Tut : Tracking A Hacker

Status
Not open for further replies.

rocket357

Security freak
Just for information's sake...don't rely on netstat =)

I worked on a project this past summer involving system call hooking in the Windows NT family of operating systems, and it's almost trivial to stealth connections from netstat...

TCPView (microsoft.com...under the Sysinternals downloads (free download)) does a better job of revealing connections, as it gets its information from "deeper" within the system. Is it possible to hide from TCPView? Most certainly...but it's harder to accomplish than hiding from netstat.

Why would you need to worry about this? Well, if the virus/trojan/rootkit has hooked system calls/hot patched system calls and is filtering connections listed by netstat, you're pretty well screwed if you trust netstat.

If you really want to know if your system has been compromised and is passing info out, then you should check out setting up an *external* sniffer.
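The external-sniffer check rocket357 recommends can be turned into a concrete comparison: take the connection table the host itself reports and diff it against the flows a sniffer on a separate machine actually saw on the wire. Any flow present in the capture but missing from the host's listing is the kind of discrepancy a hooked netstat produces. The script below is an added example, not code from the forum post; the `netstat -an` and tcpdump-style lines, the host address `10.0.0.5` and the remote addresses are all constructed sample data.

```python
"""
Added example (not from the forum post): cross-check the TCP connection table a
host reports against what an external sniffer observed on the wire. A flow that
is on the wire but absent from the host's own listing is exactly the discrepancy
you get when netstat output is being filtered by a hooked system call.
All sample input below is constructed for illustration.
"""
import re
from typing import List, Set, Tuple

# Constructed sample of `netstat -an` style output taken on the host under investigation.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:49152         93.184.216.34:443      ESTABLISHED
  TCP    10.0.0.5:445           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49160         10.0.0.7:5900          ESTABLISHED
"""

# Constructed sample of tcpdump-style lines captured on a different machine
# (a span port or a hub segment), showing what actually crossed the wire.
SNIFFER_SAMPLE = """\
12:00:01.000001 IP 10.0.0.5.49152 > 93.184.216.34.443: Flags [P.], length 517
12:00:01.000002 IP 93.184.216.34.443 > 10.0.0.5.49152: Flags [.], ack 518, length 0
12:00:02.000001 IP 10.0.0.5.49160 > 10.0.0.7.5900: Flags [P.], length 64
12:00:03.000001 IP 10.0.0.5.49177 > 203.0.113.9.6667: Flags [P.], length 120
12:00:03.000002 IP 203.0.113.9.6667 > 10.0.0.5.49177: Flags [P.], length 80
"""

HOST_IP = "10.0.0.5"  # constructed: the host whose netstat output is suspect

# (local_ip, local_port, remote_ip, remote_port), always from the host's point of view
Flow = Tuple[str, int, str, int]

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)")
TCPDUMP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_netstat(text: str) -> Set[Flow]:
    """Return the set of ESTABLISHED TCP flows the host admits to."""
    flows: Set[Flow] = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        lip, lport, rip, rport, state = m.groups()
        if state.upper() != "ESTABLISHED":
            continue  # listeners have no peer, so they are not comparable to wire flows
        flows.add((lip, int(lport), rip, int(rport)))
    return flows


def parse_sniffer(text: str, host_ip: str) -> Set[Flow]:
    """Return flows seen on the wire, normalised so the host is always the local side."""
    flows: Set[Flow] = set()
    for line in text.splitlines():
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        sip, sport, dip, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if sip == host_ip:
            flows.add((sip, sport, dip, dport))
        elif dip == host_ip:
            flows.add((dip, dport, sip, sport))  # swap so the host is the local end
        # packets not involving the host are ignored
    return flows


def hidden_flows(netstat_text: str, sniffer_text: str, host_ip: str) -> List[Flow]:
    """Flows the wire shows but the host does not report, sorted for stable output."""
    on_host = parse_netstat(netstat_text)
    on_wire = parse_sniffer(sniffer_text, host_ip)
    return sorted(on_wire - on_host)


if __name__ == "__main__":
    for lip, lport, rip, rport in hidden_flows(NETSTAT_SAMPLE, SNIFFER_SAMPLE, HOST_IP):
        print(f"on the wire but not in netstat: {lip}:{lport} <-> {rip}:{rport}")
```

On the constructed data the script reports the flow to `203.0.113.9:6667`, which the sniffer saw but the host's table omitted. In practice the netstat snapshot and the capture must cover the same time window, otherwise ordinary short-lived connections show up as false positives; the same comparison can be run against a TCPView export as a second, harder-to-fool host-side view.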

[xubz]

"The Cake is a Lie!!"
If you people want more information about securing yourselves and your servers, then get this book called 'Hacking for Dummies'; it's very well written!