Intrusion Detection Tools

TASK MANAGER:

Use Ctrl + Alt + Delete and select "Task Manager", or press Ctrl + Shift + Esc on an XP machine.

Once in Task Manager, select the "Performance" tab. This gives you some indication of what your system is doing. It should only be using a lot of CPU or memory if you are running many applications or really intensive ones such as Macromedia apps, visual applications and others. If you see that the system is maxed out for no apparent reason, you have more than likely been hacked.

From Task Manager you can also stop processes. Go to the "Processes" tab and right-click on the offending application:

[Screenshot: Task Manager, Processes tab]

NETSTAT

Use netstat to examine what network activity is happening on your system. It displays protocol statistics and current TCP/IP network connections.

Here is what you might see if you used Netstat to check whether your system was being used by a worm:

[Screenshot: netstat output while a worm is scanning]

As you can see, Netstat displays every action the worm takes. The worm is scanning the network for other systems to spread to.

Netstat is a built-in feature of Windows.

To access it go to Start | Run | type "cmd"

This will bring up a DOS prompt. Type "netstat"

If there is a ridiculous amount of activity scrolling up the screen and your system is sluggish, you may have a Trojan, virus or worm.

MORE ON NETSTAT:

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

-a        Displays all connections and listening ports.
-e        Displays Ethernet statistics. This may be combined with the -s option.
-n        Displays addresses and port numbers in numerical form.
-p proto  Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP.
-r        Displays the routing table.
-s        Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.
interval  Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.
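The worm pattern described above (a flood of outbound connection attempts to other machines) can be checked mechanically instead of by eye. The following is an added example, not code from this page or from any tool it describes: it parses the text of `netstat -an` (the -a and -n switches from the table above, so nothing is resolved) and flags any local host that has half-open (SYN_SENT) connections to many distinct remote hosts on the same port. The netstat dump it runs on is constructed for the example; the threshold of 20 targets is an assumption you can tune.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -an` output; not captured from a real host.
# Host 192.168.1.5 has a few normal connections plus a burst of half-open (SYN_SENT)
# connections to consecutive addresses on port 445, the pattern a scanning worm produces.
NORMAL_LINES = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       192.168.1.1:80         ESTABLISHED
  TCP    192.168.1.5:1035       192.168.1.20:139       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
SCAN_LINES = "".join(
    f"  TCP    192.168.1.5:{1051 + i:<5}      10.0.0.{i + 1}:445           SYN_SENT\n"
    for i in range(40)
)
SAMPLE_NETSTAT = NORMAL_LINES + SCAN_LINES

# One connection row: protocol, local addr:port, foreign addr:port, optional state.
# UDP rows have no State column, and their foreign address is printed as *:*.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+([A-Z_]+))?\s*$"
)


def parse_netstat(text):
    """Turn netstat -an text into a list of connection dicts; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lhost, lport, rhost, rport, state = m.groups()
        conns.append({
            "proto": proto,
            "local_host": lhost,
            "local_port": lport,
            "remote_host": rhost,
            "remote_port": rport,
            "state": state or "",  # UDP rows carry no state
        })
    return conns


def find_scan_sources(conns, min_targets=20):
    """Return {(local_host, remote_port): distinct_targets} for every local host with
    half-open TCP connections to at least min_targets distinct remote hosts on one
    remote port. SYN_SENT entries fanning out across many addresses is the netstat
    signature of a host probing the network rather than using it."""
    targets = defaultdict(set)
    for c in conns:
        if c["proto"] == "TCP" and c["state"] == "SYN_SENT":
            targets[(c["local_host"], c["remote_port"])].add(c["remote_host"])
    return {key: len(hosts) for key, hosts in targets.items() if len(hosts) >= min_targets}


def report(text):
    """Human-readable summary of a whole netstat dump."""
    conns = parse_netstat(text)
    hits = find_scan_sources(conns)
    lines = [f"{len(conns)} connections parsed"]
    for (host, port), n in sorted(hits.items()):
        lines.append(f"{host} is probing {n} hosts on port {port} (SYN_SENT fan-out)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
```

On a live machine you would feed `report()` the output of `netstat -an` captured to a file; a normal workstation has a handful of ESTABLISHED rows and LISTENING sockets, whereas the scanning host above shows up with forty half-open connections on one port, which is the clue the screenshot illustrates.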

FPORT

fport is a creation of Foundstone. For information on how to download it, go to the tools to detect hacking page.

Download fport in your C:\ drive.

Here is a picture of what you might see if you had Malware and used fport to see it:

[Screenshot: fport output showing the worm's process and ports]

The reason fport is superior to netstat is that it shows not only the ports the worm is attempting to access but also the protocol and the application or malware using them. Once you know the name of the process you can use Task Manager to shut it off. Some apps/malware run as a system process and can only be deleted in Safe Mode.

You will need to access the Command Prompt to use fport.

To get to the Command Prompt go to Start | Run | type "cmd"

The Command Prompt may automatically put you in your home directory. You'll need to be in C:\ to use fport (actually, you'll need to be in whatever folder you downloaded fport to).

Once in the same folder as fport, type "fport".

fport will list network connections and all the applications using them.
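The value of fport is the port-to-process mapping, so the natural next step is to turn its listing into a lookup: given a port that netstat showed as busy, which process and executable own it, and does any one process hold an unusual number of sockets? The following is an added example, not code from this page or from Foundstone: the fport table layout (Pid, Process, Port, Proto, Path columns) is reproduced from memory as an assumption, the listing is constructed, and "badworm" is a made-up process name standing in for malware. The threshold of four ports per process is likewise an assumption.

```python
import re
from collections import defaultdict

# Constructed fport listing. The Pid/Process/Port/Proto/Path column layout is an
# assumption about the tool's output format, and "badworm" is a made-up process
# name standing in for malware; nothing here was captured from a real host.
SAMPLE_FPORT = r"""
FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINDOWS\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
1128  inetinfo       ->  80    TCP   C:\WINDOWS\system32\inetsrv\inetinfo.exe
1460  badworm        ->  4444  TCP   C:\WINDOWS\system32\badworm.exe
1460  badworm        ->  1051  TCP   C:\WINDOWS\system32\badworm.exe
1460  badworm        ->  1052  TCP   C:\WINDOWS\system32\badworm.exe
1460  badworm        ->  69    UDP   C:\WINDOWS\system32\badworm.exe
8     System         ->  445   UDP
"""

# One data row: pid, process name, "->", port, protocol, optional executable path.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")


def parse_fport(text):
    """Parse fport's table into dicts; the banner and column header are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        pid, process, port, proto, path = m.groups()
        rows.append({
            "pid": int(pid),
            "process": process,
            "port": int(port),
            "proto": proto,
            "path": path,  # empty for kernel-owned sockets such as System
        })
    return rows


def owner_of(rows, port, proto="TCP"):
    """The question fport exists to answer: which process holds this port?
    Returns (pid, process, path) or None if nothing is bound there."""
    for r in rows:
        if r["port"] == port and r["proto"] == proto:
            return (r["pid"], r["process"], r["path"])
    return None


def ports_by_pid(rows):
    """Group bound ports per process so one process holding many sockets stands out."""
    grouped = defaultdict(list)
    for r in rows:
        grouped[(r["pid"], r["process"])].append((r["proto"], r["port"]))
    return {key: sorted(ports) for key, ports in grouped.items()}


def suspicious_processes(rows, min_ports=4):
    """Processes bound to at least min_ports sockets. A worm that scans and also
    listens for callbacks typically owns more ports than any ordinary application."""
    return {key: ports for key, ports in ports_by_pid(rows).items() if len(ports) >= min_ports}


if __name__ == "__main__":
    rows = parse_fport(SAMPLE_FPORT)
    print("port 4444/TCP is held by:", owner_of(rows, 4444))
    for (pid, name), ports in suspicious_processes(rows).items():
        print(f"pid {pid} ({name}) holds {len(ports)} ports: {ports}")
```

With a real listing, `owner_of()` gives you the pid and path to hand to Task Manager (or to look up in Safe Mode when it runs as a system process), and `suspicious_processes()` is the quick triage pass over the whole table before you read it line by line.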

MORE ON FPORT:

FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Usage:
/p sort by port
/a sort by application
/i sort by pid
/ap sort by application path

Special thanks to Gary Nebbett for light

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License.