Determining If You are Actively Being Compromised


Introduction


It’s 4 PM on a Thursday afternoon…do you know what ports you’re communicating on? One of the biggest fears of any systems administrator is that his/her machine has been compromised. When it happens, something will often tip you off to the intruder’s presence, whether an obscure antivirus alert or a strange firewall notification, so it’s a good idea to know what to do in that situation. In this article I will demonstrate a few things you can do to find out whether someone else is hanging around your system.


Listing Open Connections


One of the simplest and most effective things you can do is to output a list of the open connections to your system. This is made possible by the netstat command line tool, which is available on both Linux and Windows. On Windows, typing netstat -na at a command prompt lists every TCP and UDP socket, both listening and connected. The output shows four columns: the first is the protocol in use (TCP or UDP), the second is the local address and port, the third is the foreign address and port, and the last is the state of the connection (UDP sockets have no state, so that column is blank for them). On modern Windows versions you can also run netstat -nao to add a fifth column with the process ID (PID) that owns each socket, and netstat -naob from an elevated prompt goes a step further and prints the executable responsible for each connection. An example of this output is shown in Figure 1.



Figure 1: Output of the netstat -nao command


When examining netstat output you can easily be overwhelmed with information, so first close any network-centric applications and processes so that your results aren’t clouded with legitimate connections. Once you’ve done that, look first for unrecognized foreign addresses, especially in the ESTABLISHED state. Next, look for LISTENING sockets on odd local ports: when an attacker compromises a system he will often leave a backdoor listening so that he can reconnect more easily. Note that the foreign address of a LISTENING socket is always 0.0.0.0:0 or [::]:0, because nothing has connected to it yet; on those rows it is the local port and the owning process that matter. Use the PID column from netstat -nao together with tasklist /FI "PID eq <pid>" to identify the process behind any socket you don’t recognize. It helps to know your system very well when examining this output so that you have an idea of which connections are normal; a netstat listing saved while the system was known-good is worth far more than any generic list of “bad ports”.
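The same triage done in PowerShell, as an added example that is not code from the original article: every listening and established socket is mapped to its owning process and flagged when it is out of place (an unexpected listening port, a peer outside your own ranges, or an owner binary whose signature does not verify). Get-NetTCPConnection and Get-NetUDPEndpoint ship with Windows 8 / Server 2012 and later; on older systems netstat -naob is the equivalent. The allow-lists and the internal address ranges are assumptions to replace with your own baseline.

```powershell
# Added example (not from the original article): netstat -nao triage in PowerShell.
# Run elevated so that process image paths are readable.
$KnownTcpListeners = @(135, 139, 445, 3389)             # assumption: TCP ports you expect open
$KnownUdpListeners = @(123, 137, 138, 500, 4500, 5353)  # assumption: UDP ports you expect open
$InternalRanges    = @('^10\.', '^192\.168\.', '^172\.(1[6-9]|2\d|3[01])\.')  # assumption: your LAN

function Test-LocalOrInternal {
    param([string]$Address)
    # Loopback, link-local, unspecified and the configured internal ranges are not "foreign".
    if ($Address -match '^(127\.|169\.254\.|0\.0\.0\.0$|::1$|::$|fe80:)') { return $true }
    foreach ($re in $InternalRanges) { if ($Address -match $re) { return $true } }
    return $false
}

function Get-OwnerInfo {
    param([int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    $path = if ($proc -and $proc.Path) { $proc.Path } else { $null }
    # Authenticode status of the owning image: Valid, NotSigned, HashMismatch, ...
    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status.ToString() } else { 'unknown' }
    [pscustomobject]@{
        Name = if ($proc) { $proc.ProcessName } else { '<exited>' }
        Path = if ($path) { $path } else { '<unreadable: run elevated>' }
        Sig  = $sig
    }
}

function Get-SuspiciousSockets {
    Get-NetTCPConnection -State Listen, Established | ForEach-Object {
        $owner = Get-OwnerInfo $_.OwningProcess
        $why = @()
        if ($_.State -eq 'Listen' -and $_.LocalPort -notin $KnownTcpListeners) { $why += 'unexpected listener' }
        if ($_.State -eq 'Established' -and -not (Test-LocalOrInternal $_.RemoteAddress)) { $why += 'foreign peer' }
        if ($owner.Sig -notin 'Valid', 'unknown') { $why += "image $($owner.Sig)" }
        if ($why) {
            [pscustomobject]@{
                Proto = 'TCP'; Local = "$($_.LocalAddress):$($_.LocalPort)"
                Remote = "$($_.RemoteAddress):$($_.RemotePort)"; State = $_.State
                PID = $_.OwningProcess; Process = $owner.Name; Path = $owner.Path
                Why = $why -join '; '
            }
        }
    }
    # UDP sockets have no state; just report endpoints on ports you do not expect.
    Get-NetUDPEndpoint | Where-Object { $_.LocalPort -notin $KnownUdpListeners } | ForEach-Object {
        $owner = Get-OwnerInfo $_.OwningProcess
        [pscustomobject]@{
            Proto = 'UDP'; Local = "$($_.LocalAddress):$($_.LocalPort)"; Remote = '*:*'; State = ''
            PID = $_.OwningProcess; Process = $owner.Name; Path = $owner.Path
            Why = 'unexpected UDP endpoint'
        }
    }
}

Get-SuspiciousSockets | Sort-Object Proto, State, Local | Format-Table -AutoSize -Wrap
```

The script reads the same kernel socket tables that netstat does, so it inherits netstat’s blind spot: a rootkit that hides a socket from netstat hides it from Get-NetTCPConnection too. Treat a clean result as one data point and confirm it with a port scan from another machine.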


It’s important to keep in mind that netstat is not infallible. Many rootkits, both user-mode and kernel-mode, deliberately hide the attacker’s sockets from netstat, either by patching or replacing the netstat binary itself or by hooking the kernel and API calls it uses to enumerate connections, so that the backdoor’s port never appears in the output. If the host may be rooted, trust a view from outside the host (a port scan from another machine, or a capture taken on the network) over anything the host reports about itself.


Sniffing the Wire


If someone is controlling your system remotely, their traffic has to pass through your network interface. Since that is unavoidable, and since netstat cannot be relied upon against a skilled attacker with a kernel-mode rootkit, an alternative is to fire up a packet sniffer and examine the packets crossing the wire or the airwaves directly.


To start sniffing quickly I recommend Wireshark, the world’s most popular packet sniffer: it’s easy to install, open source (i.e. free), and graphical. If you prefer the command line, use Wireshark’s command-line counterpart tshark, or the ever popular WinDump (the Windows port of tcpdump), which is also free and works well. With any of these you can quickly capture the packets traversing your network interface and search for IP addresses that are foreign to your system. Where you can, capture from a second machine on a SPAN/mirror port or an inline tap rather than on the suspect host itself: a rootkit that hides sockets from netstat can just as easily filter what a sniffer running on the same host sees, whereas traffic captured elsewhere is the one view the attacker cannot edit.



Figure 2: Using Wireshark to Examine Conversations


Once again, turn off any services that use the network so that they don’t cloud your results. You can quickly view all of the conversations between your system and the outside world by selecting Statistics from the main menu and clicking Conversations. This window lists the actively communicating host pairs, sortable by packets, bytes, or duration, as shown in Figure 2; Statistics > Endpoints gives the same view per host. A display filter such as !(ip.addr == 192.168.0.0/16) hides your own network and leaves only the foreign traffic.
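The Conversations view reduced to a command-line routine, as an added example that is not code from the original article: tshark (installed with Wireshark; capturing on Windows also needs Npcap or WinPcap) records a short capture, then every outbound TCP SYN is pulled out and grouped by destination so that the hosts this machine reached out to, and the hosts that connected in, stand out. The install path, interface index, capture length and the “internal” address ranges are assumptions; run it on the capture box rather than the suspect host where you can.

```powershell
# Added example (not from the original article): Statistics > Conversations with tshark.
$Tshark   = 'C:\Program Files\Wireshark\tshark.exe'      # assumption: default install path
$Capture  = Join-Path $env:TEMP 'triage.pcapng'          # assumption: where the capture is kept
$Internal = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|224\.|255\.)'  # assumption

# Capture for two minutes on interface 1; `& $Tshark -D` lists the interface indexes.
& $Tshark -i 1 -a duration:120 -w $Capture

# Every outbound TCP connection attempt starts with a SYN that carries no ACK,
# so the destination of each such packet is a host this machine reached out to.
& $Tshark -r $Capture -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 0' `
          -T fields -e ip.dst -e tcp.dstport -E separator=, |
    ForEach-Object {
        $dst, $port = $_ -split ','
        [pscustomobject]@{ Destination = $dst; Port = $port }
    } |
    Where-Object { $_.Destination -and $_.Destination -notmatch $Internal } |
    Group-Object Destination, Port |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Destination:Port'; e = { $_.Name -replace ', ', ':' } } |
    Format-Table -AutoSize

# The inbound direction: SYNs whose source is not internal are someone connecting in.
& $Tshark -r $Capture -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 0' `
          -T fields -e ip.src -e tcp.dstport -E separator=, |
    Where-Object { $_ -and ($_ -split ',')[0] -notmatch $Internal } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Source,DestinationPort'; e = { $_.Name } } |
    Format-Table -AutoSize

# The same conversation table that Wireshark shows, as text:
& $Tshark -r $Capture -q -z conv,ip
```

Only IPv4 is covered here (swap in ipv6.src / ipv6.dst for the other family), and a SYN that never completes a handshake still counts, which is what you want: a backdoor beaconing to a command server that is currently down shows up as a column of repeated SYNs to the same foreign address.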


Sifting through Log Files


Log files are the bread and butter of any systems administrator, software developer, or intrusion analyst. Of course, a sophisticated attacker will cover his tracks, but we want to catch the unsophisticated ones too. The quickest way to open Event Viewer on a Windows system is to type eventvwr.msc in the Run dialog or at a command prompt. From there, examine the logs (the Security and System logs in particular) for activity that is inconsistent with your daily use. Some events I look for include:



  • A large number of failed login attempts (Security log, event ID 4625 on Windows Vista and later; 529 and related IDs on Windows XP/2003). This can indicate someone guessing or brute-forcing an account password; look at the target account, the source address, and the logon type. These events are only written if failure auditing for logon events is enabled in your audit policy.
  • The event log service being stopped (Security log, event ID 1100) or the audit log being cleared (event ID 1102). It’s common for attackers to do this immediately after compromising a system to cover their tracks. Note that 1100 is also written at every normal shutdown, so look for one that isn’t followed by a reboot.
  • Unusual services starting. A new service installation is recorded in the System log as event ID 7045 from Service Control Manager, with the service name and image path. Any service you don’t recognize is worth investigating, as it could be malicious.
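Those three checks pulled out of the event logs with Get-WinEvent, as an added example that is not code from the original article. It needs an elevated session to read the Security log and uses the Windows Vista-and-later event IDs; the 24-hour lookback window and the failed-logon threshold are assumptions to tune for your environment.

```powershell
# Added example (not from the original article): event-log triage for the indicators above.
$LookbackHours        = 24   # assumption
$FailedLogonThreshold = 20   # assumption: failed logons per (account, source) that merit a look
$since = (Get-Date).AddHours(-$LookbackHours)

function Get-EventsOrEmpty {
    param([hashtable]$Filter)
    # Get-WinEvent reports "no events found" as an error; treat that as an empty result.
    try { @(Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop) } catch { @() }
}

function ConvertFrom-EventData {
    param($Event)
    # Named fields (TargetUserName, IpAddress, ServiceName, ...) live in the event's XML.
    $data = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    $data
}

'== Failed logons (4625) with at least {0} attempts per account/source in the last {1}h ==' -f $FailedLogonThreshold, $LookbackHours
Get-EventsOrEmpty @{ LogName = 'Security'; Id = 4625; StartTime = $since } |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{ Account = $d['TargetUserName']; Source = $d['IpAddress']; LogonType = $d['LogonType'] }
    } |
    Group-Object Account, Source, LogonType |
    Where-Object Count -ge $FailedLogonThreshold |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Account, Source, LogonType'; e = { $_.Name } } |
    Format-Table -AutoSize

'== Event log service stopped (1100) or audit log cleared (1102) =='
Get-EventsOrEmpty @{ LogName = 'Security'; Id = 1100, 1102; StartTime = $since } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

'== New services installed (7045) =='
Get-EventsOrEmpty @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since } |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time = $_.TimeCreated; Service = $d['ServiceName']; ImagePath = $d['ImagePath']
            StartType = $d['StartType']; InstalledBy = $d['AccountName']
        }
    } | Format-Table -AutoSize -Wrap
```

Logon type 3 (network) and 10 (remote interactive, i.e. RDP) failures from an address you don’t recognize are the classic brute-force pattern; a 7045 whose image path points into a user profile or a temp directory is the classic backdoor service.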

Using Process Monitor to Examine the Registry and Running Processes


Two of the most important areas to look at when determining whether a system has been compromised are the registry and the running processes. Most persistent changes to a Windows system leave a trace in the registry, and everything that happens on the system is done by some process. In the past, examining these was a cumbersome, manual job with the built-in Registry Editor and Task Manager. Luckily for us, Windows Sysinternals provides the Process Monitor tool. With Process Monitor you can watch registry, file system and process activity as it happens, and view the active processes and detailed information about each of them in its Process Tree view. You can download Process Monitor from Microsoft. The same caveat as for netstat applies: a kernel-mode rootkit can hide a process from any tool running on the host, so a clean process list is not proof of a clean system.



Figure 3: Viewing Processes in Process Monitor’s Process Tree View


As for analysing the registry and the running processes, this is another case where you need a knowledge baseline in order to be effective. Run Process Monitor occasionally and get an idea of which processes are normal for your system so that you can quickly pick out anomalous ones when the time comes. Pay particular attention to the registry keys that start programs automatically (the Run and RunOnce keys under HKLM and HKCU, and the service entries under HKLM\SYSTEM\CurrentControlSet\Services), since that is where a backdoor has to register itself to survive a reboot.


Looking for New User Accounts


This last one is a no-brainer, but I couldn’t write this article without mentioning it. It’s incredibly common for an attacker to compromise a system and then create a new user account on it for easier re-entry. You can view the user accounts on your system by going to the Start menu, right-clicking Computer, clicking Manage, and browsing the Local Users and Groups heading (or by running lusrmgr.msc directly). From a command prompt, net user lists the accounts and net localgroup administrators lists who holds administrative rights; check both, because an attacker may simply add an existing low-privilege account (or the built-in Guest account, after enabling it) to Administrators rather than create a new one.
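A baseline-and-diff script serving both the Process Monitor section above and this one, as an added example that is not code from the original article: it snapshots running processes, installed services, the autorun registry values, local user accounts and Administrators membership while the system is known-good, then diffs a later snapshot against that baseline and prints what is new or gone. Get-LocalUser and Get-LocalGroupMember need Windows 10 / Server 2016 or later (net user and net localgroup are the older equivalents); the baseline path and the group name Administrators (localized on non-English systems) are assumptions.

```powershell
# Added example (not from the original article): known-good baseline of processes,
# services, autoruns, local users and admins, then a diff. Run elevated both times
# so that process image paths are readable, and keep a copy of the baseline off the
# host, since an intruder with admin rights can edit the copy kept locally.
$BaselinePath = Join-Path $env:ProgramData 'host-baseline.json'   # assumption

$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-HostSnapshot {
    [pscustomobject]@{
        Taken     = (Get-Date).ToString('o')
        # Name plus image path identifies a process; PIDs change across reboots.
        Processes = @(Get-Process | ForEach-Object {
                        $p = if ($_.Path) { $_.Path } else { '<path unreadable>' }
                        '{0}|{1}' -f $_.ProcessName, $p
                      } | Sort-Object -Unique)
        Services  = @(Get-CimInstance Win32_Service | ForEach-Object {
                        '{0}|{1}|{2}' -f $_.Name, $_.PathName, $_.StartMode
                      } | Sort-Object -Unique)
        # Every value under the Run/RunOnce keys is a program started at logon.
        Autoruns  = @(foreach ($k in $RunKeys) {
                        if (Test-Path $k) {
                            (Get-ItemProperty $k).PSObject.Properties |
                                Where-Object { $_.Name -notlike 'PS*' } |
                                ForEach-Object { '{0}|{1}|{2}' -f $k, $_.Name, $_.Value }
                        }
                      })
        Users     = @(Get-LocalUser | ForEach-Object { '{0}|{1}|enabled={2}' -f $_.Name, $_.SID, $_.Enabled })
        Admins    = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
    }
}

function Compare-HostSnapshot {
    param($Baseline, $Current)
    # A plain set difference per section; empty sections are fine on either side.
    foreach ($section in 'Processes', 'Services', 'Autoruns', 'Users', 'Admins') {
        $was = @($Baseline.$section); $now = @($Current.$section)
        foreach ($i in $now) { if ($i -notin $was) { [pscustomobject]@{ Section = $section; Change = 'NEW';  Item = $i } } }
        foreach ($i in $was) { if ($i -notin $now) { [pscustomobject]@{ Section = $section; Change = 'GONE'; Item = $i } } }
    }
}

if (-not (Test-Path $BaselinePath)) {
    Get-HostSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    "Baseline written to $BaselinePath; run this script again later to compare against it."
} else {
    $base = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    Compare-HostSnapshot -Baseline $base -Current (Get-HostSnapshot) |
        Sort-Object Section, Change, Item | Format-Table -AutoSize -Wrap
}
```

Processes come and go, so some NEW/GONE entries in that section are normal noise; a NEW entry under Users, Admins, Autoruns or Services, on the other hand, is exactly the reentry mechanism this section is about, and a GONE entry can mean the attacker disabled something (an antivirus service, say) to stay hidden.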


Conclusion


In this article I’ve given a basic run-through of some things to look for when you think your system has been compromised. This list is by no means exhaustive, as entire books have been written on the topic. In addition, the SANS Institute publishes a cheat sheet that complements this article well. As always, remember that proactive security is the best security, as it saves you from having to be reactive.

4 thoughts on “Determining If You are Actively Being Compromised”

  1. I found these bizarre cards, that you described in this article, on my network. I am going to attempt to close the ports, but usually that solution is very temporary. Thought you might find these interesting.

    smartcard-tls 4116/tcp
    smartcard-tls 4116/udp
    wap-vcard 9204/tcp
    wap-vcard 9204/udp
    wap-vcard-s 9206/tcp
    wap-vcard-s 9206/udp
    cardifftec-back 4573/tcp
    GOLDCARD HIGH-TECH CO.,LTD.
    Datacard Group
    US Robotics Total Control ™ NETServer Card
    JTEC Card & Communication Co., Ltd
    Advanced Card Systems Ltd.
    Telecard-Pribor Ltd
    Bluecard Software Technology Co., Ltd.
    Cardkey Systems, Inc.
    Elcard Wireless Systems Oy
    Unicard Sa

  2. I keep finding myself established to Holland and London when not connected to the Internet. I’m in the United States. Is this normal?

    1. Established doesn’t mean ‘connected’. If you have open RDP ports that are publicly available, you WILL have ‘established’ unknown connections. Basically, hackers are running bots trying to break into your system with brute-force user/pass combos. It’s really not that much of a worry if you have a strong password. As I said, you can NOT prevent these connections from happening if you have a wide open RDP public port all for the taking.

  3. I found foreign addresses listening in the netstat output, but you didn’t provide instructions on how to remove these foreign addresses. Is there a way to remove them?
