Advice from a Real Hacker: How to Know if You've Been Hacked

It seems like every day now that we see a new headline on a cyber security breach. These headlines usually involve millions of records being stolen from some large financial institution or retailer. What doesn't reach the headlines are the many individual breaches that happen millions of times a day, all over the world.

In previous articles, I've shown you how to create stronger passwords and how to prevent your home system from being compromised, but people are always asking me, "How can I tell if my system has already been hacked?"

The answer to that question is not simple. Hacker software has become so sophisticated that it is often hard to detect once it has become embedded in your system. Although antivirus/anti-malware software can often be effective in keeping your system from being infected, in many cases, once it has become infected, the software can't detect or remove the infection.

The reason for this is that the best malware embeds itself in your system files and looks and acts like part of your key Windows system files. Often, it will replace a system file with itself, keeping the same file name and functionality, but adding its own functionality. In this way, it looks and acts similarly to the necessary system file that your operating system needs to function properly, only the additional functionality gives a remote hacker access to your system and system resources at their will.

Why Hackers Want the Use of Your Computer

Although we are familiar with the idea that hackers might be seeking our credit card numbers, bank accounts, and identity, some hackers are simply seeking the use of your computer. By infecting thousands, even millions, of computers around the world, they can create what is called a "botnet."

A botnet is simply a network of compromised computers controlled by a single command and control center. I estimate that 30 to 50% of all consumer-level computers are part of one botnet or another.

This botnet can be used for many seemingly innocuous activities and many more malicious ones. Botnets can be used to send spam, crack passwords, conduct distributed denial of service (DDoS) attacks, etc. In all cases, they are using system resources that are not available to you. You will likely detect your own system running sluggishly or erratically.

Let's take a look at how we can detect if such a security breach has taken place on YOUR system.

Step 1: Run Antivirus Software

NOTE: While antivirus and anti-malware software can differ in what they detect, I'll be referring to both collectively as antivirus (or AV) throughout this article. It's good to make sure you have one that detects both viruses and malware including trojans, worms, spyware, rootkits, keyloggers, etc.

There are many pieces of good antivirus software on the market. The problem is that even the very best will not detect over 5 to 10% of all known malware. Then, there is the unknown malware that comes out every day. Hackers are always developing new software, usually variants of existing malware, but different enough to evade the signature detection of these software developers. In these cases, your AV software is useless.

Despite this, I still recommend that you buy a reputable brand of AV software and keep it up to date. Those updates are critical as they represent the signatures of the new hacking software that is found in the "wild." Enable this software to do "active detection" and response, as once the malware has embedded itself on your computer, it is sometimes impossible to detect and remove.

Although it's hard for the average consumer to evaluate AV software, and every software developer claims to be the best, there is an objective laboratory that evaluates the effectiveness of AV software. It's known as the Virus Bulletin and you can see its results here. The chart below is from their latest results evaluating numerous products. As you can see, AV software is NOT created equal.

In the two systems I will use in this article, both had been through a deep AV scan of the entire hard drive. In both cases, no malware or viruses were detected, but I was still suspicious of infection.

Step 2: Check Task Manager

The first thing to check when you suspect that you have been hacked is your Windows Task Manager. You can access it by hitting Ctrl+Alt+Del on your keyboard and selecting Task Manager at the bottom of the menu that pops up, or just type Task Manager in the run line of your Start menu.

When you open the Task Manager and click on the "Processes" tab, you should get a window similar to the one below. Note at the bottom the CPU usage. In this infected machine, the system is sitting idle and CPU usage is spiking near 93%! Obviously, something is going on in this system.

Below, you will see the same Task Manager on an uninfected system. With the system idle, CPU usage is under 10%.

Step 3: Check System Integrity Checker in Windows

Now that we know something is awry on our system, let's delve a bit deeper to see if we can identify it.

Very often, malware will embed itself into the system files which would explain why the AV software couldn't detect or remove it. Microsoft builds a system integrity checker into Windows called sfc.exe that should be able to test the integrity of these system files. From Microsoft's documentation, it describes this utility saying:

"System File Checker is a utility in Windows that allows users to scan for corruptions in Windows system files and restore corrupted files."

The idea here is that this utility checks whether any changes have been made to the system files and attempts to repair them. Let's try it out. Open a command prompt by right-clicking it and choosing Run as Administrator. Then type the following command (make sure to press Enter afterward).

sfc /scannow

As you can see from the above screenshot, the malware remains hidden even from this tool.

Step 4: Check Network Connections with Netstat

If the malware on our system is to do us any harm, it needs to communicate with the command and control center run by the hacker. Someone, somewhere, must control it remotely to get it to do what they want and then extract what they want.

Microsoft builds a utility into Windows called netstat. Netstat is designed to identify all connections to your system. Let's try using it to see whether any unusual connections exist.

Once again, open a command prompt and use the following command.

netstat -ano

Since a piece of malware embedded in the system files can manipulate what the operating system is actually telling us and thereby hide its presence, this may explain why nothing unusual showed up in netstat. This is one more indication of how recalcitrant some of this malicious software can be.

Step 5: Check Network Connections with WireShark

If we can install a third-party software for analyzing the connections to our computer, we may be able to identify the communication to and from our computer by some malicious entity. The perfect piece of software for this task is called Wireshark.

Wireshark is a free, GUI-based tool that will display all the packets traveling into and out of our computer. In this way, we might be able to identify that pesky malware that is using up all our CPU cycles and making our system so sluggish.

Since Wireshark is an application and not part of the Windows system, it is less likely to be controlled and manipulated by the malware. You can download Wireshark here. Once it has been installed, click on your active interface and you should see a screen open like the one below.

Wireshark then can capture all the packets traveling to and from your system for later analysis.

The key here is to look for anomalous packets that are not part of your "normal" communication. Of course, it goes without saying that you first should have an idea of what is "normal."

If you haven't looked at your normal communication, you can then filter packets to only look at a subset of all your communication. As attackers often use high number ports to evade detection, you can filter for, say ports 1500-60000. If you have malicious communication taking place, it will likely appear in that port range. Furthermore, let's just look for traffic leaving our system to see whether the malware is "phoning home" on one of those ports.

We can create a filter in Wireshark by typing it into the Filter window beneath the main menu and icons. Filters in Wireshark are a separate discipline entirely and beyond the scope of this article, but I will walk you through a simple one for this purpose here.

In this case here, my IP address is 192.168.1.103, so I type:

ip.src == 192.168.1.103

This filter will only show me traffic FROM my system (ip.src). Since I also want to filter for ports above 1500 and below 60000, I can add:

and tcp.port > 1500 and tcp.port < 60000

The resulting filter will only show me traffic that meets all of these conditions, namely, it should be:

  • Coming from my IP address (ip.src == 192.168.1.103)
  • Coming from one of my TCP ports above 1500 (tcp.port > 1500)
  • Coming from one of my TCP ports below 60000 (tcp.port < 60000)

When I type all of this into the filter window, it turns from pink to green indicating my syntax is correct like in the screenshot below.

Now click on the Apply button to the right of the filter window to apply this filter to all traffic. When you do so, you will begin to filter for only the traffic that meets these conditions.

Now the key is to look for unusual traffic here that is not associated with "normal" traffic from your system. This can be challenging. To identify the malicious traffic, you will need to type the unknown IP addresses that your machine is communicating with (see the IP addresses in the box) into your browser and check to see whether it is a legitimate website. If not, that traffic should be immediately viewed with some skepticism.
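The same three filter conditions applied to `netstat -ano` text, as an added example that is not from the article: it assumes the article's address 192.168.1.103 and port bounds 1500/60000, and the netstat output below is constructed. In Wireshark `tcp.port` names both endpoint ports, so `article_filter` keeps those semantics, while `phoning_home` keeps only connections whose remote port falls in the range; results are grouped by PID so each unfamiliar remote address can be looked up as Step 5 suggests.

```python
"""Apply the article's Wireshark-style filter to `netstat -ano` output."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

MY_IP = "192.168.1.103"            # the article's example address
LOW_PORT, HIGH_PORT = 1500, 60000  # the article's port bounds

# Constructed sample output (not a capture from a real machine); remote
# addresses are taken from the reserved TEST-NET documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.103:49672    198.51.100.20:443      ESTABLISHED     4120
  TCP    192.168.1.103:50010    203.0.113.7:6667       ESTABLISHED     3016
  TCP    192.168.1.103:50011    203.0.113.7:65432      ESTABLISHED     3016
  TCP    127.0.0.1:49700        127.0.0.1:49701        ESTABLISHED     2200
  UDP    192.168.1.103:5353     *:*                                    1452
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: Optional[int]
    remote_ip: str
    remote_port: Optional[int]
    state: str          # "" for UDP rows, which have no State column
    pid: int


# Proto, local, foreign, optional state, PID. UDP rows omit the state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_endpoint(ep: str):
    """'192.168.1.103:49672' -> ('192.168.1.103', 49672); '*:*' -> ('*', None).
    rpartition splits on the last colon, so '[::1]:135' stays intact."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header and blank lines
        proto, local, remote, state, pid = m.groups()
        lip, lport = split_endpoint(local)
        rip, rport = split_endpoint(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state or "", int(pid)))
    return conns


def article_filter(conns: List[Conn]) -> List[Conn]:
    """The article's filter with Wireshark semantics: tcp.port names both
    endpoint ports, so each comparison holds if either port satisfies it."""
    out = []
    for c in conns:
        if c.proto != "TCP" or c.local_ip != MY_IP or c.state != "ESTABLISHED":
            continue
        ports = [p for p in (c.local_port, c.remote_port) if p is not None]
        if any(p > LOW_PORT for p in ports) and any(p < HIGH_PORT for p in ports):
            out.append(c)
    return out


def phoning_home(conns: List[Conn]) -> List[Conn]:
    """Narrower reading: only the remote port must be in range, which drops
    ordinary web traffic to 80/443 whose local ephemeral port is high anyway."""
    return [c for c in article_filter(conns)
            if c.remote_port is not None and LOW_PORT < c.remote_port < HIGH_PORT]


def remotes_by_pid(conns: List[Conn]) -> Dict[int, Set[str]]:
    """Group remote endpoints per PID; the PID is what Task Manager shows."""
    groups: Dict[int, Set[str]] = defaultdict(set)
    for c in conns:
        groups[c.pid].add(f"{c.remote_ip}:{c.remote_port}")
    return dict(groups)


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for pid, remotes in remotes_by_pid(article_filter(conns)).items():
        print(f"PID {pid}: {', '.join(sorted(remotes))}")
    print("remote high ports only:", remotes_by_pid(phoning_home(conns)))
```

Because Windows assigns ephemeral source ports above 1500, the article's filter keeps nearly every outbound connection, which is why grouping by PID and checking each remote address matters. The constructed 65432 row also shows what the 60000 cap leaves out, since TCP ports run up to 65535.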

Detecting whether your computer is infected with malware is not necessarily a simple task. Of course, for most, simply relying on antivirus software is the best and simplest technique. Given that this software is imperfect, some of the techniques outlined here may be effective in determining whether you have really been hacked or not.

Cover image via Shutterstock

45 Comments

Just going to add a note here on what I use; as picking an antivirus software can be a somewhat daunting task and it's hard for some to know what they want.

I personally use Trend Micro Titanium Maximum Security, reasons are as follows.

  1. It performs definition updates at least a few times a week.

What this means is that it collects updates for known or recently discovered malware quite regularly.

  2. Trend Micro has a database of "safe" websites.

What this means is that if you are surfing the web and come across an unknown site, your antivirus software will send the IP address of the unknown site to Trend Micro. They will then check the website for malicious software.

  3. It is proactive software rather than reactive.

One of the biggest reasons I went with this is because it scans items and blocks potential threats coming into your system; other antivirus software are often reactive in their approach, which means they remove items after infection.

For example, I recently upgraded computers; the old computer had a free AVG software on it and on the new computer I had installed Trend Micro. As I was transferring data across Trend Micro picked up an ebook with malicious code embedded within it and deleted it immediately. The ebook never even got a chance to enter my system.

  4. Requiring a password to access areas such as settings.

This may seem fairly trivial, but having a password to access the settings means that someone who has compromised your system will find it a lot harder to disable the antivirus.

Cont...

  5. Paid antivirus software is often much, much better than freeware.

Freeware is quite often malicious itself. There is trusted freeware available of course, but if you're using something like free AVG please upgrade to a paid version. Free AVG will protect your system files such as the registry, but the user directories will remain unchecked and this is quite often where malware is introduced into the system.

A lot of people don't want to pay for antivirus as they find the price too steep; however, what they fail to realise is that they're purchasing multi-licence copies. It costs AUD$129.95 for Trend Micro on up to 5 devices for 12 months, and devices include PC, Mac, all smartphones, and tablets.

129.95 / 12 = 10.83 rounded up
10.83 / 5 = 2.17 rounded up

That means it's costing you AUD$2.17 per device, per month for protection. Once you break it down like that, the price doesn't seem terribly steep.

Now I'm not saying Trend Micro is the be all and end all of antivirus software, but those are my reasons for choosing one software over many others, I may be a bit off on some points and please someone correct me if I am. But there you have it.

ghost_

Hi bro,

If I just checked my system with the cpu in the task manager, is it enough or do I need to check more things like connections?

What does it need to show if my system is infected or not, bro?
In addition, do you have facebook or skype, you really help me,
thanks! (:

Steve:

There is no single value to indicate your system is compromised. It depends upon the software injected into your system, but if you see CPU usage over 10% when the system is idle, I would be suspicious.

OTW

It's just on 3% bro..
Is it enough to be sure that my system wasn't infected?
And friend, do you have facebook or skype?
I want your help please and your posts very good (:
Thank you!

3% is not enough to indicate a compromise. You still might be compromised, but that reading alone does not indicate anything to worry about.

I do have skype and facebook, but I only take questions in this forum here at wonderhowto.com

Exactly! The attacker wants to be unnoticed.

bro,
so how can I know for sure that I haven't been hacked?
What do I need to check more?
I want your help in hacking bro please (:
Do you know hacking emails ?
unknown emails bro (: not like gmail, yahoo, that it's hard..
Thanks (:

Steve:

Did you read this tutorial?

OTW

P.S. I'm not your bro. I'm your teacher. Address me with respect or don't address me at all.

New to the IT industry. I am destined to become a master ethical hacker and would like to know if electronic circuits training is a good foundational place to start? Is being an electronics technician valued today, and can the knowledge benefit a hacker?

Demetrius:

I would not spend a lot of time studying electronic circuits if you want to be a hacker.

OTW

What if I wanted to hack other electronics like TVs, streetlights, refrigerators, ATMs and machines, and cars?

Unless you were physically hacking them, the circuits would not help at all.

Here we are interested in hacking the software that controls the device. The hardware is irrelevant.

So when would the knowledge of circuits benefit a hacker/individual seeking supreme technological power in today's world?

Not with what we do.

As both OTW and I have told you; we're more interested in hacking software.

ghost_

I think you should reverse broadcom chips since you could probably hack hardware better than anyone here.

Oh sorry very much!
I didn't know that you don't want me to call you like this..
sorry again.
And as to your question, yes I read it, of course.
So I asked you if my cpu is on 3%, which things do I need to check more to be sure that my computer wasn't infected.
In addition, do you have maybe email?
I want your help in hacking emails, and generally learning hacking.
Thank you very much again! (:

Since you read the article, you know what to do.

Obviously, I have email. This is it.

Hello Master.
Good post. What you do is great.
I've been following your post a few months ago.

Oh no! I got two listeners. Am I right? How can I get rid of them?

Hello Sir,

Thanks for an informative article. I was wondering how likely it is that a Unix/Linux system gets compromised? Or is it just because of the nature of distribution that Windows is just more popular to get attacked?

In some ways, Linux and the Mac OS are easier to hack. Most people using those OSes don't use firewalls or AV, thinking they are safe, making it much easier for me and other hackers.

If I am developing a hack, I'm going to invest my time and money on the OS that is used in over 90% of computers, though.

As my email account got hacked, is there any way to receive the hacker's IP?

Hi, I have a question. I'm being surveilled by people, no not police; they use cameras to film me and have hacked my phone several times to locate me, but also possibly to see my personal info. I know they definitely are, as I put my SIM in an old pre-smartphone like an old red brick Nokia and lose them within an hour; sure enough they call on a private number, once the phone call is answered they wait silent, no noise, nothing, twenty thirty seconds, they have a lock on my location, call ends, then within ten minutes they are there following me. So here is my question: I'm too scared to even think about turning on my home computer or giving it an internet connection, or laptops or smartphone (I'm using my phone at the moment but have it wiped with absolutely no personal info on it at all, but think they are tracking me through my cell tower pings or GPS?) as I'm unsure if they're watching, so what could I do? And is there some type of program I could run on my devices to either stop/block them or to hack them back? Possible or not I'm not sure, and no I'm not crazy, I am 200% sure and fuck they're good. Side note, no I'm not a criminal either, it's a long complicated story. Any advice would be greatly appreciated, thank you.

Thanks, I've been told to do that by some friends I asked for advice, but I need solid proof. I know they're private investigators as I'm involved in a big legal dispute worth half a mil, so I know why they are doing it, but to prove it is a different story as they will just deny it even happened, as hacking my phone to find my location is illegal; only police are allowed to do that and then they have to have a warrant. They have even moved into a house across the street from me and film me. I know it's an invasion of privacy but was not sure on what to do as I'm not too tech savvy, but I've been documenting it so I can produce it when I get to court. But yeah, I'll give the police a call, see what they say. I was just wondering if there was a type of program to stop them from hacking me or discovering all my personal information. Thanks for your reply.

Sounds like a private investigator at work or some agent working for an entity.

You have any insurance claims pending or current? Are you injured in some way?

If no to both seems pretty suspect to me and why not just walk up and ask them what they are doing?

If you are being actively traced by cell towers it's not a P.I., and I would think pretty hard about anything you did to pick up that rookie tail work, if it's even that.

"I know they're private investigators as I'm involved in a big legal dispute"
Oh, didn't see that. That is your answer. Hiring a PI to debunk a claim is cheaper than paying the claim, IMO.

Yeah thanks, I am involved in a negligence claim and have multiple injuries. I see this site has a lot of articles on hacking; I wasn't really wanting to become an experienced hacker, just want to see if I could run a program on my devices to stop them, but I'm going to have a good read up on your tutorials, might help me a bit. I can't just approach them as by their stupid laws I would be doing the wrong thing and the claim would be denied, but it sux they can break the law just to find any way out of paying a claim. And I know they have a PI following me and they definitely are tracking me through my phone. See, I live in the country and constantly take them for a drive through state forests and they hate it; I've gone from location to location letting them find me just to prove to my family that it's them. They finally believe me now lol, but as I lose them in the forest that's why they hack/trace my phone to find me again.

Ok, hope you are well.

Btw, none of these posts are to be taken as legal advice; make your own decisions about informational and personal security.

As far as following you, it could be GPS attached to the vehicle somewhere or the on-board stuff built in to newer ones. But I would not sweat it if this is from a civil case. I'm not sure how the law works where you are about P.I.s stalking you; check into it. Tell your lawyer about it if you are 100% sure. Either way, be careful with any suspect activity and be vigilant.

Yep, will do. Thanks for asking; no, I'm not ok at all, but ah well, that's another story, possibly going to have to have my disc fused in my spine and I'm only 28, plus more. Yeah, I understand that none of what we've discussed is legal advice. I'll definitely keep the lawyer up to date, but he is saying I've already won my case before it even hits court. Yeah, it's civil; done it at work, employer breached at least 5 different OHS laws and insurance already accepted full liability. I'm not sure on the laws of a PI following me, but I know if they're tracing my location through my phone it's highly illegal. I've been told I can prove they have been following me, but to prove they have hacked into my computer or phone is a lot harder. Would much prefer just to stop them or possibly hack back and give them a virus or one of them trojan worm things lol, cause them a headache. But all good, thanks for your replies, I really appreciate it. Take it easy, cheers, Drew.

I have ISPs on mine that "refuse" or don't go anywhere. What do I do about this?

Hi, thank you for your article. I am a little bit computer literate, so please bear with an old gal. I have a renter in my home who got hacked and I think they may have gotten into my computer as well. Since then, I have added a password to my router (instead of the generic) and it is also a secure network. I have set up a guest connection to the router for renters and have changed all those passwords also; this guest connection was set up prior to this renter. The computer runs ok but the internet seems sluggish at times. I have Norton 360 and also run Glary Utilities and Malwarebytes. I am trying to follow your steps but unfortunately, being a layman, I am not sure what to look for. I was completely lost at Wireshark and did not attempt it. BUT, when I ran sfc /scannow it came back saying: Windows Resource Protection found corrupt files but was unable to fix them. It told me where to find the log, but of course after looking at the log, it is Greek to me also. Do you have any advice on how I should proceed? Oh, not sure if this is anything or not, but I also know every day or so a DOS screen randomly opens and quickly closes. The DOS screen size is less than 1/4 the size of my 15" laptop screen when it opens. Is that an indication of being hacked also? I never in my life of having computers had that happen until this renter moved in 2 months ago. Please advise in layman's terms if you please and/or have the patience. I really appreciate your article, what I could follow anyway. Very interesting. Thank you.

What do we need to do if we find out with Wireshark that someone has hacked the computer?

Also, is there any way to check on a Mac whether my computer has been hacked?

OTW,
let's say I suspect one of my computers of having malware (99% disk and 70% RAM used during idle).

Can I run Wireshark from Kali on one of my other computers to see what kind of packets the suspected computer is sending?

Also, in your article you wrote "packets between 1500 and 60000".
Why cap at 60000? Is that the maximum port number?
(I know 1500 is probably because everything under 1024 is taken, and anything close to 1024 will be found easily.)

You actually should run Wireshark on another machine, as your primary might have a rootkit to hide network activity, which you wouldn't see. If you cross the data between local sniffing and remote sniffing, and see discrepancies, you may actually have one.

Also, ports go up to 65535, and all ports below 1024 require root privilege on Linux to run, but on Windows this doesn't apply; it's just a convention, it's not that they are all taken.

Anyway, Wireshark will tell you what the common port is used for, but really port usage is totally arbitrary: you can run a webserver on port 65000 or your malware can contact its IRC C&C server on port 65432.

I went to follow your instructions for running a scan in command prompt. Well, it says I am not the "Administrator". Hmmm, how in the heck can that happen? I had people call on the phone and say my computer has been hacked by Russia and China. Ok, how in the hell do you know that? They showed some things through command prompt. So, I want to try this scan of yours and it won't let me.

When people -call- you to tell you that you are hacked.... You are probably the victim of an ongoing attempt to hack you; there is no way in the world that the phone call you received is legitimate.

A quick thing you can try is to open the start search menu, type CMD, then right-click on it and select "Run as Administrator". If that does not allow you to run it, my (noobish) guess is that something is wrong.

"They showed you something through command prompt". What exactly did they show? How did they show you? Did they tell you to type some commands? Or did they use your computer remotely?

What OS are you running? Did the callers say who they are?

I'm stupid when it comes to this stuff. I panicked and called and let someone take control of my computer. He did use command prompt remotely via TeamViewer. The same thing happened to my grandmother last year. He showed me IP addresses. Wasn't specific. Just alluding to the fact that my computer was being hacked. Saying that the other IP addresses should all have 0's. Then he tried to sell me stuff. But I'm poor and in college. I have no info on the computer. But I'd like to use it next semester. So I'm resetting/wiping the hard drive.

Hey there guys,
I have a Lenovo ThinkPad S431 issue and I need some counseling if you will.

What if I have a partition of Kali and another one with Windows 10, but suddenly I can't access Kali (I'm not sure if I forgot my password because I wasn't really the one that installed it), although in fact this was not the first but the second time that this has happened to me, even though before it was with an Ubuntu 14 distro (I'm pretty sure the system went crazy that time because I was in a Linux course and my kernel went crazy, and I also have RAM that is not working 100%).

What could I do to fix it? How do I run over that Kali?
Should I install Ubuntu again?
Any help would be awesome.
Thanks.

Half of these questions wouldn't even need to be asked if people actually tried reading and understanding. And some of them are just ... well,... ignorant.

"How do I hack my fridge, t.v., oven and microwave"... Really? Maybe the couch and toilet too?

sigh

The first thing people should do if using "Win" is turn off the auto and remote services, and then go from there. I pretty much disable anything without dependencies. I find a lot of crap is a result of MS and McAfee.
