How to detect hacking?

How do you find out if you are being hacked or have been hacked? Is hacking something you can monitor and control? Everyone says do this to prevent hacking and do that (firewall and antivirus), but no one actually tells how hackers get through and how they stay there.
Can someone please explain what the telltale signs of hacking are, and what the steps are to monitor and detect hacking? I know preventing is better, but unless you know the methods of a hacker you cannot prevent it.

Can some security guru guide this newbie to look out for hackers and catch them in the act :) (OK, I got a bit carried away.) But I want to know how hacking works and how to detect it. I know how to prevent it (firewall, closed ports, event logs, stealth ports, etc.).
Thank you
Commented:
Here are a couple of really good links. I would recommend taking a course if you really want to get good enough to try catching an intruder.

http://www.snort.org/
http://www.sans.org/resources/idfaq/
jakosysadmin

Commented:
"... unless you know the methods of a hacker you cannot prevent it ..." <-- not entirely true. Sure, it would help, but there are millions of people around the world applying hacking prevention on their computers with varying degrees of success every day while not even being sure what for or why they do it. They're just following the general trend that is considered a Good Practice.
TolomirAdministrator
Top Expert 2005

Commented:
If you need full protection from malware, try (1).

In combination with ZoneAlarm Pro (2) + a decent antivirus like NOD32 (3)

you are quite secure from malware (i.e. automated hacking software).

Against real directed hacking attempts you should make sure you don't have ports open on your computer (4).

Also make sure you have Windows Update enabled (5).

Tolomir

(1) www.superantispyware.com
(2) http://www.zonealarm.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp
(3) http://www.eset.com/products/index.php
(4) https://www.grc.com/x/ne.dll?bh0bkyd2
(5) http://www.microsoft.com/protect/computer/updates/mu.mspx
Top Expert 2007
Commented:
From Grinler's tutorial, "Have I Been Hacked?"
http://www.bleepingcomputer.com/tutorials/tutorial24.html

Almost every remote hack involves leaving a program behind that will allow them to get back into your computer regardless of whether or not you fix the security problem that let them into your computer in the first place. The only time a hacker does not leave something behind is if they are hacking your computer for specific information or an item.
The programs that they leave behind are IRC clients that they can control from a channel on an IRC server, or a Backdoor/Trojan.

Since these clients or Trojans must listen and wait for connections from the hacker, they must listen on a TCP or UDP port. With that in mind, the tools that I list above come into play. Using Fport or TCPView will allow you to see what TCP/UDP ports are open and listening on your computer and what program is using those ports.

To see what programs are running and are listening on TCP/UDP ports you would use Fport or TCPView.

The utilities that can help detect if you're being hacked:
FPort -- This is a console utility that is run from the command line. When you run it, it will list all listening TCP/UDP ports on your system and the program that is using those ports.
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/freetools.htm

TCPView: Similar to FPort, but it shows a graphical interface. This program not only shows listening ports, but also established, pending, and closing connections.
http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Process explorer:
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
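The check the tutorial above describes (compare the listening TCP/UDP ports and their owning programs against what a clean machine should show) as an added example, not code from the tutorial or from Foundstone: a small Python script that parses Fport-style output and flags listeners that are not in a known-good baseline. The sample output, the baseline triples, and the heuristics (IRC port range, binary running from a Temp directory) are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Set, Tuple

class Listener(NamedTuple):
    pid: int
    process: str
    port: int
    proto: str
    path: str

# Constructed sample in Fport's column layout (Pid Process -> Port Proto Path); not real output.
SAMPLE_FPORT_OUTPUT = """
Pid   Process            Port  Proto Path
4     System         ->  445   TCP
1040  svchost        ->  135   TCP   C:\\WINDOWS\\system32\\svchost.exe
1880  msnmsgr        ->  1863  TCP   C:\\Program Files\\MSN Messenger\\msnmsgr.exe
2212  winupdate      ->  6667  TCP   C:\\WINDOWS\\Temp\\winupdate.exe
1040  svchost        ->  123   UDP   C:\\WINDOWS\\system32\\svchost.exe
"""

# One Fport data line: "<pid> <process> -> <port> <proto> <optional path>"
_LINE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")

def parse_fport(text: str) -> List[Listener]:
    """Parse Fport-style output; the header line and blank lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            listeners.append(Listener(int(pid), proc, int(port), proto, path.strip()))
    return listeners

# Baseline recorded on a known-clean machine (constructed): (port, proto, process) triples.
BASELINE: Set[Tuple[int, str, str]] = {
    (445, "TCP", "System"), (135, "TCP", "svchost"), (123, "UDP", "svchost"),
}

def flag_listeners(listeners: List[Listener], baseline=BASELINE) -> List[Tuple[Listener, List[str]]]:
    """Return (listener, reasons) for every listener that deviates from the baseline."""
    findings = []
    for l in listeners:
        reasons = []
        if (l.port, l.proto, l.process) not in baseline:
            reasons.append("not in baseline")
        if 6660 <= l.port <= 6669:           # bots left behind are often IRC clients
            reasons.append("IRC port range")
        if "\\temp\\" in l.path.lower():     # legitimate services rarely run from Temp
            reasons.append("runs from a Temp directory")
        if reasons:
            findings.append((l, reasons))
    return findings
```

A listener that is merely "not in baseline" (the messenger client here) needs a manual look; one that also sits on an IRC port and runs from Temp is the kind of leftover the tutorial describes.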


Commented:
Let's look at it more as an intrusion detection issue rather than a hacking one. Nearly all of the problems you will find are either related to unpatched/un-updated software or social 'hacks' where someone talks you out of some secure information. Make sure everything is patched and updated first.

To check a host for odd traffic use Ethereal (http://www.ethereal.com).  It will identify all traffic going to/from a host or network (with port mirroring on your switch).  It is FREE.

To protect an individual host use Comodo Personal Firewall (http://www.personalfirewall.comodo.com/).  Sorry to chop someone's answer up, but ZoneAlarm and others don't do what Comodo's product will right out of the box.  It is FREE.

samiam41 is right on with Snort; it is THE network anomaly detector. A company I know has spent tens of thousands of dollars on name-brand equipment that runs the two open source applications:

Snort - an enterprise-quality IPS/IDS solution that will notify you of traffic anomalies. It is THE tool for this. It is FREE.
Nessus - another enterprise-quality product that will scan a network looking for holes. Many 'security' auditing companies merely use Nessus to check your network. You guessed it, FREE.
