How to detect a hacker attack?

Bestcard

This article was written for educational purposes only. We are not calling on anyone to do anything; it is for information purposes only! The author is not responsible for your actions.

Most vulnerabilities can be exploited in many ways. An attack may rely on a single exploit, several exploits at the same time, incorrectly configured software components, or even a backdoor program installed in the operating system during a previous attack.

Because of this, detecting a hacker attack is not an easy task, especially for an inexperienced user. In this section, we will try to formulate tips that can help the reader determine whether his computer is under attack or whether its protection has already been compromised. Remember that, as with viruses, no one can give a 100% guarantee that you will be able to detect a hacker attack this way. However, if your system has already been compromised, you will probably notice some of the following signs.

Windows computers:
  • Outgoing traffic is suspiciously high. If you are using a dialup or ADSL connection and have noticed an unusually large amount of outgoing network traffic (in particular, when your computer is running and connected to the Internet, but you are not using it), then your computer may have been compromised. Such a computer can be used for covertly sending spam or for spreading network worms.
  • Increased hard drive activity or suspicious files in the root directories. After breaking into a computer, many hackers scan the information stored on it in search of interesting documents or files containing logins and passwords to banking clearing centers or electronic payment systems like PayPal. Some network worms search the disk in a similar way for files with email addresses, which are later used to send infected messages. If you notice significant hard drive activity even when the computer is idle, and files with suspicious names begin to appear in public folders, this may also be a sign of a compromised computer or of a malware infection of its operating system.
  • A large number of packets from the same address, stopped by the personal firewall. After identifying a target (for example, a range of IP addresses for a company or home network), hackers usually launch automatic scanners that attempt to use a set of different exploits to infiltrate the system. If you run a personal firewall (a fundamental tool in protecting against hacker attacks) and notice an uncharacteristically high number of stopped packets from the same address, this is a sign that your computer is being attacked. If your firewall reports that these packets were stopped, the computer is most likely safe. However, a lot depends on which running services are open for access from the Internet. For example, a personal firewall may not be able to cope with an attack directed at the FTP service running on your computer. In this case, the solution is to temporarily block the dangerous packets completely until the connection attempts stop. Most personal firewalls have this functionality.
  • The resident anti-virus protection reports the presence of Trojans or backdoors on your computer, although otherwise everything works fine. Although hacker attacks can be complex and unusual, most attackers rely on well-known Trojan horses to take complete control of an infected computer. If your antivirus reports catching such malicious programs, this may be a sign that your computer is open to unauthorized remote access.
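
The firewall check described above can be automated by counting stopped packets per source address. This is an added example, not part of the original post; the log lines are constructed, use documentation-range addresses, and assume the field order Windows Firewall writes to its pfirewall.log (date, time, action, protocol, src-ip, dst-ip, src-port, dst-port).

```shell
#!/bin/sh
# Added example: summarise packets a personal firewall dropped, per source.

# Constructed sample log (assumed field order, see the #Fields line).
sample_log() {
cat <<'EOF'
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2024-01-10 03:14:01 DROP TCP 203.0.113.7 192.0.2.10 40112 21
2024-01-10 03:14:01 DROP TCP 203.0.113.7 192.0.2.10 40113 21
2024-01-10 03:14:02 DROP TCP 203.0.113.7 192.0.2.10 40114 22
2024-01-10 03:14:02 DROP TCP 203.0.113.7 192.0.2.10 40115 23
2024-01-10 03:14:03 DROP TCP 203.0.113.7 192.0.2.10 40116 80
2024-01-10 03:14:03 DROP TCP 203.0.113.7 192.0.2.10 40117 445
2024-01-10 03:15:10 ALLOW TCP 192.0.2.10 198.51.100.4 50211 443
2024-01-10 03:16:45 DROP UDP 198.51.100.4 192.0.2.10 53 50300
EOF
}

# top_blocked_sources MIN: read a log on stdin and print "count src-ip" for
# every source with at least MIN dropped packets, busiest source first.
top_blocked_sources() {
    awk -v min="$1" '
        /^#/ { next }                       # skip header lines
        $3 == "DROP" { n[$5]++ }            # count drops per source address
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# distinct_ports SRC: number of different destination ports SRC was blocked on.
# Many ports from one address points to a scanner rather than a stray packet.
distinct_ports() {
    awk -v src="$1" '
        $3 == "DROP" && $5 == src && !seen[$8]++ { c++ }
        END { print c + 0 }
    '
}

sample_log | top_blocked_sources 3
```
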

UNIX computers:
  • Files with suspicious names in the "/tmp" folder. Many exploits in the UNIX world rely on the creation of temporary files in the standard "/tmp" folder, which are not always removed after a system compromise. The same is true for some worms that infect UNIX systems; they recompile themselves in the /tmp folder and then use it as their home folder.
  • Modified executable files of system services like "login", "telnet", "ftp", "finger" or even more complex ones like "sshd", "ftpd" and others. After infiltrating a system, a hacker usually attempts to gain a foothold in it by placing a backdoor in one of the services accessible from the Internet, or by modifying the standard system utilities used to connect to other computers. Such modified executables are usually part of a rootkit and are hidden from simple direct examination. In any case, it is useful to keep a database with the checksums of all system utilities and periodically, after disconnecting from the Internet and in single-user mode, check whether they have changed.
  • Modified "/etc/passwd", "/etc/shadow" or other system files in the "/etc" folder. Sometimes the result of a hacker attack is the appearance of another user in the "/etc/passwd" file, who can remotely log in to the system later. Watch for all changes to the password file, especially for the appearance of users with suspicious logins.
  • The appearance of suspicious services in "/etc/services". Installing a backdoor on UNIX systems is often done by adding two lines of text to the /etc/services and /etc/inetd.conf files. You should constantly monitor these files so as not to miss the moment when new lines appear there that install a backdoor on a previously unused or suspicious port.
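
The checksum database recommended above, together with the monitoring of "/etc/passwd", "/etc/services" and "/tmp", can be done with one baseline-and-compare script. This is an added example, not part of the original post; it assumes GNU coreutils `sha256sum`, and the directory tree and file contents in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: checksum baseline for system files and a later comparison.

# baseline_create DIR DB: record the SHA-256 of every regular file under DIR.
baseline_create() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$2"
}

# baseline_diff DIR DB: print "ADDED|CHANGED|REMOVED path" for each difference
# between the current state of DIR and the stored baseline DB.
baseline_diff() {
    now=$(mktemp)
    baseline_create "$1" "$now"
    awk '
        # sha256sum lines: 64 hex chars, two separator chars, then the path
        { h = substr($0, 1, 64); p = substr($0, 67) }
        NR == FNR { old[p] = h; next }          # first file: the baseline
        { seen[p] = 1
          if (!(p in old)) print "ADDED", p
          else if (old[p] != h) print "CHANGED", p }
        END { for (p in old) if (!(p in seen)) print "REMOVED", p }
    ' "$2" "$now" | LC_ALL=C sort
    rm -f "$now"
}

# demo: build a constructed tree, take a baseline, alter it, report changes.
demo() {
    root=$(mktemp -d); db=$(mktemp)
    mkdir -p "$root/etc" "$root/bin" "$root/tmp"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$root/etc/passwd"
    printf 'ftp 21/tcp\n' > "$root/etc/services"
    printf 'original login binary\n' > "$root/bin/login"
    baseline_create "$root" "$db"
    # Constructed changes of the kinds the list above describes
    printf 'newuser:x:1001:1001::/home/newuser:/bin/sh\n' >> "$root/etc/passwd"
    printf 'example-svc 50000/tcp\n' >> "$root/etc/services"
    printf 'replaced login binary\n' > "$root/bin/login"
    printf 'leftover\n' > "$root/tmp/.hidden-build"
    baseline_diff "$root" "$db"
    rm -rf "$root" "$db"
}

demo
```

On a real system the baseline file should be kept on read-only or offline media, since a baseline stored on the monitored disk can be rewritten along with the binaries it describes.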
 
