although hacker attacks can be complex and innovative, many rely on known trojans or backdoors to gain full access to a compromised system. If the resident component of your antivirus is detecting and reporting such malware, this may be an indication that your system can be accessed from outside your network perimeter.
On Unix machines...
Suspiciously named files in the /tmp folder. Many exploits in Unix rely on creating temporary files in the /tmp standard folder which are not deleted after the system hack. The same is true for some worms known to infect Unix systems; they recompile themselves in the /tmp folder and use it as their "home".
Modified system binaries such as login, telnet, ftp, finger, sshd, or ftpd. After breaking into a system, a hacker usually attempts to plant a backdoor, either in one of the daemons reachable directly from the Internet or by modifying the standard system utilities used to connect to other systems. The modified binaries are usually part of a rootkit and are generally 'stealthed' against simple direct inspection. In all cases, it is a good idea to maintain a database of checksums for every system utility and periodically verify them with the system offline, in single-user mode.
Modified /etc/passwd, /etc/shadow, or system files in the /etc folder. Hacker attacks sometimes add a new user to /etc/passwd that can be used to log in remotely later. Look for any suspicious usernames in the password file and monitor all additions, especially on a multi-user system.
Suspicious services added to /etc/services. Opening a backdoor in Unix is a matter of adding two lines of text: one to /etc/services and one to /etc/inetd.conf. Closely monitor these two files for any additions which may indicate a backdoor bound to an unused or suspicious port.
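The checksum database recommended above for system binaries and /etc files, as an added example that is not part of the original article: a POSIX sh baseline/verify pair. The function names, the baseline format (sha256sum output lines), and the constructed sample files are this example's own assumptions.

```shell
#!/bin/sh
# Added example: baseline and verify SHA-256 checksums of the system
# binaries and /etc files the article says to monitor. Function names and
# the baseline format (sha256sum output lines) are this example's choice.

# Print "<sha256>  <path>" for one file with whichever tool is installed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# baseline_create BASELINE FILE... : record the current hash of each file.
# Build it from a known-good state (fresh install or single-user mode) and
# keep BASELINE where the running system cannot alter it (read-only media).
baseline_create() {
    baseline="$1"; shift
    : > "$baseline"
    for f in "$@"; do hash_file "$f" >> "$baseline" || return 1; done
}

# baseline_verify BASELINE : rehash every recorded file; print one line per
# problem (CHANGED or MISSING) and return 1 if any drift was found, else 0.
baseline_verify() {
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -e "$path" ]; then echo "MISSING $path"; status=1; continue; fi
        actual=$(hash_file "$path" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || { echo "CHANGED $path"; status=1; }
    done < "$1"
    return "$status"
}

# Demonstration on constructed stand-ins for /bin/login and /etc/passwd.
# Real use: baseline_create /root/base.sha256 /bin/login /usr/sbin/sshd \
#           /etc/passwd /etc/shadow /etc/services /etc/inetd.conf
demo=$(mktemp -d)
printf 'login binary v1\n' > "$demo/login"
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$demo/passwd"
baseline_create "$demo/base.sha256" "$demo/login" "$demo/passwd"
baseline_verify "$demo/base.sha256" && echo "clean: matches baseline"
# Simulate the drift the article describes: a replaced binary, a new account.
printf 'login binary v1 + extra code\n' > "$demo/login"
printf 'newuser:x:0:0::/:/bin/sh\n' >> "$demo/passwd"
baseline_verify "$demo/base.sha256" || echo "drift detected, investigate"
rm -rf "$demo"
```

Run the verify step from a boot medium you trust, since a rootkit on the live system can lie to both sha256sum and the shell itself.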
©2017 Warren Alford