A lot of activity towards Win2000 IIS in DMZ on port 80.
Besides regular traffic, I have scanning on the computer towards standard settings like script folders, files etc.
I have standard IIS logging and a eventlog that indicates unautorised attacks from Spain and USA.
How might i track the hacker on my systems?
Honeypot is ok, but I need othe systems that is free.
How may I deside if I have been hacked or not?
I have only opened for port 80 to the DMZ.
Netstat commands shows nothing that is not legal.
I'm concerned for any rootkits, keyloggers, backdoors etc..
I have scanned, and not findings by Norton, Norman, Housecall or Panda,have also scanned with pest patrol, nothing found, but when thinking of what a "binder" could do.
I'm concerned.. Any tips?
Please help..
Trond
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Get HijackThis... http://www.spywareinfo.com
Run it and post the log here.
I'm guessing if the traffic is incoming, that it's other infected computers trying to infect you.
If you're patched on IIS, IE, and Windows, you should be safe, but post your HiJackThis log here anyway, to make sure. I'll check it out for ya.
You could scan yourself with the tools most hackers are using, and see if your vulnerable
Nessus
and
GFI Languard are very popular.
McAfee has definitions beyond what Norton has, it can pick up keyloggers and password crackers, where notron and many others do not.
Even though port 80 is all that is open, M$ IIS and M$ SQL are the top 2 exploits on the net... so be sure your patched up with all M$ patches and updates, and run these tools to help clamp down on IIS. http://www.microsoft.com/d
IP spoofing, works, but not in a way that hackers would like. You can spoof where your coming from, however if you do, nothing get's returned. What hackers do though that works better, is hack one PC, then hack another, and another, each time jumping from the new hacked pc the the next, this makes the tracks a little harder to trace, and allows data to get back to the hacker to use. Most DOS can use the benefit of spoofed source address, since you don't care to get the info back, you just want to flood...
Back to your question... there are ways to tell, usually by your servers behaving weirdly, or files out of place or missing, your web page being over written etc...
A tool like TDS3 is very good at heuristics and finding malicious programs or scripts. Anti-Virus software such as McAfee AV is great... but nothing beats a self audit with all the latest tools and tricks. I recommend the "Hacking Exposed" Series of books... not sure if they are translated into other languages yet though...
http://nsa2.www.conxion.co
-rich
You might want to check out Microsoft Knowledge Base Q49500 at http://support.microsoft.c
A good tool maybe worth looking into is called The Cleaner by MooSoft Development (http://www.moosoft.com/cl
When it comes to using netstat, although it may be a decent tool to use in determing what is connected to your computer, its weakness comes in that it doesn't really tell you what is really listening on the ports. A prominent group called Foundstone (http://www.foundstone.com
Example with netstat:
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 192.168.1.216:139 0.0.0.0:0 LISTENING
...
UDP 0.0.0.0:31337 *:*
In this example, something is connected to port 31337, which is actually the popular trojan called Back Orifice. But, a typical user would not know that if (s)he didn't know what port Back Orifice connects on.
Example with fport:
PID NAME TYPE PORT
--------------------------
222 IEXPLORE UDP 1033
224 OUTLOOK UDP 1107
...
245 MAPISP32 UDP 0
266 nc TCP 2222
Through using a tool like fport in this example, we can see that someone is listening on your system using a popular hacker tool called netcat on port 2222, which would have only been identified by just a port number using netstat.
When it comes to checking backdoor port numbers, I would recommend checking these sites out:
http://www.tlsecurity.net/
http://www.commodon.com/th
http://www.chebucto.ns.ca/
Another thing that might be good to check out is checking your Process List after hitting Ctrl Alt Del, and seeing if tools like nc, WINVNC.exe, etc. are running on your computer. Hope this helps and good luck.
Assuming you're using a router or some other 'hardware' firewall, I would reccommend downloading and installing a software firewall on the "DMZ" computer.
Good ones can be found at http://www.zonelabs.com (ZoneAlarm), http://www.sygate.com (Sygate's Personal Firewall), or http://www.kerio.com (Kerio's Personal Firewall). However, if your computer is part of a commercial network, you will need to purchase their "Pro" versions. This way, you're keeping your setup legal. And, in some cases, the Pro version is better anyhow.. It has more features and better tech support than their 'free' versions.
Personally, I've used all three. If you're paranoid about what's happening on your computer, then Kerio is for you.. It monitors and applies security settings to internet connections, network connections, and even programs on your computer (at it's strongest settings). If you want simple "Set it and Forget it" then Zone Alarm is probably the one for you.. However, Sygate is fairly close to Zone Alarm in the "Set it and Forget It" concept. I can't reccommend one over another, because I like all three.. And, each has it's advantages depending on the situation I am using it in.
The only software-based firewall I won't reccommend at all is "Black Ice".. I've seen too many security issues concerning this firewall, and Not enough fixes for them.. It's almost like not having one at all.
Finally, is there a specific reason the computer is in a DMZ state? Is it possible to configure your hardware firewall to allow you to open the ports you need, without having to set the computer outside of the safety net it provides? That's another option to look into.
Hope this helps you.
Patrick.
Business Accounts
Answer for Membership
by: Cyber-DudePosted on 2004-06-10 at 13:03:37ID: 11283309
Trond,
Had the same problem a couple a years ago... Todays hackers are using IP spoofing in-order to mimic true IP from other areas of the world and you wont be able to track them without the propper knoledge...
You mentioned DMZ... which means you are using Firewall... which Firewall is that?
Cyber