Re: Tutorial :How to Trace a hacker...
## Netstat: Your first line of defence ##
Netstat is a very fast and reliable method of seeing exactly who or what is connected (or connecting) to your computer. Open up DOS (Start/Programs/MS-DOS Prompt on most systems), and in the MSDOS Prompt, type:
netstat -a
(make sure you include the space inbetween the "t" and the "a").
If you're connected to the Internet when you do this, you should see something like:
Active Connections
Proto Local Address Foreign Address State
TCP macintosh: 20034 modem-123.tun.dialup.co.uk: 50505 ESTABLISHED
TCP macintosh: 80 proxy.webcache.eng.sq: 30101 TIME_WAIT
TCP macintosh MACINTOSH: 0 LISTENING
TCP macintosh MACINTOSH: 0 LISTENING
TCP macintosh MACINTOSH: 0 LISTENING
Now, "Proto(col)" simply means what kind of data transmission is taking place (TCP or UDP), "Local address" is your computer (and the number next to it tells you what port you're connected on), "Foreign Address" is the machine that is connected to you (and what port they're using), and finally "State" is simply whether or not a connection is actually established, or whether the machine in question is waiting for a transmission, or timing out etc.
Now, you need to know all of Netstat's various commands, so type:
netstat ?
You will get something like this:
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]
-a Displays all connections and listening ports.
-e Displays Ethernet statistics. This may be combined with the -s option.
-n Displays addresses and port numbers in numerical form.
-p proto Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP.
-r Displays the routing table.
-s Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.
Have a play around with the various options, but the most important use of these methods is when you combine them. The best command to use is
netstat -an
because this will list all connections in Numerical Form, which makes it a lot easier to trace malicious users....Hostnames can be a little confusing if you don't know what you're doing (although they're easily understandable, as we shall see later). Also, by doing this, you can also find out what your own IP address is, which is always useful.
Also,
netstat -b
will tell you what ports are open and what programs are connecting to the internet.
## Types of Port ##
It would be impossible to find out who was attacking you if computers could just access any old port to perform an important function; how could you tell a mail transfer from a Trojan Attack? Well, good news, because your regular, normal connections are assigned to low, commonly used ports, and in general, the higher the number used, the more you should be suspicious. Here are the three main types of port:
# Well Known Ports These run from 0 to 1023, and are bound to the common services that run on them (for example, mail runs on channel 25 tcp/udp, which is smtp (Simple Mail Transfer Protocol) so if you find one of these ports open (and you usually will), it's usually because of an essential function.
# Registered Ports These run on 1024 to 49151. Although not bound to a particular service, these are normally used by networking utilities like FTP software, Email client and so on, and they do this by opening on a random port within this range before communicating with the remote server, so don't panic (just be wary, perhaps) if you see any of these open, because they usually close automatically when the system that's running on them terminates (for example, type in a common website name in your browser with netstat open, and watch as it opens up a port at random to act as a buffer for the remote servers). Services like MSN Messenger and ICQ usually run on these Ports.
# Dynamic/Private Ports Ranging from 49152 to 65535, these things are rarely used except with certain programs, and even then not very often. This is indeed the usual range of the Trojan, so if you find any of these open, be very suspicious. So, just to recap:
Well Known Ports 0 to 1023 Commonly used, little danger.
Registered Ports 1024 to 49151 Not as common, just be careful.
Dynamic/Private Ports 49152 to 65535 Be extremely suspicious.
## The hunt is on ##
Now, it is essential that you know what you're looking for, and the most common way someone will attack your machine is with a Trojan. This is a program that is sent to you in an email, or attempts to bind itself to one of your ports, and when activated, it can give the user your passwords, access to your hard drive...they can even make your CD Tray pop open and shut. At the end of this Document, you will find a list of the most commonly used Trojans and the ports they operate on. For now, let's take another look at that first example of Netstat....
Re: Tutorial :How to Trace a hacker...
Active Connections
Proto Local Address Foreign Address State
TCP macintosh: 27374 modem-123.tun.dialup.co.uk: 50505 ESTABLISHED
TCP macintosh: 80 proxy.webcache.eng.sq: 30101 TIME_WAIT
TCP macintosh MACINTOSH: 0 LISTENING
TCP macintosh MACINTOSH: 0 LISTENING
TCP macintosh MACINTOSH: 0 LISTENING
Now, straight away, this should make more sense to you. Your computer is connected on two ports, 80 and 27374. Port 80 is used for http/www transmissions (ie for all intents and purposes, its how you connect to the net, although of course it's a lot more complicated than that). Port 27374, however, is distinctly suspicious; first of all, it is in the registered port range, and although other services (like MSN) use these, let's assume that you have nothing at all running like instant messengers, webpages etc....you're simply connected to the net through proxy. So, now this connection is looking even more troublesome, and when you realise that 27374 is a common port for Netbus (a potentially destructive Trojan), you can see that something is untoward here. So, what you would do is:
1) run Netstat , and use:
Netstat -a
then
Netstat -an
So you have both Hostnames AND IP addresses.
## Tracerouting ##
Having the attacker's IP is all well and good, but what can you do with it? The answer is, a lot more! It's not enough to have the address, you also need to know where the attacker's connections are coming from. You may have used automated tracerouting tools before, but do you jknow how they work?
Go back to MSDOS and type
tracert *type IP address/Hostname here*
Now, what happens is, the Traceroute will show you all the computers inbetween you and the target machine, including blockages, firewalls etc. More often than not, the hostname address listed before the final one will belong to the Hacker's ISP Company. It'll either say who the ISP is somewhere in there, or else you run a second trace on the new IP/hostname address to see who the ISP Company in question is. If the Hostname that you get back doesn't actually seem to mention an actual geographical location within its text, you may think all is lost. But fear not! Suppose you get a hostname such as
http://www.somethingxyz.com
Well, that tells us nothing, right? Wrong....simply enter the hostname in your browser, and though many times you will get nothing back, sometimes it will resolve to an ISP, and from there you can easily find out its location and in what areas they operate. This at least gives you a firm geographical location to carry out your investigations in.
If you STILL have nothing, as a last resort you COULD try connecting to your target's ISP's port 13 by Telnet, which will tell you how many hours ahead or behind this ISP is of GMT, thus giving you a geographical trace based on the time mentioned (although bear in mind, the ISP may be doing something stupid like not having their clocks set correctly, giving you a misleading trace. Similarly, a common tactic of Hackers is to deliberately have their computer's clock set to a totally wrong time, so as to throw you off the scent). Also, unless you know what you're doing, I wouldn't advise using Telnet (which is outside the parameters of this tutorial).
## Reverse DNS Query ##
This is probably the most effective way of running a trace on somebody. If ever you're in a chatroom and you see someone saying that they've "hacked into a satellite orbiting the Earth, and are taking pictures of your house right now", ignore them because that's just bad movie nonsense. THIS method is the way to go, with regard to finding out what country (even maybe what State/City etc) someone resides, although it's actually almost impossible to find an EXACT geographical location without actually breaking into your ISP's Head Office and running off with the safe.
To run an rDNS query, simply go back to MS-DOS and type
netstat
and hit return. Any active connections will resolve to hostnames rather than a numerical format.
# DNS
DNS stands for Domain Name Server. These are machines connected to the Internet whose job it is to keep track of the IP Addresses and Domain Names of other machines. When called upon, they take the ASCII Domain Name and convert it to the relevant numeric IP Address. A DNS search translates a hostname into an IP address....which is why we can enter "www.Hotmail.com" and get the website to come up, instead of having to actually remember Hotmail's IP address and enter that instead. Well, Reverse DNS, of course, translates the IP Address into a Hostname (ie - in letters and words instead of numbers, because sometimes the Hacker will employ various methods to stop Netstat from picking up a correct Hostname).
So, for example,
298.12.87.32 is NOT a Hostname.
mail6.bol.net.au IS a Hostname.
Anyway, see the section at the end? (au) means the target lives in Australia. Most (if not all) hostnames end in a specific Country Code, thus narrowing down your search even further. If you know your target's Email Address (ie they foolishly sent you a hate mail, but were silly enough to use a valid email address) but nothing else, then you can use the Country codes to deduce where they're from as well. You can also deduce the IP address of the sender by looking at the emails header (a "hidden" line of code which contains information on the sender)...on Hotmail for example, go to Preferences, and select the "Full Header's Visible" option. Alternatively, you can run a "Finger" Trace on the email address, at:
[url]http://www.somethingxyz.com[/url
Plus, some ISP's include their name in your Email Address with them too (ie Wanadoo, Supanet etc), and your Hacker may be using an email account that's been provided by a Website hosting company, meaning this would probably have the website host's name in the email address (ie Webspawners). So, you could use the information gleaned to maybe even hunt down their website (then you could run a website check as mentioned previously) or report abuse of that Website Provider's Email account (and thus, the Website that it goes with) to
abuse@companynamegoeshere.com
If your Hacker happens to reside in the USA, go to:
www.usps.gov/ncsc/lookups/abbr_state.txt
for a complete list of US State abbreviatons.
Re: Tutorial :How to Trace a hacker...
## List of Ports commonly used by Trojans ##
Please note that this isn't a complete list by any means, but it will give you an idea of what to look out for in Netstat. Be aware that some of the lower Ports may well be running valid services.
UDP: 1349 Back Ofrice DLL
31337 BackOfrice 1.20
31338 DeepBO
54321 BackOfrice 2000
TCP: 21 Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
23 Tiny Telnet Server
25 Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, Terminator, WinPC, WinSpy, Kuang2 0.17A-0.30
31 Hackers Paradise
80 Executor
456 Hackers Paradise
555 Ini-Killer, Phase Zero, Stealth Spy
666 Satanz Backdoor
1001 Silencer, WebEx
1011 Doly Trojan
1170 Psyber Stream Server, Voice
1234 Ultors Trojan
1243 SubSeven 1.0 - 1.8
1245 VooDoo Doll
1492 FTP99CMP
1600 Shivka-Burka
1807 SpySender
1981 Shockrave
1999 BackDoor 1.00-1.03
2001 Trojan Cow
2023 Ripper
2115 Bugs
2140 Deep Throat, The Invasor
2801 Phineas Phucker
3024 WinCrash
3129 Masters Paradise
3150 Deep Throat, The Invasor
3700 Portal of Doom
4092 WinCrash
4567 File Nail 1
4590 ICQTrojan
5000 Bubbel
5000 Sockets de Troie
5001 Sockets de Troie
5321 Firehotcker
5400 Blade Runner 0.80 Alpha
5401 Blade Runner 0.80 Alpha
5402 Blade Runner 0.80 Alpha
5400 Blade Runner
5401 Blade Runner
5402 Blade Runner
5569 Robo-Hack
5742 WinCrash
6670 DeepThroat
6771 DeepThroat
6969 GateCrasher, Priority
7000 Remote Grab
7300 NetMonitor
7301 NetMonitor
7306 NetMonitor
7307 NetMonitor
7308 NetMonitor
7789 ICKiller
8787 BackOfrice 2000
9872 Portal of Doom
9873 Portal of Doom
9874 Portal of Doom
9875 Portal of Doom
9989 iNi-Killer
10067 Portal of Doom
10167 Portal of Doom
10607 Coma 1.0.9
11000 Senna Spy
11223 Progenic trojan
12223 Hack´99 KeyLogger
12345 GabanBus, NetBus
12346 GabanBus, NetBus
12361 Whack-a-mole
12362 Whack-a-mole
16969 Priority
20001 Millennium
20034 NetBus 2.0, Beta-NetBus 2.01
21544 GirlFriend 1.0, Beta-1.35
22222 Prosiak
23456 Evil FTP, Ugly FTP
26274 Delta
30100 NetSphere 1.27a
30101 NetSphere 1.27a
30102 NetSphere 1.27a
31337 Back Orifice
31338 Back Orifice, DeepBO
31339 NetSpy DK
31666 BOWhack
33333 Prosiak
34324 BigGluck, TN
40412 The Spy
40421 Masters Paradise
40422 Masters Paradise
40423 Masters Paradise
40426 Masters Paradise
47262 Delta
50505 Sockets de Troie
50766 Fore
53001 Remote Windows Shutdown
54321 SchoolBus .69-1.11
61466 Telecommando
65000 Devil
## Summary ##
The Internet is by no means as anonymous as some people think it is, and although this is to the detriment of people's security online, this also works both ways....it IS possible to find and stop even the most determined of attackers, you just have to be patient and keep hunting for clues which will help you put an end to their exploits.
Re: Tutorial :How to Trace a hacker...
Great post!! Very useful.
Re: How to Trace a hacker
Greetings all!
I have a Q about this TCPView program I downloaded. My understanding is it is supposed to monitor any sourse that could be eavesdropping on my on-line activities. When I click on the desktop icon, I get a list that looks like this:
ekrn.exe:412 TCP ibmp4:2455 ns-vip5.hitbox.com:http ESTABLISHED
kpf4gui.exe:1924 TCP ibmp4:1027 localhost:44334 ESTABLISHED
kpf4gui.exe:2784 TCP ibmp4:1040 localhost:44334 ESTABLISHED
jusched.exe:1996 TCP ibmp4:1093 localhost:30606 CLOSE_WAIT
jusched.exe:1996 TCP ibmp4:1097 localhost:30606 CLOSE_WAIT
firefox.exe:3372 TCP ibmp4:2398 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2454 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2342 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2306 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2318 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2310 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2382 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2302 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2314 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2294 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2406 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2304 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2312 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2300 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2448 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2308 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2400 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2460 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2296 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2408 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2380 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2396 localhost:30606 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2324 localhost:30606 ESTABLISHED
[System Process]:0 TCP ibmp4:2478 localhost:30606 TIME_WAIT
[System Process]:0 TCP ibmp4:2458 localhost:30606 TIME_WAIT
[System Process]:0 TCP ibmp4:2482 localhost:30606 TIME_WAIT
[System Process]:0 TCP ibmp4:2474 localhost:30606 TIME_WAIT
[System Process]:0 TCP ibmp4:2466 localhost:30606 TIME_WAIT
[System Process]:0 TCP ibmp4:2450 localhost:30606 TIME_WAIT
[System Process]:0 TCP ibmp4:2452 localhost:30606 TIME_WAIT
[System Process]:0 TCP ibmp4:2484 localhost:30606 TIME_WAIT
[System Process]:0 TCP ibmp4:2456 localhost:30606 TIME_WAIT
[System Process]:0 TCP ibmp4:2468 localhost:30606 TIME_WAIT
[System Process]:0 TCP ibmp4:2472 localhost:30606 TIME_WAIT
[System Process]:0 TCP ibmp4:2464 localhost:30606 TIME_WAIT
[System Process]:0 TCP ibmp4:2480 localhost:30606 TIME_WAIT
[System Process]:0 TCP ibmp4:30606 localhost:2510 TIME_WAIT
[System Process]:0 TCP ibmp4:30606 localhost:2508 TIME_WAIT
[System Process]:0 TCP ibmp4:30606 localhost:2506 TIME_WAIT
[System Process]:0 TCP ibmp4:30606 localhost:2504 TIME_WAIT
[System Process]:0 TCP ibmp4:30606 localhost:2502 TIME_WAIT
ekrn.exe:412 TCP ibmp4:30606 localhost:2500 FIN_WAIT2
[System Process]:0 TCP ibmp4:30606 localhost:2498 TIME_WAIT
[System Process]:0 TCP ibmp4:30606 localhost:2496 TIME_WAIT
[System Process]:0 TCP ibmp4:30606 localhost:2494 TIME_WAIT
[System Process]:0 TCP ibmp4:30606 localhost:2492 TIME_WAIT
[System Process]:0 TCP ibmp4:30606 localhost:2490 TIME_WAIT
[System Process]:0 TCP ibmp4:30606 localhost:2488 TIME_WAIT
[System Process]:0 TCP ibmp4:30606 localhost:2486 TIME_WAIT
[System Process]:0 TCP ibmp4:30606 localhost:2476 TIME_WAIT
[System Process]:0 TCP ibmp4:30606 localhost:2470 TIME_WAIT
[System Process]:0 TCP ibmp4:30606 localhost:2462 TIME_WAIT
ekrn.exe:412 TCP ibmp4:30606 localhost:2460 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2454 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2448 ESTABLISHED
[System Process]:0 TCP ibmp4:30606 localhost:2442 TIME_WAIT
[System Process]:0 TCP ibmp4:30606 localhost:2440 TIME_WAIT
ekrn.exe:412 TCP ibmp4:30606 localhost:2408 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2406 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2400 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2398 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2396 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2382 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2380 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2342 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2324 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2318 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2314 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2312 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2310 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2308 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2306 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2304 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2302 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2300 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2296 ESTABLISHED
ekrn.exe:412 TCP ibmp4:30606 localhost:2294 ESTABLISHED
jqs.exe:444 TCP ibmp4:5152 localhost:2283 CLOSE_WAIT
firefox.exe:3372 TCP ibmp4:2223 localhost:2224 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2224 localhost:2223 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2220 localhost:2221 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2221 localhost:2220 ESTABLISHED
kpf4gui.exe:2784 TCP ibmp4:1042 localhost:1044 ESTABLISHED
kpf4ss.exe:592 TCP ibmp4:1044 localhost:1042 ESTABLISHED
kpf4ss.exe:592 TCP ibmp4:44334 localhost:1040 ESTABLISHED
kpf4gui.exe:1924 TCP ibmp4:1030 localhost:1038 ESTABLISHED
kpf4ss.exe:592 TCP ibmp4:1038 localhost:1030 ESTABLISHED
kpf4ss.exe:592 TCP ibmp4:44334 localhost:1027 ESTABLISHED
kpf4gui.exe:1924 TCP ibmp4:1030 ibmp4:0 LISTENING
kpf4gui.exe:2784 TCP ibmp4:1042 ibmp4:0 LISTENING
System:4 TCP ibmp4:microsoft-ds ibmp4:0 LISTENING
svchost.exe:1016 TCP ibmp4:epmap ibmp4:0 LISTENING
ekrn.exe:412 TCP ibmp4:30606 ibmp4:0 LISTENING
kpf4ss.exe:592 TCP ibmp4:44334 ibmp4:0 LISTENING
System:4 TCP ibmp4:netbios-ssn ibmp4:0 LISTENING
jqs.exe:444 TCP ibmp4:5152 ibmp4:0 LISTENING
kpf4ss.exe:592 TCP ibmp4:44501 ibmp4:0 LISTENING
alg.exe:2524 TCP ibmp4:1035 ibmp4:0 LISTENING
[System Process]:0 TCP ibmp4:2481 bs1.ads.vip.ac4.yahoo.com:http TIME_WAIT
ekrn.exe:412 TCP ibmp4:2343 209-91-151-8.deploy.akamaitechnologies.com:https ESTABLISHED
ekrn.exe:412 TCP ibmp4:2307 209-91-151-8.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2399 209-91-151-8.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2295 209-91-151-8.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2303 209-91-151-8.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2305 209-91-151-8.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2301 209-91-151-8.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2297 209-91-151-8.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2381 209-91-151-8.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2407 209-91-151-7.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2397 209-91-151-7.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2401 209-91-151-7.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2319 209-91-151-6.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2383 209-91-151-6.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2315 209-91-151-6.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2311 209-91-151-6.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2309 209-91-151-6.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2313 209-91-151-6.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2325 209-91-151-6.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2461 209-91-151-6.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2409 209-91-151-6.deploy.akamaitechnologies.com:http ESTABLISHED
ekrn.exe:412 TCP ibmp4:2449 209-91-151-6.deploy.akamaitechnologies.com:http ESTABLISHED
[System Process]:0 TCP ibmp4:2459 209-91-151-6.deploy.akamaitechnologies.com:http TIME_WAIT
[System Process]:0 TCP ibmp4:2451 209-91-151-6.deploy.akamaitechnologies.com:http TIME_WAIT
[System Process]:0 TCP ibmp4:2457 209-91-151-6.deploy.akamaitechnologies.com:http TIME_WAIT
[System Process]:0 TCP ibmp4:2453 209-91-151-6.deploy.akamaitechnologies.com:http TIME_WAIT
kpf4gui.exe:1924 UDP ibmp4:1031 *:*
System:4 UDP ibmp4:netbios-ns *:*
lsass.exe:772 UDP ibmp4:isakmp *:*
kpf4gui.exe:2784 UDP ibmp4:1043 *:*
System:4 UDP ibmp4:netbios-dgm *:*
svchost.exe:1112 UDP ibmp4:ntp *:*
svchost.exe:1112 UDP ibmp4:ntp *:*
kpf4gui.exe:1924 UDP ibmp4:1029 *:*
kpf4ss.exe:592 UDP ibmp4:44334 *:*
kpf4gui.exe:2784 UDP ibmp4:1041 *:*
svchost.exe:1204 UDP ibmp4:1900 *:*
svchost.exe:1204 UDP ibmp4:1900 *:*
I have to do the copy mode as quickly as possible because when I leave the window open for any time, groups of the entries will automatically highlight in red and then "delete" automatically from the list until I'm left with a shortened list looking like this:
[System Process]:0 TCP ibmp4:2455 ns-vip5.hitbox.com:http TIME_WAIT
kpf4gui.exe:1924 TCP ibmp4:1027 localhost:44334 ESTABLISHED
kpf4gui.exe:2784 TCP ibmp4:1040 localhost:44334 ESTABLISHED
jusched.exe:1996 TCP ibmp4:1093 localhost:30606 CLOSE_WAIT
jusched.exe:1996 TCP ibmp4:1097 localhost:30606 CLOSE_WAIT
[System Process]:0 TCP ibmp4:2454 localhost:30606 TIME_WAIT
[System Process]:0 TCP ibmp4:2310 localhost:30606 TIME_WAIT
[System Process]:0 TCP ibmp4:2448 localhost:30606 TIME_WAIT
[System Process]:0 TCP ibmp4:2460 localhost:30606 TIME_WAIT
ekrn.exe:412 TCP ibmp4:30606 localhost:2520 ESTABLISHED
jqs.exe:444 TCP ibmp4:5152 localhost:2283 CLOSE_WAIT
firefox.exe:3372 TCP ibmp4:2223 localhost:2224 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2224 localhost:2223 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2220 localhost:2221 ESTABLISHED
firefox.exe:3372 TCP ibmp4:2221 localhost:2220 ESTABLISHED
kpf4gui.exe:2784 TCP ibmp4:1042 localhost:1044 ESTABLISHED
kpf4ss.exe:592 TCP ibmp4:1044 localhost:1042 ESTABLISHED
kpf4ss.exe:592 TCP ibmp4:44334 localhost:1040 ESTABLISHED
kpf4gui.exe:1924 TCP ibmp4:1030 localhost:1038 ESTABLISHED
kpf4ss.exe:592 TCP ibmp4:1038 localhost:1030 ESTABLISHED
kpf4ss.exe:592 TCP ibmp4:44334 localhost:1027 ESTABLISHED
kpf4gui.exe:1924 TCP ibmp4:1030 ibmp4:0 LISTENING
kpf4gui.exe:2784 TCP ibmp4:1042 ibmp4:0 LISTENING
System:4 TCP ibmp4:microsoft-ds ibmp4:0 LISTENING
svchost.exe:1016 TCP ibmp4:epmap ibmp4:0 LISTENING
kpf4ss.exe:592 TCP ibmp4:44334 ibmp4:0 LISTENING
System:4 TCP ibmp4:netbios-ssn ibmp4:0 LISTENING
jqs.exe:444 TCP ibmp4:5152 ibmp4:0 LISTENING
kpf4ss.exe:592 TCP ibmp4:44501 ibmp4:0 LISTENING
alg.exe:2524 TCP ibmp4:1035 ibmp4:0 LISTENING
[System Process]:0 TCP ibmp4:2311 209-91-151-6.deploy.akamaitechnologies.com:http TIME_WAIT
[System Process]:0 TCP ibmp4:2461 209-91-151-6.deploy.akamaitechnologies.com:http TIME_WAIT
[System Process]:0 TCP ibmp4:2449 209-91-151-6.deploy.akamaitechnologies.com:http TIME_WAIT
kpf4gui.exe:1924 UDP ibmp4:1031 *:*
System:4 UDP ibmp4:netbios-ns *:*
lsass.exe:772 UDP ibmp4:isakmp *:*
kpf4gui.exe:2784 UDP ibmp4:1043 *:*
System:4 UDP ibmp4:netbios-dgm *:*
svchost.exe:1112 UDP ibmp4:ntp *:*
svchost.exe:1112 UDP ibmp4:ntp *:*
kpf4gui.exe:1924 UDP ibmp4:1029 *:*
kpf4ss.exe:592 UDP ibmp4:44334 *:*
kpf4gui.exe:2784 UDP ibmp4:1041 *:*
svchost.exe:1204 UDP ibmp4:1900 *:*
I'm not any super computer techie by any means but I suspect my system has been hacked into. The security programs I use include ESET NOD 32, Sunbelt Personal Firewall, and Desktop Maestro.
I welcome any comment any of you have to say about this. I thank you in advance for your replies.
Re: How to Trace a hacker
If I am not wrong then the icon on which you are clicking is just a short cut to a program called as "netstat" in Windows which just shows the network statistics of your computer. That is the reason why you are getting the result like that as in your above post.
So, in short, you can do whatever you want irrespective of what is the result of the statistics.
Re: How to Trace a hacker
Instead of tracing the hacker, I suggest you to try the methods to keep your accounts safe. You will have to keep in mind that this hacker is someone close to you who has a good information about your personal data as well as your security too. I suggest you to use a strong password that has a good combination of alphabets, numbers and symbols. It should not be related to your life. This makes it difficult for the hacker to break as well as guess the password. Also, try recovering the accounts that you have lost. If you are not able to recover it by the security questions that you had put, I recommend you to contact the officials of the site who may be able to help you with the problem.
Re: How to Trace a hacker
You can trace an email in Outlook:
1. First open up the email of the sender
2. Then click on View and then click on options
3. You will be able to see a lot of text messages in the window called Message header
5. Copy the last ISP number
6. Then go to a DNS trace site like whois.sc, domain tools etc; and put in the IP number
7. You can then atleast determine the country, city or server the email sender is using.
Re: How to Trace a hacker
can anyone help me and my girl friend. We are going crazy dealing with this issue. Someone broke into my girl friend’s computer recently and stole some pictures. He is blackmailing her. He wants her to take pictures of herself and keep sending to him. Otherwise he would forward the pictures he stole to news media. She has filed a report with police and cyber crime unit in her country.
However, she was told by the cyber crime unit that it wouldn’t be easy to find him; he could have used a public computer, or got online outside, etc. The hacker seems to be somewhat of a computer expert. He dared her to go to police saying he was not stupid to be caught.
Can you please give me some tips that I can share with my girl friend, which she can pass on to the cyber crime unit in the police? Her country is not exactly known to be technically advanced although they have a dedicated division for cyber crime.
Please help us. My girl friend is dying right now, and I am so concerned about her. Thank you.
Re: How to Trace a hacker
hello guys,i m facing a problem. one hacker is trying to hack me
i know his IP address but how can i get his hostname and other details
Re: How to Trace a hacker
Quote:
Originally Posted by
joy watson
hello guys,i m facing a problem. one hacker is trying to hack me
i know his IP address but how can i get his hostname and other details
If you know his ip address then you can get all his details via domain tools that provide you with all the information and details about it. You can visit http://whois.domaintools.com/ or search domain tools on google to get a number of list.
Re: How to Trace a hacker
Thanks a lot Freak Master,
I have one important question to ask. How can i know the actual details of a person having profile on orkut.com.
Re: How to Trace a hacker
Hello there, actually, the personal information about the members of Orkut remains with the officials only. Trying to get that information is illegal.