Posted Mon May 06, 2013 5:56 pm
Hello guys this TuT will only really help users with some experience with computers and settings. If you get it and don't have any experience than your amazing.
Very brief explanation for users using Windows.
Fine print: This is for educational purposes only,
though I doubt you could use it with malicious intent.
Furthermore, This is only to be used for the detection of malicious programs that utilize a connection to the internet. (Keyloggers, Specific type of Trojans, etc.)
It's also not used to remove said programs.
This is just to prevent people making "OMG AM I KEYLOGGED" threads constantly.
To find Keyloggers (as well as any other malicious program accessing the internet),
It's usually not as simple as just opening your Task Manager and finding the process.
Nor is it as easy as running a virus scan.
The fact of the matter is that if a hacker wants their activity to be undetectable,
You will not see it.
That's all there is to it.
Hackers can use complex method of hiding files/processes from such tools to make this sort of 'quick fix' impossible.
Though it may be possible with that kid down the block that gave you a Keylogger to mess with you, it's not possible with an educated hacker.
To avoid this,
There are several ways to figure out if someone has unauthorized access over your client.
The easiest being as follows:
Do this once BEFORE YOU CONNECT TO THE INTERNET IN ANY WAY.
Press the start menu button.
Click "Run". (Windows 7 may not have this by default. Just search it in your "Search programs and files" bar.)
Type "Cmd", and run it.
You should now be in a Command Prompt.
Now enter: netstat -arn
Press enter.
You should now see a list of numbers under "Network Address, Netmask, Gateway Address, Interface, Metric".
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
255.255.255.255 255.255.255.255 255.255.255.255 0.0.0.0 1
If it doesn't look like something like that,
And you're not connected to the internet...
Your computer is infected.
If it does, move on.
Next, connect to the internet.
Repeat the "netstat -arn" command mentioned earlier.
You should now see numbers under "Network Destination, Netmask, Gateway Address, Interface, Metric"
If it doesn't list only the network addresses used by your ISP...
You're infected.
As a rule of thumb, it should be something like:
0.0.0.0 0.0.0.0 216.1.104.70 216.1.104.70 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
216.1.104.0 255.255.255.0 216.1.104.70 216.1.104.70 1
216.1.104.70 255.255.255.255 127.0.0.1 127.0.0.1 1
216.1.104.255 255.255.255.255 216.1.104.70 216.1.104.70 1
224.0.0.0 224.0.0.0 216.1.104.70 216.1.104.70 1
255.255.255.255 255.255.255.255 216.1.104.70 216.1.104.70 1
If you see something odd listed here... It's bad.
In the next section you are going to close every program you have using the internet.
You're now going to open up your Command Prompt and type: netstat -an
The only IP listed here after you close everything accessing the internet should be the one assigned to you by your ISP.
If there are any other IPs listed here...
You're infected.
Rule of thumb... Should look like this:
Protocol Local Address Foreign Address State
TCP 0.0.0.0:0 0.0.0.0:0 LISTENING
TCP 216.1.104.32:120 0.0.0.0:0 LISTENING
TCP 216.1.104.32:121 0.0.0.0:0 LISTENING
TCP 216.1.104.32:122 0.0.0.0:0 LISTENING
UDP 216.1.104.32:123 *:*
Listed here, 216.1.104.32... The bolded part will almost always change.
Consider that number your "Session ID".
Last, Go back into your Prompt.
Type in, again: netstat -arn
Look for "Interface list".
You should now see all your active network adapters.
Assuming you still have all your programs closed,
You should only see the net adapters normally used by your computer.
(And possibly a Teamviewer VPN assuming you use Teamviewer. It doesn't like to close its net adapter sometimes.)
If you see something your computer obviously doesn't use normally,
(Assuming you don't know how to use your control panel to find the network adapters manually) Google is your friend.
Chances are that if it's utilizing half of your network connection with everything closed...
It's probably not friendly.
Now, that step won't usually show anything odd,
Even if you have a virus.
So, I won't go so far as to say you're not infected yet.
The last step... Obviously: Run a virus scan.
Hackers are able to hide viruses from these scans using very simple methods.
Naturally though, you can't hide from everything.
The more Anti-virus programs you have,
The better the chance of picking something up. (Seriously. It may be annoying, but if you're security conscious, it's a must.)
Hope that helped
Very brief explanation for users using Windows.
Fine print: This is for educational purposes only,
though I doubt you could use it with malicious intent.
Furthermore, This is only to be used for the detection of malicious programs that utilize a connection to the internet. (Keyloggers, Specific type of Trojans, etc.)
It's also not used to remove said programs.
This is just to prevent people making "OMG AM I KEYLOGGED" threads constantly.
To find Keyloggers (as well as any other malicious program accessing the internet),
It's usually not as simple as just opening your Task Manager and finding the process.
Nor is it as easy as running a virus scan.
The fact of the matter is that if a hacker wants their activity to be undetectable,
You will not see it.
That's all there is to it.
Hackers can use complex method of hiding files/processes from such tools to make this sort of 'quick fix' impossible.
Though it may be possible with that kid down the block that gave you a Keylogger to mess with you, it's not possible with an educated hacker.
To avoid this,
There are several ways to figure out if someone has unauthorized access over your client.
The easiest being as follows:
Do this once BEFORE YOU CONNECT TO THE INTERNET IN ANY WAY.
Press the start menu button.
Click "Run". (Windows 7 may not have this by default. Just search it in your "Search programs and files" bar.)
Type "Cmd", and run it.
You should now be in a Command Prompt.
Now enter: netstat -arn
Press enter.
You should now see a list of numbers under "Network Address, Netmask, Gateway Address, Interface, Metric".
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
255.255.255.255 255.255.255.255 255.255.255.255 0.0.0.0 1
If it doesn't look like something like that,
And you're not connected to the internet...
Your computer is infected.
If it does, move on.
Next, connect to the internet.
Repeat the "netstat -arn" command mentioned earlier.
You should now see numbers under "Network Destination, Netmask, Gateway Address, Interface, Metric"
If it doesn't list only the network addresses used by your ISP...
You're infected.
As a rule of thumb, it should be something like:
0.0.0.0 0.0.0.0 216.1.104.70 216.1.104.70 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
216.1.104.0 255.255.255.0 216.1.104.70 216.1.104.70 1
216.1.104.70 255.255.255.255 127.0.0.1 127.0.0.1 1
216.1.104.255 255.255.255.255 216.1.104.70 216.1.104.70 1
224.0.0.0 224.0.0.0 216.1.104.70 216.1.104.70 1
255.255.255.255 255.255.255.255 216.1.104.70 216.1.104.70 1
If you see something odd listed here... It's bad.
In the next section you are going to close every program you have using the internet.
You're now going to open up your Command Prompt and type: netstat -an
The only IP listed here after you close everything accessing the internet should be the one assigned to you by your ISP.
If there are any other IPs listed here...
You're infected.
Rule of thumb... Should look like this:
Protocol Local Address Foreign Address State
TCP 0.0.0.0:0 0.0.0.0:0 LISTENING
TCP 216.1.104.32:120 0.0.0.0:0 LISTENING
TCP 216.1.104.32:121 0.0.0.0:0 LISTENING
TCP 216.1.104.32:122 0.0.0.0:0 LISTENING
UDP 216.1.104.32:123 *:*
Listed here, 216.1.104.32... The bolded part will almost always change.
Consider that number your "Session ID".
Last, Go back into your Prompt.
Type in, again: netstat -arn
Look for "Interface list".
You should now see all your active network adapters.
Assuming you still have all your programs closed,
You should only see the net adapters normally used by your computer.
(And possibly a Teamviewer VPN assuming you use Teamviewer. It doesn't like to close its net adapter sometimes.)
If you see something your computer obviously doesn't use normally,
(Assuming you don't know how to use your control panel to find the network adapters manually) Google is your friend.
Chances are that if it's utilizing half of your network connection with everything closed...
It's probably not friendly.
Now, that step won't usually show anything odd,
Even if you have a virus.
So, I won't go so far as to say you're not infected yet.
The last step... Obviously: Run a virus scan.
Hackers are able to hide viruses from these scans using very simple methods.
Naturally though, you can't hide from everything.
The more Anti-virus programs you have,
The better the chance of picking something up. (Seriously. It may be annoying, but if you're security conscious, it's a must.)
Hope that helped
