LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
Old 12-10-2009, 11:52 PM   #1
lupusarcanus
Senior Member
 
Registered: Mar 2009
Location: USA
Distribution: Arch
Posts: 1,022
Blog Entries: 19

Rep: Reputation: 146
How to tell if my system is getting compromised by a cracker.


Hey guys.
I have three related questions about defensive measures against a potential hacker/cracker.
(1.) What are some tell-tale signs of a potential invasion?
For example: I'm on Ubuntu 9.10 going about my business when my mouse begins to freak out and a program closes without my administration. What's the likelihood that I may be getting hacked into?
Or another example is I'm running Windows XP SP3 and the system suddenly becomes somewhat unstable and redirection in the browser happens. What's the likelihood that I may be getting hacked into?
(2.) How can you be sure? Is there a command I can run? Would netstat show the hackers IP address?
(3.) Possible countermeasures?

Sorry for the possibly vague and multiple sub-questions. I just can't seem to find any conclusive Google URL giving me something to use in defense. I do know it's not always possible to find out if you're getting hacked into or not, and I know that also most of the responsibility and spawned likelihood falls on the end-user. I'm fairly smart on my decisions but I just want to have some solid knowledge to rely upon. Also I apologize for any improper grammar. Thanks LQ!

Last edited by lupusarcanus; 12-10-2009 at 11:53 PM.
 
Old 12-11-2009, 12:33 AM   #2
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,356

Rep: Reputation: 2751
You prob want to use the Report button to ask the mods to move this to the Security forum.
 
Old 12-11-2009, 05:16 AM   #3
Le Beastie
LQ Newbie
 
Registered: Mar 2005
Location: Way out there
Distribution: Ubuntu 9.10
Posts: 25

Rep: Reputation: 16
A few random thoughts:
- One of the best defenses against crackers is to set up a robust software firewall (in Linux, this would be done using iptables). Since the syntax for iptables itself can (as I understand it) be rather difficult to master, you almost certainly want to start with a more accessible front-end, such as ufw or firestarter. On Windows, I'd recommend zonealarm and/or comodo (both free). In either OS, you want to lock down every single incoming port (assuming you're not running a server), so that no one from the outside world can so much as try to connect to your machine. Even if you are running a server, you should lock down every incoming port that you're not using.

- On both OSs, set up and use fairly long, complex passwords for account logins. Crackers love to exploit weak passwords - and if you don't have a login password at all (Windows), you're issuing an open invitation to worms, automated exploit scanners, and crackers of every stripe.

- Also on both OSs, keep all of your software updated at all times. Most avenues of attack exploit security holes in various commonly-used applications (Adobe and IE on the Windows side) - holes which software vendors are constantly trying to patch. The more up-to-date you are in your patching, the fewer opportunities you provide for nasty things to slither onto your machine.

- In Windows, you might try taking a gander at the list of running processes once in a while; malware often manifests itself as bizarrely-named executables that can sometimes be identified on the basis of name alone (malware executables often adopt names which are very similar to names of critical system files/processes, or which imply that the malware itself is in fact part of an anti-malware engine. The people behind these bugs are shameless).

- Generalized instability is never proof positive that your system has been / is being compromised. Heck, on Windows, instability is a core "feature" (sorry; couldn't resist).

There's much more to say on the subject of security, but hopefully these pointers will get you started. If you want to get a feel for the kind of techniques malware writers often use on the windows side, you can take a look at my blog, where I've profiled one common avenue of attack (and devised a strategy for how to deal with it).
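The "lock down every incoming port you are not using" advice above, as an added example that is not part of the thread or any poster's code: a small shell script that generates a default-deny iptables ruleset in iptables-restore format, so the rules can be read before they are loaded. The choice of conntrack states, the sample port list and the ufw commands in the comments are my assumptions about a typical single workstation, not anything the poster wrote.

```shell
#!/bin/sh
# Added example, not from the thread: build a "default deny incoming" ruleset
# of the kind post #3 recommends, in iptables-restore format, so it can be
# reviewed before it is applied. Ports passed in are the only TCP services
# allowed in; everything else inbound is dropped.
# ufw equivalent (assumed typical usage):
#   ufw default deny incoming; ufw allow 22/tcp; ufw enable

# valid_port: returns 0 if $1 is an integer in 1..65535, 1 otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_ruleset: print the ruleset for the given allowed TCP ports
# (no arguments = a pure client: nothing listens, nothing is let in).
# Returns 2 on an invalid port so a typo can never silently open a hole.
gen_ruleset() {
    for p in "$@"; do
        valid_port "$p" || { echo "gen_ruleset: bad port '$p'" >&2; return 2; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'       # default policy: drop unsolicited inbound
    echo ':FORWARD DROP [0:0]'     # a workstation does not route
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Usage (as root, after reading the output):
#   gen_ruleset 22 > /tmp/rules.v4 && iptables-restore < /tmp/rules.v4
gen_ruleset 22
```

Running `gen_ruleset` with no ports gives the client-only ruleset the poster describes; each extra argument opens exactly one inbound TCP service, and a non-numeric argument aborts the whole generation rather than producing a partial file.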
 
Old 12-11-2009, 06:48 AM   #4
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
1. There might be none if the cracker is smart. He will just r00t your server and use it for his own black purposes.
2. You can't be sure of anything, if the cracker is smart.
3. That won't work out if the cracker is smart and he planted his hand-made rootkit in.

To really be on topic, I rarely met cracks that smart, so ...
1. Again, there are usually none. Linux malware's general purpose is to silently do some work: steal passwords/configs/etc. and send them somewhere, or it can sniff traffic or do spamming. If someone wants destruction, he will probably try to rm -rf ~ in his malware. So you will see files are missing or the system won't boot correctly.
2. From root, check modification dates on executable files (like ps, who, netstat), run traditional ps aux and check for some unwanted processes, netstat -anp and check for unwanted LISTENing ports or some weird connections. Run who to see who is now on this server. Might be a good place to start.
3. Depends. First you need to establish if there is a threat and what kind.
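The checks listed in point 2 of the post above, scripted as an added example (not the poster's code) so they can be re-run and compared: `netstat -anp` output is read from a constructed sample, and the "modification dates on executable files" check compares binaries against a reference file's mtime in a throwaway directory. The allowlist of ports 22 and 631, the 192.168. local prefix and the process names in the sample are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: the checks in post #4 scripted so they
# can be run repeatedly and compared. Sample netstat output is constructed;
# the port allowlist and "local" prefix are assumptions for the demo.

# audit_sockets: read `netstat -anp` output on stdin. Print listening sockets
# whose port is not in the allowlist ($1, space separated) and established
# connections whose peer is outside the local prefix ($2) or loopback.
audit_sockets() {
    awk -v allow="$1" -v local_prefix="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $6 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)            # works for 0.0.0.0:22 and :::22
        if (!(port in ok)) print "UNEXPECTED-LISTEN", $4, $7
    }
    $6 == "ESTABLISHED" {
        peer = $5; sub(/:[0-9]+$/, "", peer)
        if (index(peer, local_prefix) != 1 && index(peer, "127.") != 1)
            print "REMOTE-PEER", $5, $7
    }'
}

# audit_binaries: $1 is a reference file whose mtime marks the last trusted
# update; every other argument is a binary to check. Reports files that are
# newer than the reference (possibly replaced) or missing (possibly removed).
# Caveat: an attacker with root can reset mtimes, so this is a cheap first
# pass, not proof of integrity.
audit_binaries() {
    ref=$1; shift
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"
        elif [ -n "$(find "$f" -newer "$ref")" ]; then
            echo "MODIFIED $f"
        fi
    done
}

# Constructed sample in `netstat -anp` layout: sshd and cupsd are expected,
# "unknownd" listening on 9999 and talking to 203.0.113.7 is not.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      905/cupsd
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      2210/unknownd
tcp        0      0 192.168.1.10:22         192.168.1.5:50122       ESTABLISHED 2301/sshd
tcp        0      0 192.168.1.10:44210      203.0.113.7:6667        ESTABLISHED 2210/unknownd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           771/dhclient'

# demo_binaries: builds a throwaway directory standing in for /bin so the
# mtime check can be exercised without touching the real system.
demo_binaries() {
    d=$(mktemp -d)
    touch -t 200901010000 "$d/baseline"   # "last trusted update" marker
    touch -t 200901010000 "$d/ps"         # unchanged since then
    touch "$d/netstat"                    # modified after the baseline
    audit_binaries "$d/baseline" "$d/ps" "$d/netstat" "$d/who"
    rm -rf "$d"
}

# On a live box: netstat -anp | audit_sockets "22 631" "192.168."
printf '%s\n' "$SAMPLE_NETSTAT" | audit_sockets "22 631" "192.168."
demo_binaries
```

On the sample, the script flags the listener on port 9999 and the connection to 203.0.113.7, both owned by the same process, which is the pattern the poster means by "unwanted LISTENing ports or some weird connections"; the mtime pass reports `netstat` as modified and `who` as missing while leaving `ps` alone.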
 
Old 12-11-2009, 07:52 AM   #5
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323

Rep: Reputation: 100
XP SP3 Windows odd behavior is usually caused by malware/spyware/adware; I would say on the Linux machine it is less likely to be something along those lines. Basically there are two reasons, scratch that, three reasons someone writes malware or tries to compromise your system.

1)To see if they can do it/prove they can do it, because they can. Usually not intent on causing harm or issues, might play innocent pranks.

2)To cause harm or destruction because it's fun and they get enjoyment out of it, they would love to see as many computers down as possible. (includes things like worms, traditional virii)

3)Money, this is broken down into two categories.
a) For lack of a better term the "honest" malware writer: they write software like fake anti-virus or fake malware protection, it gets installed on your system and bugs you until you pay them for the BS software or remove it via other means. They make money through your purchase, and more than likely by selling the credit card numbers afterwards.
b) Dirty Rotten Scoundrels: their software will have no sign of installation or almost none, it will be hard to track down, you may only know it exists by anti-virus scans or malware scans, you may not know it exists at all. They will write software that will do everything it can to stay out of your way, while silently snooping on you or lying in wait. These guys are after your identity, your banking info, your CC info, email passwords, you name it. Or alternatively they will have their software lying in wait to be used to attack some other site, or send out spam. It will of course do this only at times you won't notice, like while sleeping when it is on or during the shutdown process, etc...

Ultimately remember that in your individual PC's case it is even less likely someone is trying to actively hack into your system unless it is a "because I can" or "to cause destruction" reason. When it comes to the financially motivated bad guys, they would rather you download something bad and passively have access to your system; why spend time on your system when they could be trying to get into abc company that has thousands of records on people with their SS#, DOB, full name, maybe some CC info.

Understanding these things lets you consider possible countermeasures. First, if you are already infected any countermeasures may be moot; at that juncture you may not ever be 100% sure you are clean even after multiple virus scans from various vendors and malware scans with various products. Even once you have active protection it is not a 100% guarantee, but it greatly reduces the chances of infection. Your chances are also reduced running Linux or Unix or Mac, or AIX, or anything other than Windows, because less malicious software is written for those platforms due to the small market share compared to Microsoft. Other than running your own spam/virus filtering on mail, standard anti-virus, using a solid firewall, perhaps behind a NAT router with a firewall as well, good practices with usernames and passwords, and maybe hardening your distro (though some of these measures take away usability), I am not sure what else you could do on Linux to secure it. On the Windows side make sure you follow good password practices, have AV, and use malware protection; my favorites are antimalwarebytes, Spybot Search and Destroy, and SpywareBlaster by Javacool software.
 
Old 12-11-2009, 08:04 AM   #6
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Mint
Posts: 17,809

Rep: Reputation: 743
Moved to Security
 
Old 12-11-2009, 12:04 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by leopard
What are some tell-tale signs of a potential invasion?
Usually it'll involve reconnaissance ranging from shoulder-surfing to network probes. A large portion of crackers will be looking for quick wins and as such will go for what their subnet scan returns. So network recon-wise, on a "regular" host you'll see anything thrown at the machine, from SSH scans to recent vulns in popular web stack apps to completely clueless full "hey, let's see what's out there" mcrsft-targeting scans. For years the majority of security breaches also haven't concerned root but whatever the web stack holds that they can tack their bot or spam stuff onto. (Dedicated crackers taking on specific jobs like industrial espionage and that kind of well-paying stuff you probably will never see.) Your example is similar to past-millennium pranks played on mcrsft users: while noisy, most crackers still will want to go unnoticed. Wiggling your mouse may seem like a nice joke but isn't in their best interest.


Quote:
Originally Posted by leopard
I'm running Windows XP SP3
There's other fora for issues with POS (aka the Pitiful Operating System) like /General.


Quote:
Originally Posted by leopard
How can you be sure? Is there a command I can run? Would netstat show the hackers IP address?
Keep your machine updated at all times, harden it properly before attaching it to the 'net and audit it regularly afterwards. See the Intruder Detection Checklist (CERT): http://web.archive.org/web/200801092...checklist.html and the LQ FAQ: Security references at http://rkhunter.wiki.sourceforge.net/SECREF?f=print.


Quote:
Originally Posted by leopard
countermeasures?
If you mean adjusting your access restrictions (hosts, firewall, fail2ban, et cetera) that's OK but retaliation won't work. A cracker may have been using intermediaries and if you manage to taunt one you don't know what you're in for ;-p
 
1 members found this post helpful.
Old 12-17-2009, 12:09 PM   #8
mejohnsn
Member
 
Registered: Sep 2009
Posts: 174

Rep: Reputation: Disabled
Quote:
Originally Posted by scheidel21
XP SP3 Windows odd behavior is usually caused by malware/spyware/adware; I would say on the Linux machine it is less likely to be something along those lines. Basically there are two reasons, scratch that, three reasons someone writes malware or tries to compromise your system.
Many good suggestions here.

I have two to add though, the first is really only a clarification of what was already covered.

1) If your WinXP system has already been attacked, don't give up on it yet: run not just one, but at least two relatively high quality anti-virus tools (NB: not Norton! Try AVG or Anti-Vira) and two anti-spyware/anti-malware tools (Superantispyware is the one I use regularly) using up-to-date data (sometimes called 'signature') files downloaded from the vendor.

I keep install files for these on a USB stick so that I can resuscitate a system should the need arise.

2) Clever though the little buggers are, they usually don't take the extra level of effort required to deal with 3rd-party logging software.

That is, they can rewrite the standard Linux logs to cover their tracks, but they usually don't do this for a third party log. So get one and run it on your Linux system. This will make it much easier to detect them.

The second idea I got from "Maximum Security" by 'Anonymous', published by SAMS. The book is worth reading.

Last edited by mejohnsn; 12-17-2009 at 12:11 PM. Reason: spelling fixes
 
Old 12-17-2009, 12:36 PM   #9
DotHQ
Member
 
Registered: Mar 2006
Location: Ohio, USA
Distribution: Red Hat, Fedora, Knoppix,
Posts: 548

Rep: Reputation: 33
From the problem description I suspect you have not been hacked or cracked. One tool I use frequently to check up on things: from the command prompt on your Linux box, type:
last
This will show all the users who logged in and what IP address they originated from.
If the output is too long and streams off your screen, simply pipe it to more:
last | more

Hope this helps.
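An added example, not DotHQ's code, that goes one step beyond piping `last` into `more`: it reduces `last` output to the logins that came from outside your own network plus a per-user, per-source count, which is what you are really scanning for when you read `last` by eye. The sample `last` output, the user names and the 192.168. local prefix are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: `last` output (constructed sample below)
# reduced to what post #9 is really after, which logins came from where.
# The "local" prefix is an assumption for the demo; on a real box pass your
# own LAN prefix.

# audit_logins: read `last` output on stdin; $1 = prefix of addresses treated
# as local. Prints one REMOTE-LOGIN line per session from outside that prefix
# and a SEEN summary (user, source, count) in first-seen order.
# Assumption: a 3-letter capitalised third field is a weekday, i.e. a console
# login with no source host; adapt the test if your hostnames look like that.
audit_logins() {
    awk -v local_prefix="$1" '
    NF == 0 || $1 == "reboot" || $1 == "wtmp" { next }   # boot records, trailer
    {
        host = ($3 ~ /^[A-Z][a-z][a-z]$/) ? "console" : $3
        when = (host == "console") ? $3 " " $4 " " $5 " " $6 : $4 " " $5 " " $6 " " $7
        key = $1 " " host
        if (!(key in seen)) order[++n] = key
        seen[key]++
        if (host != "console" && index(host, local_prefix) != 1)
            print "REMOTE-LOGIN", $1, host, when
    }
    END { for (i = 1; i <= n; i++) print "SEEN", order[i], seen[order[i]] }'
}

# Constructed sample in `last` layout: two LAN logins by alice, one console
# login by bob, and a root login at 03:14 from an address outside the LAN.
SAMPLE_LAST='alice    pts/0        192.168.1.5      Thu Dec 10 22:15   still logged in
alice    pts/1        192.168.1.5      Thu Dec 10 09:02 - 11:40  (02:38)
root     pts/2        203.0.113.7      Wed Dec  9 03:14 - 03:20  (00:06)
bob      tty1                          Tue Dec  8 18:00 - 20:12  (02:12)
reboot   system boot  2.6.31-14-generic Tue Dec  8 17:58 - 22:15 (2+04:17)

wtmp begins Tue Dec  1 00:00:01 2009'

# On a live box: last | audit_logins "192.168."
printf '%s\n' "$SAMPLE_LAST" | audit_logins "192.168."
```

The one line that matters in the sample, a root session from 203.0.113.7 in the small hours, surfaces as a REMOTE-LOGIN entry; the SEEN lines give the baseline of who normally logs in from where, which is what makes the odd entry stand out on a busier machine.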
 