Advice from a Real Hacker: How to Know if You've Been Hacked - Null Byte
09/30/2014 3:46 PM
It seems like every day now we see a new headline about a cyber security breach. These headlines usually involve millions of records being
stolen from some large financial institution or retailer. What doesn't reach the headlines are the many individual breaches that happen millions of
times a day, all over the world.
In previous articles, I've shown you how to create stronger passwords and how to prevent your home system from being compromised, but people
are always asking me, "How can I tell if my system has already been hacked?"
The answer to that question is not simple. Hacker software has become so sophisticated that it is often hard to detect once it has become
embedded in your system. Although antivirus/anti-malware software can often be effective in keeping your system from being infected, in many
cases, once it has become infected, the software can't detect or remove the infection.
The reason for this is that the best malware embeds itself in your system files and looks and acts like part of your key Windows system files.
Often, it will replace a system file with itself, keeping the same file name and functionality, but adding its own functionality. In this way, it looks
and acts similarly to the necessary system file that your operating system needs to function properly, only the additional functionality gives a
remote hacker access to your system and system resources at their will.
Step 1
Run Antivirus Software
http://nullbyte.wonderhowto.com/howto/advicefromrealhackerknowifyouvebeenhacked0157336/
Although it's hard for the average consumer to evaluate AV software, and every software developer claims to be the best, there is an objective
laboratory that does evaluate the effectiveness of AV software. It's known as Virus Bulletin, and you can see its results here. The chart below is
from their latest results evaluating numerous products. As you can see, AV software is NOT created equal.
In the two systems I will use in this article, both had been through a deep AV scan of the entire hard drive. In both cases, no malware or viruses
were detected, but I was still suspicious of infection.
Step 2
Check Task Manager
The first thing to check when you suspect that you have been hacked is your Windows Task Manager. You can access it by hitting Ctrl+Alt+Del on
your keyboard and selecting Task Manager at the bottom of the menu that pops up, or just type Task Manager in the run line of your Start menu.
When you open the Task Manager and click on the "Processes" tab, you should get a window similar to the one below. Note at the bottom the CPU
usage. In this infected machine, the system is sitting idle and CPU usage is spiking near 93%! Obviously, something is going on in this system.
Below, you will see the same Task Manager on an uninfected system. With the system idle, CPU usage is under 10%.
Step 3
Check System Integrity Checker in Windows
Now that we know something is awry on our system, let's delve a bit deeper to see if we can identify it.
Very often, malware will embed itself into the system files which would explain why the AV software couldn't detect or remove it. Microsoft builds
a system integrity checker into Windows called sfc.exe that should be able to test the integrity of these system files. From Microsoft's
documentation, it describes this utility saying:
"System File Checker is a utility in Windows that allows users to scan for corruptions in Windows system files and restore corrupted files."
The idea here is that this utility checks whether any changes have been made to the system files and attempts to repair them. Let's
try it out. Open a command prompt by right-clicking it and choosing Run as Administrator. Then type the following command (make sure to press
Enter afterward).
sfc /scannow
As you can see from the above screenshot, the malware remains hidden even from this tool.
Step 4
Check Network Connections with Netstat
If the malware on our system is to do us any harm, it needs to communicate with the command and control center run by the hacker. Someone,
somewhere, must control it remotely to get it to do what they want and then extract what they want.
Microsoft builds a utility into Windows called netstat. Netstat is designed to identify all connections to your system. Let's try using it to see
whether any unusual connections exist.
Once again, open a command prompt and use the following command.
netstat -ano
Since a piece of malware embedded in the system files can manipulate what the operating system is actually telling us and thereby hide its
presence, this may explain why nothing unusual showed up in netstat. This is one more indication of how recalcitrant some of this malware
can be.
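To make the netstat step concrete, here is an added Python example (not from the original article) that parses netstat -ano output and applies the article's own heuristic: established connections to hosts outside the local network on ports in the 1500-60000 range, grouped by PID so each hit can be matched against the Task Manager "Processes" tab. The netstat text is constructed sample data; because netstat runs on the possibly infected host, a rootkit can hide lines from it, so this only triages what netstat reports.

```python
"""Triage `netstat -ano` output from a Windows host.

Added example, not part of the original article. The netstat text below is
constructed sample input, not a real capture; the 203.0.113.x and
198.51.100.x addresses are documentation ranges standing in for real external
hosts."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output in Windows format.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.103:49721    192.168.1.1:53         TIME_WAIT       0
  TCP    192.168.1.103:49730    203.0.113.10:443       ESTABLISHED     4120
  TCP    192.168.1.103:49742    198.51.100.77:4444     ESTABLISHED     2260
  TCP    192.168.1.103:49745    198.51.100.77:4444     ESTABLISHED     2260
  TCP    192.168.1.103:49750    192.168.1.20:8080      ESTABLISHED     3388
  TCP    192.168.1.103:49801    203.0.113.55:31337     ESTABLISHED     2260
  UDP    0.0.0.0:5353           *:*                                    1488
"""

# One connection line: proto, local, foreign, optional state (UDP has none), PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+)\s+(?P<faddr>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

LOW_PORT, HIGH_PORT = 1500, 60000  # port range the article suggests watching
# Addresses treated as "local": the RFC 1918 private ranges and link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); handles '*:*' and '[::1]:80'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Yield one dict per connection line of `netstat -ano` output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header or blank line
        yield {"proto": m.group("proto"),
               "local": split_endpoint(m.group("laddr")),
               "remote": split_endpoint(m.group("faddr")),
               "state": m.group("state") or "",
               "pid": int(m.group("pid"))}

def is_external(host):
    """True if host parses as an IP that is not local, loopback or wildcard."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' or a non-IP token
    if addr.is_unspecified or addr.is_loopback:
        return False
    return not any(addr in net for net in LOCAL_NETS)

def suspicious_connections(text):
    """Map PID -> unique (remote_host, remote_port) pairs for ESTABLISHED
    connections to external hosts on ports in the 1500-60000 range."""
    hits = defaultdict(list)
    for conn in parse_netstat(text):
        host, port = conn["remote"]
        if conn["state"] != "ESTABLISHED" or port is None:
            continue
        if LOW_PORT <= port <= HIGH_PORT and is_external(host):
            if (host, port) not in hits[conn["pid"]]:
                hits[conn["pid"]].append((host, port))
    return dict(hits)

if __name__ == "__main__":
    for pid, remotes in sorted(suspicious_connections(SAMPLE_NETSTAT).items()):
        print(f"PID {pid}: " + ", ".join(f"{h}:{p}" for h, p in remotes))
```

A PID that shows up here and also sits near the top of Task Manager's CPU column is the process to investigate first.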
Step 5
Check Network Connections with WireShark
If we can install third-party software for analyzing the connections to our computer, we may be able to identify the communication to and from
our computer by some malicious entity. The perfect piece of software for this task is called Wireshark.
Wireshark is a free, GUI-based tool that will display all the packets traveling into and out of our computer. In this way, we might be able to
identify that pesky malware that is using up all our CPU cycles and making our system so sluggish.
Since Wireshark is an application and not part of the Windows system, it is less likely to be controlled and manipulated by the malware. You can
download Wireshark here. Once it has been installed, click on your active interface and you should see a screen open like the one below.
Wireshark then can capture all the packets traveling to and from your system for later analysis.
The key here is to look for anomalous packets that are not part of your "normal" communication. Of course, it goes without saying that you first
should have an idea of what is "normal."
If you haven't looked at your normal communication, you can instead filter packets to look at only a subset of all your communication. As attackers
often use high-numbered ports to evade detection, you can filter for, say, ports 1500-60000. If malicious communication is taking place, it will
likely appear in that port range. Furthermore, let's just look for traffic leaving our system to see whether the malware is "phoning home" on one of
those ports.
We can create a filter in Wireshark by typing it into the Filter window beneath the main menu and icons. Filters in Wireshark are a separate
discipline entirely and beyond the scope of this article, but I will walk you through a simple one for this purpose here.
In this case here, my IP address is 192.168.1.103, so I type:
ip.src == 192.168.1.103
This filter will only show me traffic FROM my system (ip.src). Since I also want to filter for ports above 1500 and below 60000, I can add:
Now click on the Apply button to the right of the filter window to apply this filter to all traffic. When you do so, you will begin to filter for only the
traffic that meets these conditions.
Now the key is to look for unusual traffic here that is not associated with "normal" traffic from your system. This can be challenging. To identify
the malicious traffic, you will need to type the unknown IP addresses that your machine is communicating with (see the IP addresses in the box)
into your browser and check to see whether it is a legitimate website. If not, that traffic should be immediately viewed with some skepticism.
Detecting whether your computer is infected with malware is not necessarily a simple task. Of course, for most, simply relying on antivirus
software is the best and simplest technique. Given that this software is imperfect, some of the techniques outlined here may be effective in
determining whether you have really been hacked or not.
Cover image via Shutterstock
45 Comments
GHOST_
Just going to add a note here on what I use; as picking an antivirus software can be a somewhat daunting task and it's hard for some to know what they want.
I personally use Trend Micro Titanium Maximum Security, reasons are as follows.
1. It performs definition updates at least a few times a week.
What this means is that it collects updates for known or recently discovered malware quite regularly.
2. Trend Micro has a database of "safe" websites.
What this means is that if you are surfing the web and come across an unknown site, your antivirus software will send the IP address of the unknown site to
Trend Micro. They will then check the website for malicious software.
3. It is proactive software rather than reactive.
One of the biggest reasons I went with this is because it scans items and blocks potential threats coming into your system; other antivirus software are often
reactive in their approach, which means they remove items after infection.
For example, I recently upgraded computers; the old computer had a free AVG software on it and on the new computer I had installed Trend Micro. As I was
transferring data across Trend Micro picked up an ebook with malicious code embedded within it and deleted it immediately. The ebook never even got a chance
to enter my system.
4. Requiring a password to access areas such as settings.
This may seem fairly trivial, but having a password to access the settings means that someone who has compromised your system will find it a lot harder to
disable the antivirus.
Cont...
GHOST_
Cont...
5. Paid antivirus software is often much, much better than freeware.
Freeware is quite often malicious itself. There is trusted freeware available of course, but if you're using something like free AVG please upgrade to a paid version.
Free AVG will protect your system files such as the registry, but the user directories will remain unchecked and this is quite often where malware is introduced
into the system.
A lot of people don't want to pay for antivirus as they find the price too steep; however, what they fail to realise is that they're purchasing multi-licence copies. It
costs AUD$129.95 for Trend Micro on up to 5 devices for 12 months; devices include PCs, Macs, all smartphones, and tablets.
129.95 / 12 = 10.83 rounded up
10.83 / 5 = 2.17 rounded up
That means it's costing you AUD$2.17 per device, per month for protection. Once you break it down like that, the price doesn't seem terribly steep.
Now I'm not saying Trend Micro is the be all and end all of antivirus software, but those are my reasons for choosing one software over many others, I may be a
bit off on some points and please someone correct me if I am. But there you have it.
ghost_
STEVE BEKENSHTEIN
2 YEARS AGO
Hi bro,
If I just checked my system with the cpu in the task manager, is it enough or do I need to check more things like connections?
What does it need to show if my system is infected or not, bro?
In addition, do you have facebook or skype, you really help me,
thanks! (:
OCCUPYTHEWEB
2 YEARS AGO
Steve:
There is no single value to indicate your system is compromised. It depends upon the software injected into your system, but if you see CPU usage over 10% when
the system is idle, I would be suspicious.
OTW
STEVE BEKENSHTEIN
2 YEARS AGO
OCCUPYTHEWEB
2 YEARS AGO
3% is not enough to indicate a compromise. You still might be compromised, but that reading alone does not indicate anything to worry about.
I do have skype and facebook, but I only take questions in this forum here at wonderhowto.com
D0P3
1 YEAR AGO
STEVE BEKENSHTEIN
2 YEARS AGO
OCCUPYTHEWEB
2 YEARS AGO
Steve:
Did you read this tutorial?
OTW
P.S. I'm not your bro. I'm your teacher. Address me with respect or don't address me at all.
GREY W0LF
1 YEAR AGO
New to the IT industry. I am destined to become a master ethical hacker and would like to know if electronic circuits training is a good foundational place to
start. Is being an electronics technician valued today, and can the knowledge benefit a hacker?
OCCUPYTHEWEB
1 YEAR AGO
Demetrius:
I would not spend a lot of time studying electronic circuits if you want to be a hacker.
OTW
GREY W0LF
1 YEAR AGO
What if I wanted to hack other electronics like TVs, streetlights, refrigerators, ATMs and machines, and cars?
OCCUPYTHEWEB
1 YEAR AGO
Unless you were physically hacking them, the circuits would not help at all.
Here we are interested in hacking the software that controls the device. The hardware is irrelevant.
GREY W0LF
1 YEAR AGO
So when would the knowledge of circuits benefit a hacker/individual seeking supreme technological power in today's world?
GHOST_
CYBERHITCHHIKER
1 YEAR AGO
I think you should reverse broadcom chips since you could probably hack hardware better than anyone here.
STEVE BEKENSHTEIN
2 YEARS AGO
OCCUPYTHEWEB
2 YEARS AGO
STEVE BEKENSHTEIN
2 YEARS AGO
IWANNABE
2 YEARS AGO
Hello Master.
Good post. What you do is great.
I've been following your posts since a few months ago.
GREENLEMON
1 YEAR AGO
Oh no! I got two listeners. Am I right? How can I get rid of them?
AM PHIBIAN
1 YEAR AGO
Hello Sir,
Thanks for an informative article. I was wondering how likely it is that a Unix/Linux system gets compromised? Or is it just because of the nature of distribution
that Windows is just more popular to get attacked?
OCCUPYTHEWEB
1 YEAR AGO
In some ways, Linux and the Mac OS are easier to hack. Most people using those OSes don't use firewalls or AV, thinking they are safe, making it much easier for
me and other hackers.
If I am developing a hack, I'm going to invest my time and money on the OS that is used in over 90% of computers, though.
-IMX-
1 YEAR AGO
As my email account got hacked, is there any way to receive the hacker's IP?
DREW REGAMALD
1 YEAR AGO
Hi, I have a question. I'm being surveilled by people (no, not police). They use cameras to film me and have hacked my phone several times to locate me, but also
possibly to see my personal info. I know they definitely are, as I put my SIM in an old pre-smartphone, like an old red brick Nokia, and lose them within an hour. Sure
enough, they call on a private number; once the phone call is answered they wait silent, no noise, nothing, twenty or thirty seconds; they have a lock on my location; the call ends; then
within ten minutes they are there following me. So here is my question: I'm too scared to even think about turning on my home computer or giving it an internet connection, or
laptops or a smartphone (I'm using my phone at the moment but have it wiped with absolutely no personal info on it at all, but think they are tracking me through my
cell tower pings or GPS?), as I'm unsure if they're watching. So what could I do? And is there some type of program I could run on my devices to either stop/block them
or to hack them back? Possible or not, I'm not sure, and no, I'm not crazy, I am 200% sure, and fuck, they're good. Side note: no, I'm not a criminal either; it's a long
complicated story. Any advice would be greatly appreciated, thank you.
OCCUPYTHEWEB
1 YEAR AGO
DREW REGAMALD
Thanks, I've been told to do that by some friends I asked for advice, but I need solid proof. I know they're private investigators, as I'm involved in a big legal dispute
worth half a mil, so I know why they are doing it, but to prove it is a different story, as they will just deny it even happened. Hacking my phone to find my
location is illegal; only police are allowed to do that, and then they have to have a warrant. They have even moved into a house across the street from me and film
me. I know it's an invasion of privacy but was not sure what to do, as I'm not too tech savvy, but I've been documenting it so as to produce it when I get to court. But
yeah, I'll give the police a call and see what they say. I was just wondering if there was a type of program to stop them from hacking me or discovering all my personal
information. Thanks for your reply.
CYBERHITCHHIKER
1 YEAR AGO
Sounds like a private investigator at work or some agent working for an entity.
You have any insurance claims pending or current? Are you injured in some way?
If no to both, it seems pretty suspect to me, and why not just walk up and ask them what they are doing?
If you are being actively traced by cell towers, it's not a P.I., and I would think pretty hard about anything you did to pick up that rookie tail work, if it's even that.
CYBERHITCHHIKER
1 YEAR AGO
DREW REGAMALD
Yeah, thanks. I am involved in a negligence claim and have multiple injuries. I see this site has a lot of articles on hacking; I wasn't really wanting to become an
experienced hacker, just want to see if I could run a program on my devices to stop them, but I'm going to have a good read up on your tutorials, might help me a bit.
I can't just approach them, as by their stupid laws I would be doing the wrong thing and the claim would be denied, but it sucks that they can break the law just to find any
way out of paying a claim. And I know they have a PI following me, and they definitely are tracking me through my phone. See, I live in the country and constantly
take them for a drive through state forests, and they hate it. I've gone from location to location letting them find me just to prove to my family that it's them. They
finally believe me now, lol, but as I lose them in the forest, that's why they hack/trace my phone to find me again.
CYBERHITCHHIKER
1 YEAR AGO
DREW REGAMALD
Yep, will do. Thanks for asking; no, I'm not OK at all, but ah well, that's another story. Possibly going to have to have my disc fused in my spine, and I'm only 28, plus more.
Yeah, I understand that none of what we've discussed is legal advice; I'll definitely keep the lawyer up to date, but he is saying I've already won my case before it
even hits court. Yeah, it's civil; done it at work, employer breached at least 5 different OHS laws and insurance already accepted full liability. I'm not sure on the laws of
a PI following me, but I know if they're tracing my location through my phone it's highly illegal. I've been told I can prove they have been following me, but to prove they
have hacked into my comp or phone is a lot harder. Would much prefer just to stop them or possibly hack back and give them a virus or one of them trojan worm
things, lol, cause them a headache. But all good, thanks for your replies, I really appreciate it, take it easy, cheers, Drew
HAROLD OBER
KENZIE KAY
1 YEAR AGO
Hi, thank you for your article. I am a little bit computer literate, so please bear with an old gal. I have a renter in my home who got hacked, and I think they may
have gotten into my computer as well. Since then, I have added a password to my router (instead of the generic) and it is also a secure network. I have set up a
guest connection to the router for renters and have changed all those passwords also; this guest connection was set up prior to this renter. The computer runs OK but
the internet seems sluggish at times. I have Norton 360 and also run Glary Utilities and Malwarebytes. I am trying to follow your steps but unfortunately, being a
layman, I am not sure what to look for. I was completely lost at Wireshark and did not attempt it. BUT, when I ran sfc /scannow it came back saying: Windows
Resource Protection found corrupt files but was unable to fix them. It told me where to find the log, but of course after looking at the log, it is Greek to me also. Do
you have any advice on how I should proceed? Oh, not sure if this is anything or not, but I also know every day or so a DOS screen randomly opens and quickly
closes. The DOS screen size is less than 1/4 the size of my 15" laptop screen when it opens. Is that an indication of being hacked also? I never in my life of having
computers had that happen until this renter moved in 2 months ago. Please advise in layman's terms if you please and/or have the patience. I really appreciate your
article, what I could follow anyway. Very interesting. Thank you.
PAUL
1 YEAR AGO
What should we do if we find out with Wireshark that someone has hacked the computer?
PAUL
1 YEAR AGO
Also, is there any way to check on a Mac whether my computer has been hacked?
VOIDX
1 YEAR AGO
OTW,
Let's say I suspect one of my computers of having malware (99% disk and 70% RAM used during idle).
Can I run Wireshark from Kali on one of my other computers to see what kind of packets the suspected computer is sending?
Also, in your article you wrote "packets between 1500 and 60000".
Why cap at 60000? Is that the maximum port number?
(I know 1500 is probably because everything under 1024 is taken, and anything close to 1024 will be found easily.)
TRIPHAT
1 YEAR AGO
You actually should run Wireshark on another machine, as your primary might have a rootkit to hide network activity, which you wouldn't see. If you cross the
data between local sniffing and remote sniffing and see discrepancies, you may actually have one.
Also, ports go up to 65535, and all ports below 1024 require root privilege on Linux to run, but on Windows this doesn't apply; it's just a convention, it's not that
they are all taken.
Anyway, Wireshark will tell you what the common port is used for, but really port usage is totally arbitrary... you can run a webserver on port 65000 or your
malware can contact its IRC C&C server on port 65432.
MARTIN TSVETKOV
1 YEAR AGO
DAZ DEBORAH ZELEK
1 YEAR AGO
I went to follow your instructions for running a scan in the command prompt. Well, it says I am not the "Administrator". Hmmm, how in the heck can that happen? I
had people call on the phone and say my computer has been hacked by Russia and China. OK, how in the hell do you know that? They showed some things through the
command prompt. So, I want to try this scan of yours and it won't let me.
D LAGEL
1 YEAR AGO
When people -call- you to tell you that you are hacked.... you are probably the victim of an ongoing attempt to hack you; there is no way in the world that the phone call
you received is legitimate.
A quick thing you can try is to open the start search menu, type CMD, then right-click on it and select "Run as Administrator". If that does not allow you to run it,
my (noobish) guess is that something is wrong.
"They showed you something through command prompt''. What exactly did they show? How did they show you? Did they tell you to type some commands? Or
did they use your computer remotely?
What OS are you running? Did the callers say who they are?
HANIF TARIQ BALLARD
1 YEAR AGO
I'm stupid when it comes to this stuff. I panicked and called and let someone take control of my computer. He did use the command prompt remotely via TeamViewer.
The same thing happened to my grandmother last year. He showed me IP addresses. Wasn't specific, just alluding to the fact that my computer was being hacked,
saying that the other IP addresses should all have 0's. Then he tried to sell me stuff. But I'm poor and in college. I have no info on the computer, but I'd like to use it
next semester, so I'm resetting/wiping the hard drive.
MARIANO TENREIRO
10 MONTHS AGO
IZRAUL HIDASHI
2 MONTHS AGO
Half of these questions wouldn't even need to be asked if people actually tried reading and understanding. And some of them are just ... well,... ignorant.
"How do I hack my fridge, t.v., oven and microwave"... Really? Maybe the couch and toilet too?
sigh
IZRAUL HIDASHI
2 MONTHS AGO
The first thing people should do if using "Win" is turn off the auto and remote services, and then go from there. I pretty much disable anything without
dependencies. I find a lot of crap is a result of MS and McAfee.