kobaltin

How to trace a hacker?

20 posts in this topic

I suspect, or rather I'm pretty sure, that someone controls my computer. I need to find out who's doing that, somehow find him/her. Because I'm unfamiliar with this topic altogether, I am trying to find someone experienced who would be able to help me with this. I'd be very grateful for any progress; I'm becoming really hopeless..

Besides, I would like to say that I can learn new things pretty well, and if someone capable is willing to help, I believe that you will not be bothered with idiocy too much.


It is hard to say without more information such as network topology, how many systems have been compromised, and what operating systems have been compromised.

The first thing I'd do is start capturing traffic on the LAN/WLAN, looking for traffic going to a machine that shouldn't be on the WLAN or suspicious traffic going out to the Internet. For example, a lot of traffic going to a Chinese IP address from port 1337 would be a dead giveaway. From there you could use tools such as TCPView, Autoruns, and Process Explorer to look for remote connections, where malware could be starting from, and current processes that could be malware.

Truthfully, if I knew for certain a box had been compromised, and the attacker showed some sophistication, I'd format/reinstall and change all passwords. There is always the chance of a 0-day rootkit and other stuff that may evade detection. A lot of people will probably disagree with this method, but I'd rather have the feeling of absolutely knowing my box is secure.

EDIT: I'd also give the system a thorough scan for malware and viruses. Bitdefender has a decent online virus scanner, and a trial of NOD32 can be picked up from eset.com with a fully functional 30-day trial. It might also be a good idea to use a host-based firewall as well. Kerio Firewall is my favorite for Windows, and the trial version is (or at least was) unlimited, but with a nag screen and disabled advanced features.

Edited by tekio


Yeah, that's usually the only foolproof, sure-fire way to ensure that all traces have been removed: a format and clean install.


First, I apologise for my slowness; I can't speak English very well, and I have also posted this topic on some other forums. Well, I'll explain my suspicion more closely to make it clearer that I'm not chasing fiction. Quite a lot of weird things happen on my PCs, so I won't mention everything. The fact that all of it CAN be interpreted as coincidence makes me crazy. So for example:

1. At one time my computer was spontaneously rebooting several times a day. Without apparent reason it stopped by itself again.

2. I was looking for a job in one city, and every time I opened any offer in that place (on different sites), the browser crashed. Other sites worked fine.

3. While communicating through ICQ, the keyboard often switches to a different language, so I can't write correctly. It happens mostly when talking to one person, and at times when things are somehow tense between us. This never happened to me before, and I have used ICQ for about 10 years..

4. One day the computer failed to start. I decreased the overclocking, which had run stably before, and it works again.

5. Once I was playing a game, and every time I made a mistake through inattention (like missing the turn onto the road, or dying), the game crashed. It happened many times in a row, so I had to stop playing. And again, it works fine now without apparent reason.

etc....

I installed a new OS, but these anomalies are still here. And it happens on both of my PCs, in all three systems:

1. Board ASUS A7N8X-X, AMD Athlon XP 2500+, Radeon 9800, Seagate HDD, OS XP, antivirus NOD32, firewall NetLimiter 2

2. DFI NF4 Infinity, AMD Opteron 144, Radeon HD 4850, 2x Seagate HDD, Samsung HDD, OS XP + 7; antivirus and firewall in XP as above, and in 7 without anything.

My home network consists of an ADSL router and a switch.

I've already tried something:

1) "netstat -no" in the Command Prompt gives me this:

Active connections

  Proto  Local Address      Foreign Address      State      PID
  TCP    10.0.0.4:49577     205.188.0.60:5190    connected  2344
  TCP    10.0.0.4:49579     205.188.0.77:5190    connected  2344
  TCP    127.0.0.1:49398    127.0.0.1:49399      connected  1888
  TCP    127.0.0.1:49399    127.0.0.1:49398      connected  1888
  TCP    127.0.0.1:49400    127.0.0.1:49401      connected  1888
  TCP    127.0.0.1:49401    127.0.0.1:49400      connected  1888

I don't have the listed PIDs (2344 and 1888) in Task Manager; what does that mean? There are only some different numbers.

2) NOD32 found some infiltrations, but only in files that I have had on my PC for years, and they didn't cause any problems before.

Thanks for your advice.

Edited by kobaltin

First, some of the symptoms you described sound a lot like a hardware issue. You can try testing the memory with memtest86 and cleaning all the contacts and sockets of the CPU and RAM with a can of compressed air. Also, make sure you've got the most current video drivers from ATI. Other than that, I could only suggest looking at the power supply and increasing the voltage to stabilize the OC (if you don't know how, or don't know the voltage specs for your CPU, don't play with it; you could easily fry the CPU. Or just don't OC the thing.). The easiest thing to do is take out all the RAM and test each piece individually, and swap out various other hardware. Hardware problems can easily start "all of a sudden" and can be a pain to diagnose without the right equipment or secondary pieces of hardware to swap out. To test whether the overclock is stable I'd run Prime95 for at least 24 hrs (really a few days is better; any errors/kernel panics on an OC'd system are unacceptable).

What are those two connections to 205.188.0.60 (they are going to an IP from AOL)? If you're not sure, find out what process is making them and do some research to find out if they are valid. The Sysinternals tools I mentioned are more robust than netstat and Task Manager. What you want to do is find the executable responsible for the running processes/connections and make sure it is not malware. Using TCPView, the path to the executable as well as the PID are shown. To start, I suggest checking all Windows protected files: from the command line type sfc /scannow; you'll need to insert your Windows XP install CD. From there you can validate each executable making connections to the Internet by hand, using Google. First google the file name to see what you can find. If that is no help, determine what the file is doing, and why it needs to make outbound or accept incoming connections.

You mentioned there were some infections found? Was this before or after you reinstalled the operating system? If after, you're probably installing the same infected software, or your install CD has been compromised (run the validation check). What infections were found? Something being there for years with no visible effects does not equal secure. It is totally possible for malware to lie dormant for any specified amount of time, then perform malicious actions at any specified date or time. Your system was obviously compromised at one point. Do some research to figure out exactly what the infection does to your system.

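The two posts above boil down to one procedure: take the connection list, find the PID behind each remote connection, and resolve that PID to an executable you can then vet. The following is an added example written for this thread (not a tool any poster used) that does exactly that from the text of two commands you can run in a Command Prompt, `netstat -no` and `tasklist /FO CSV /NH`. It also answers the "PIDs are not in Task Manager" question in passing: on XP/7 Task Manager hides the PID column until you turn it on under View > Select Columns, while `tasklist` always prints it. The sample data is constructed: the two port 5190 connections mirror the ones posted, and the 1337 connection, PID 4120 and the UDP row are invented to show the notes firing; `198.51.100.23` is a documentation address standing in for "some Internet host". The `KNOWN_PORTS` table is an assumption to extend for the services you actually use.

```python
"""Correlate `netstat -no` output with a `tasklist /FO CSV /NH` snapshot.

Added example for this thread. Run both commands on the box under suspicion,
save their output, and pass the text to triage().
"""
import csv
import io
import ipaddress

# Constructed `netstat -no` sample (see lead-in for what is real and what is not).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.4:49577         205.188.0.60:5190      ESTABLISHED     2344
  TCP    10.0.0.4:49579         205.188.0.77:5190      ESTABLISHED     2344
  TCP    127.0.0.1:49398        127.0.0.1:49399        ESTABLISHED     1888
  TCP    127.0.0.1:49399        127.0.0.1:49398        ESTABLISHED     1888
  TCP    10.0.0.4:49601         198.51.100.23:1337     ESTABLISHED     4120
  UDP    0.0.0.0:123            *:*                                    1012
"""

# Constructed `tasklist /FO CSV /NH` sample. PID 4120 is deliberately absent.
TASKLIST_SAMPLE = '''"qip.exe","2344","Console","1","31,204 K"
"explorer.exe","1888","Console","1","40,112 K"
"svchost.exe","1012","Services","0","5,880 K"
'''

# Assumed lookup table for destination ports (5190 is AOL's OSCAR, used by AIM/ICQ).
KNOWN_PORTS = {25: "smtp", 80: "http", 443: "https", 5190: "oscar (AIM/ICQ)"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_netstat(text):
    """One dict per TCP/UDP row. The State column is localized on non-English
    Windows ("connected" vs "ESTABLISHED"), so it is kept verbatim, not interpreted."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts and parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts  # UDP rows carry no State column
            state = ""
        else:
            continue  # header, blank line or a layout we do not understand
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from the CSV form of tasklist."""
    pids = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            pids[int(row[1])] = row[0]
    return pids


def split_endpoint(endpoint):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '[::1]:80' -> ('::1', 80); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def classify(host):
    """loopback / lan (RFC 1918) / internet / none (wildcard listener)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "none"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "lan"
    return "internet"


def triage(netstat_text, tasklist_text):
    """Every connection to a real peer, with the owning image and review notes."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        host, port = split_endpoint(c["foreign"])
        scope = classify(host)
        if scope in ("loopback", "none"):
            continue  # local IPC or a wildcard listener: no remote party involved
        image = procs.get(c["pid"])
        notes = []
        if image is None:
            # Usually the process exited between the two commands. If the same
            # PID keeps a connection across repeated snapshots and never appears
            # in tasklist, something is hiding it: TCPView/GMER are the next step.
            notes.append("pid not in process list")
        if scope == "internet":
            notes.append(KNOWN_PORTS.get(port, f"port {port} not in known table"))
        findings.append({**c, "host": host, "port": port, "scope": scope,
                         "image": image, "notes": notes})
    return findings


if __name__ == "__main__":
    for f in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{f['proto']} {f['local']} -> {f['foreign']} [{f['scope']}] "
              f"pid={f['pid']} image={f['image']} {'; '.join(f['notes'])}")
```

Loopback pairs like the 127.0.0.1 rows in the posted output are two ends of one local socket and are skipped on purpose; the image name is only the starting point, and the file it resolves to still has to be checked (path, publisher, signature) as the reply above describes.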

Yes, I know it all could just be a HW problem. The problem is that now I don't have any serious problems, only a little one with switching keyboard languages (it changes the language only for the ICQ client; I use QIP). All the bestialities disappeared BY THEMSELVES. And there were more of them:

6. It happened to me that my LCD turned off and on again within one second. And I don't mean at system or application start, just without any reason. For example I was writing some text and suddenly "flash".. It was several times a day, and it stopped by itself, so now my LCDs work fine.

7. The whole system sometimes freezes with a loud screech from the speakers. And again, it wasn't caused by starting any application or anything... it happened for example while watching a movie.

8. I'd rather not go on with it, so as not to look like an insane person to you... Maybe later.

The anomalies were happening on both of my PCs. There is a very small probability of this happening everywhere: on 2 different PCs with 3 operating systems altogether..

I have overclocked only one PC. And the spontaneous restarts were on the one with the default setup. If it were caused by high temperatures, the PC wouldn't boot immediately after that, because it would need some time to cool down. And in my case it booted directly after that. If it were caused by the system HDD disconnecting due to a bad cable or contact, the system would try to read this HDD and then it would crash with a blue screen. But this is not my case. To be sure that my overclocked CPU is cooled properly, I took an extra fan and put it on the CPU cooler. It didn't have any influence on the problems; they didn't stop because of this.

The connection you mentioned is from my ICQ client (QIP); I found it with GMER. I also ran a scan with this program and it didn't find any hidden processes or other things, except one: "dumpcap.exe", which belongs to Wireshark. I installed it a few days ago, so it has no effect on my problems. I will try a scan with the command sfc /scannow tomorrow. I also ran HijackThis:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:25:35, on 24.10.2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Safe mode

Running processes:
H:\Windows\Explorer.EXE
H:\Windows\system32\ctfmon.exe
H:\Program Files\totalcmd\TOTALCMD.EXE
H:\Users\Petr\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - H:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [AtiTrayTools] "H:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "H:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [Infium] "H:\Program Files\QIP 2010\qip.exe" /autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] H:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] H:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: SpeedFan.lnk = H:\Program Files\SpeedFan\speedfan.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - H:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - H:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - H:\PROGRA~1\MICROS~2\Office12\GRA32A~1.DLL
O23 - Service: AMD External Events Utility - AMD - H:\Windows\system32\atiesrxx.exe
O23 - Service: BWMeter Connections Service (BWMeterConSvc) - Unknown owner - H:\Program Files\BWMeter\BWMeterConSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - H:\Windows\system32\nvvsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - H:\Program Files\WinPcap\rpcapd.exe
O23 - Service: @H:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - H:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - H:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

--
End of file - 3895 bytes

The paradox in the HijackThis log of using ATI Tray Tools while having NVIDIA drivers is that I am now trying to use my older graphics card, a GF6200, to find out whether it has any effect.

I didn't reinstall any system; I installed a new Win7 on a formatted HDD (the old systems are XP). These infiltrations were found on other HDDs in my PC; they are not in system files. I don't exactly remember what infections they were, I think some trojans in warez programs that I used before. BTW, this virus scan was running for over 4 hours with 100% CPU load and everything was fine. Also I can run Prime95 for half a day without any problems. But as you mentioned, to be sure it's better to run it for longer. I will try it.

Edited by kobaltin
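The HijackThis log posted above lists autorun entries (O4 lines) and installed services (O23 lines), which is exactly where the earlier advice to "find the executable responsible and make sure it is not malware" applies. Below is an added example, written for this thread and not part of HijackThis or any poster's toolset, that parses those two line types and surfaces the entries a person should resolve on disk first: an autorun with no directory (so the real binary has to be located via the search path), a path under a user-writable location, a service with no recorded publisher ("Unknown owner"), and services that by design accept connections from other hosts (WinPcap's rpcapd is the one on this log). The sample input takes five lines from the log above and adds one constructed `updater` entry, marked in the comment, so the user-profile check has something to fire on. `REMOTE_ACCESS_SERVICES` and `USER_WRITABLE` are assumed watchlists, not anything HijackThis defines. The script judges nothing as malicious; it only orders the manual checks.

```python
"""Triage HijackThis O4 (autorun) and O23 (service) lines.

Added example for this thread, not HijackThis code. Feed it the text of a
HijackThis log; it returns every O4/O23 entry with the notes a reviewer
would want to clear before trusting the entry.
"""
import re

# Sample input: five lines from the log posted above, plus the constructed
# "updater" entry (not in the real log) to exercise the user-profile check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Infium] "H:\Program Files\QIP 2010\qip.exe" /autorun
O4 - HKCU\..\Run: [updater] H:\Users\Petr\AppData\Roaming\updater.exe
O4 - Global Startup: SpeedFan.lnk = H:\Program Files\SpeedFan\speedfan.exe
O23 - Service: BWMeter Connections Service (BWMeterConSvc) - Unknown owner - H:\Program Files\BWMeter\BWMeterConSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - H:\Program Files\WinPcap\rpcapd.exe
"""

O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?P<rest>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)

# Assumed: path fragments that an ordinary user account can write to.
USER_WRITABLE = ("\\users\\", "\\documents and settings\\", "\\appdata\\",
                 "\\temp\\", "%appdata%", "%temp%")

# Assumed watchlist: services whose purpose is to let another host connect.
REMOTE_ACCESS_SERVICES = {"rpcapd"}


def exe_path(command):
    """Pull the executable out of an autorun command line, dropping arguments."""
    m = EXE_RE.search(command)
    return m.group("path") if m else command.strip().strip('"')


def check_path(path):
    notes = []
    low = path.lower()
    if "\\" not in low:
        notes.append("no directory given; locate the binary via the search path before trusting it")
    elif any(token in low for token in USER_WRITABLE):
        notes.append("lives under a user-writable location")
    return notes


def triage(log_text):
    """Return a list of {kind, name, path, notes} for every O4/O23 line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            rest = m.group("rest")
            bracket = re.match(r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$", rest)
            if bracket:                      # registry Run entry: [Name] command
                name, cmd = bracket.group("name"), bracket.group("cmd")
            elif " = " in rest:              # Startup-folder shortcut: X.lnk = path
                name, cmd = rest.split(" = ", 1)
            else:
                name, cmd = "", rest
            path = exe_path(cmd)
            findings.append({"kind": "O4", "name": name, "path": path,
                             "notes": check_path(path)})
            continue
        m = O23_RE.match(line)
        if m:
            notes = check_path(m.group("path"))
            if m.group("owner").lower() == "unknown owner":
                notes.append("no publisher recorded; check the file's signature and version info")
            if m.group("name").lower() in REMOTE_ACCESS_SERVICES:
                notes.append("remote-access service; confirm it is wanted and where it listens")
            findings.append({"kind": "O23", "name": m.group("name"),
                             "path": m.group("path"), "notes": notes})
    return findings


def needs_review(findings):
    """Only the entries that picked up at least one note."""
    return [f for f in findings if f["notes"]]


if __name__ == "__main__":
    for f in needs_review(triage(SAMPLE_LOG)):
        print(f"{f['kind']} {f['name']}: {f['path']}")
        for note in f["notes"]:
            print("   -", note)
```

A bare `SOUNDMAN.EXE` with no directory is normal for that Realtek entry, and a service with "Unknown owner" is often just a binary without version info; the point of the notes is to say which files to open, hash and look up first, not to declare a verdict.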
I think some trojans in warez programs that I used before

I think you've diagnosed the problem.


First you need to get a big piece of paper. Then you should lay the hacker down on it. Get a writing utensil and follow the outline of the hacker on the paper. Try not to move the hacker while you are tracing. When you have gone all the way around the perimeter, get the hacker to stand up. You should have the outline left behind on the paper. You have now traced a hacker.


I think nobody diagnosed the problem. You laughed at me, so there is reason to laugh at me more. I think now could be the right time to describe my other weird problems; I don't hesitate anymore.. I don't know whether I have gained enough trust from all the people here, but I don't care.

I absolutely understand that, from the point of view of a person who doesn't sit next to it, this is all bullshit.

I don't know how it's technically possible, but even more things happened to me. Like this: in one period of a few weeks, my computer reacted to switching the desk lamp ON or OFF and the speakers ON or OFF. I had just connected two monitors to one PC, and always in the evening (without exception, every night), when I needed to use headphones and switched off the loud speakers, both of my monitors turned off (the light indicator on both turned from green to orange), the computer froze (the Caps Lock indicator on the keyboard didn't react) and the fans inside the case spun up to the max; the Gigabyte HD 4850 has a small fan and at max speed it yells very loudly. The PC stayed in this state until I reset it. Then after booting I turned on the desk lamp, and the same thing AGAIN. Before I went to sleep I turned off this lamp, and if that was before turning off my PC, it happened AGAIN! Then in the morning, when I turned on the speakers, it happened again.. After that, when I experimentally tried switching on the lamp (which is pretty absurd when it was light), nothing happened. So I switched the lamp off, and AGAIN! Altogether I guess this must have happened at least 30 times, probably more... Now it has been all right for a few weeks and it doesn't happen; it stopped spontaneously.

These anomalies occur on my newer PC even with the network cable disconnected; on the older PC I didn't verify it, because I'm not there so often. So it must somehow be through the hardware. The components that I bought later are the 4850 graphics card, 1 GB of RAM and the Samsung HDD. So it must be in one of those components, or somebody did something to my PC during my absence without me knowing. I tried to visually check the graphics card against pictures from the net and I didn't find any difference compared to them. But I'm not saying that it was an absolutely 100% check; I could have missed something..

The desk lamp which caused the "blackout of monitors + spinning fans + freezing" is an 11 W fluorescent tube, and I doubt that this power consumption could overload my power line.. and it was also happening while switching the lamp OFF, i.e. unloading. Furthermore I normally have both of my PCs running on that power line with no problems. During these desk lamp problems I had only one PC running. I think if it were caused by overloading, it would blow a fuse. Now when I try to repeat it by bringing a lamp with a fluorescent tube or with a transformer to the monitor, nothing happens. And again, I didn't change anything; it simply stopped BY ITSELF.

I never had these problems before now. I don't detect this anywhere else, only with my PCs. We don't have any problems with electricity, house wiring etc. Now everything works fine without intervention. I'm from the Czech Republic and there aren't any variations in voltage; nobody has problems like mine.

If anyone has any rational and reasonable question to the point, feel free to ask..

Now I don't mind if there isn't at least one person who won't judge me as a sick, insane fool with delusions... ;)


Go pester some other haxors.


Go pester some other haxors.

You think I made up everything? It's NOT my nature; I act like this because I'm desperate... And I'm already pestering in many other places.

I truly don't do this for fun, and I would still be glad if someone could help me. Thanks everyone for the honest goodwill that you expressed to me.


@kobaltin

By the sounds of it your house has an infestation of electric elves.

These semi mythical creatures, similar to Rent Fairies, transfer from device to device via the electricity cables and can be incredibly difficult to exterminate, sometimes, to protect the power grid, it has been known for particularly bad infestations to have to be completely disconnected and the entire house rewired.

They can usually be found browsing 4chan on /b or talking about ebaumsworld on encyclopedia dramatica.

If they are currently residing in your PC, you may save the house by simply taking a sledge hammer to it, if you can trap them in the old Hard drives you may just get away with putting them in the microwave. (Electric elves are vulnerable to microwaves, they transfer into the air via the microwaves and then when the microwaves stop they have nowhere to go and simply die in a bright spark of plasma, which can be quite beautiful.)


Is your power of terrible quality? I mean, is your power really flaky, on and off and cutting out a lot? Your power might not be consistent enough for your computer to be happy. What are the specs on the circuit connected to your machine?

It sounds very unlikely that this is a "hacker" doing this. More likely it is a simpler explanation: either you aren't telling the complete truth, or you don't understand what you are seeing. Check your power condition. Also check your power supply condition.


@mSparks

"Thanks" for spam

afaik electric elves are indifferent to precooked meats.

There is some evidence they like heated candle wax however

Maybe worth trying dripping some on your keyboard.

Edited by mSparks


I don't think my power is of terrible quality; it worked fine for years. I tried to run one PC from two power supplies:

Fortron 350 W: board (CPU Opteron 144 @ 2.43 GHz + graphics HD 4850 from the PCIe slot)

EC 300X1 300 W: additional supply for the graphics card + 3x HDD (Seagate 120 GB + 160 GB, Samsung 1 TB)

Even with this arrangement I had the described problems with the blackout of two monitors + freezing + fans spinning at max RPM (all three things at one moment). Now I supply all these components with the 350 W Fortron and I haven't had any problem for three weeks.

And I know that I should have a more powerful supply for my PCs. But as I described with this test, wattage doesn't affect my problem. Before all this I never had these problems, and it's been fine now for three weeks as well.

I swear that I'm telling the complete truth; why would I bother making this up? I'm just precisely describing what I see.


If the problems you're describing are accurate, it's probably an issue with your electrical supply, as suggested above. Not the power supply in your computer, but the electrical service to your building. I had similar problems (weird memory errors, monitor would randomly turn off, strange screen distortions) when I lived in the ancient cadet barracks in college. I figured out that when my neighbor's refrigerator or microwave turned on, I experienced computer problems. The wiring in the building was too old to meet the electrical demand that modern equipment was putting on it. I ended up buying an APC power filter and battery backup and the problems stopped.

EDIT: mSparks, we always called them "gremlins," not elves!

Edited by systems_glitch


In my case the problem stopped by itself and was never there before. I have lived here my whole life, and until this, everything was fine. Now it's been fine for three weeks since then. Nothing changed around here; we don't have any new electronics, and we didn't remove anything either. These serious problems were just there, and now they are not. As you described, you proved that yours was caused by bad electrical service in the building by solving the problem with a power filter etc. I think that's not my problem, according to what I just wrote.


EDIT: mSparks, we always called them "gremlins," not elves!

Gremlins are physical creatures; electric elves are metaphysical and evolved from an entirely different race of miscreants who live in the sun, hence the attraction to microwaves.


Finally I have some big news. I ran Kaspersky antivirus and deleted the infected files which I wrote about before (I had had them on the HDD for years). But Kaspersky still said "Your computer security is at risk. Detected legal software that can be used by criminals for damaging your computer or personal data". Next to this message is a button "Fix it now", so I pushed that. A moment later my system (Win7) started completely messing up: it showed some errors that disappeared so fast that I couldn't read them, all programs were closing and then my PC restarted. After the first boot I couldn't run some programs (Notepad, Total Commander); it said something like I didn't have access privileges. I pushed "Fix it now" again and the same thing happened, the PC rebooted. Now I can run all programs, so I won't push that button again for a while. Any ideas what to do?
