Tuesday, June 3, 2008

How to check if a system has been hacked?

Use Built-in Windows commands

Ed Skoudis has recently posted an interesting article to help users find out whether their system has been hacked or infected with malware.

According to Ed Skoudis, the following five built-in commands are a useful and interesting starting point for finding out whether your computer has been hacked or infected. None of them needs anything installed, which matters on a box you suspect, since installing tools alters the evidence.

  1. Windows Management Instrumentation: Windows XP and Vista include a command-line utility (Wmic.exe) for querying Windows Management Instrumentation (WMI). Previously, an end user generally had to write a script to gather information through WMI; with wmic the process, startup and service aliases list running processes (including the full command line and parent process ID), auto-start entries and installed services in one command each, which is exactly the data a quick compromise check needs. Wmic.exe can only be used by local administrators, regardless of the WMI namespace permissions on the machine, so run it from an elevated command prompt.

  2. NET commands: The net commands (net user, net localgroup, net start, net share, net session, net use) report on and manage local accounts, group membership, started services, shares and SMB sessions, and in some instances make a task easier than the GUI (Graphical User Interface) would. They work over SMB rather than raw NetBIOS: NetBIOS name resolution is confined to the local subnet because it relies on broadcasts, but SMB over TCP port 445 is routable, so the commands also work against remote machines addressed by IP address or DNS name. For a compromise check, compare net user and net localgroup administrators against the accounts you expect, and look in net session and net share for connections and shares you did not create.

  3. Openfiles: Many Windows administrators are unfamiliar with the powerful openfiles command built into Windows. As its name implies, it shows files that are open on the box, and openfiles /query /v adds the name of the process holding each file. One caveat: by default it lists only files opened over the network by remote users (the same data net file shows). To see handles held by local processes you must first run openfiles /local on and reboot, which enables the "maintain objects list" global flag at a small performance cost, so on an unprepared machine the local list is empty and that is not evidence of anything.

  4. Netstat: It is a great tool for getting a quick overview of different aspects of your networking setup. The Windows netstat command shows network activity, focusing on TCP and UDP by default. netstat -nao lists every endpoint with numeric addresses, its state and the owning process ID, which can be matched against the wmic process list to see which program is listening on or connected to an unexpected port; netstat -naob (administrator rights required) prints the executable name as well.

  5. Find: The find command has the ability to count. Invoked with the /c switch, it counts the number of lines of its input that contain a given string. Users often want to count the lines in the output of a command to determine how many processes are running, how many startup items are present, or a variety of other interesting tidbits on a machine. To count the lines of output, pipe it through find /c /v "". Windows find treats the empty search string "" as matching no line at all, so /v (show lines that do not match) selects every line, blank ones included, and /c prints the total. The result is, in effect, a count of all the lines in the output, which can be compared against a baseline taken when the machine was known to be clean.
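The five commands combined into one triage script, as an added example written for this post rather than taken from Ed Skoudis's article. It assumes an elevated cmd.exe on Windows XP, Vista or 7 with wmic.exe present; the output file name, the section labels and the temp-path heuristic at the end are my own choices, not something the article prescribes. The wmic sections are piped through find /v "" because wmic writes UTF-16 when redirected straight into a file, and the counts at the end use find /c exactly as described above.

```batch
@echo off
setlocal
REM Added example, not part of the original post or Ed Skoudis's article.
REM Assumes an elevated cmd.exe on XP/Vista/7 with wmic.exe available.
REM The output path and section labels are my own choices.
set "OUT=%TEMP%\triage_%COMPUTERNAME%.txt"

echo === Triage snapshot for %COMPUTERNAME% at %DATE% %TIME% === > "%OUT%"

REM 1. WMI: processes with parent PID and full command line, auto-start
REM    entries, running services, and local accounts.
REM    "| find /v """ passes every line but converts wmic's UTF-16 to ANSI.
echo.>> "%OUT%" & echo [wmic process] >> "%OUT%"
wmic process get name,processid,parentprocessid,executablepath,commandline /format:list | find /v "" >> "%OUT%"
echo.>> "%OUT%" & echo [wmic startup] >> "%OUT%"
wmic startup list full | find /v "" >> "%OUT%"
echo.>> "%OUT%" & echo [wmic service - running] >> "%OUT%"
wmic service where state="running" get name,displayname,pathname,startmode /format:list | find /v "" >> "%OUT%"
echo.>> "%OUT%" & echo [wmic useraccount - local] >> "%OUT%"
wmic useraccount where "localaccount=true" get name,sid,disabled /format:list | find /v "" >> "%OUT%"

REM 2. NET: accounts, administrators group, started services, shares,
REM    inbound SMB sessions and outbound mapped connections.
for %%C in ("net user" "net localgroup administrators" "net start" "net share" "net session" "net use") do (
    echo.>> "%OUT%" & echo [%%~C] >> "%OUT%"
    %%~C >> "%OUT%" 2>&1
)

REM 3. openfiles: without "openfiles /local on" (and a reboot) only files
REM    opened over the network are listed; record the flag state so an
REM    empty local list is not misread later.
echo.>> "%OUT%" & echo [openfiles] >> "%OUT%"
openfiles /local >> "%OUT%" 2>&1
openfiles /query /v >> "%OUT%" 2>&1

REM 4. netstat: every TCP/UDP endpoint with its owning PID, to be joined
REM    against the wmic process list above.
echo.>> "%OUT%" & echo [netstat -nao] >> "%OUT%"
netstat -nao >> "%OUT%"

REM 5. find /c: an empty search string matches nothing, so /v "" selects
REM    every line and /c prints the total. tasklist /fo csv /nh emits one
REM    line per process with no header, so the count is exact.
echo.>> "%OUT%" & echo [counts] >> "%OUT%"
for /f %%N in ('tasklist /fo csv /nh ^| find /c /v ""') do echo processes: %%N >> "%OUT%"
for /f %%N in ('netstat -nao ^| find "LISTENING" ^| find /c /v ""') do echo listening TCP ports: %%N >> "%OUT%"
REM Each registry value line contains its type (REG_SZ etc.), so counting
REM "REG_" counts Run entries without the key header line.
for /f %%N in ('reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run ^| find /c "REG_"') do echo HKLM Run entries: %%N >> "%OUT%"
for /f %%N in ('reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run ^| find /c "REG_"') do echo HKCU Run entries: %%N >> "%OUT%"

REM Heuristic of my own (not from the article): executables running out of
REM temp or profile directories deserve a second look.
echo.>> "%OUT%" & echo [executables under temp/profile paths] >> "%OUT%"
wmic process get executablepath | find /i "\temp\" >> "%OUT%"
wmic process get executablepath | find /i "\appdata\" >> "%OUT%"

echo Snapshot written to "%OUT%"
endlocal
```

Run it once on a machine you know to be clean and keep that file; when you suspect a compromise, run it again and compare the two with fc. New accounts, new Run entries, a listening port whose PID maps to a process running out of a temp directory, or a process count that has jumped stand out far more clearly in a diff than in a single listing.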
