Volatility Framework Command : Using dlllist - dlldump to extricate DLLfile details

 This post will share an example to run the two volatility terminal commands including dllllist and dlldump  to display a process's loaded DLLs.

Before I proceed ahead,I would assume that you have installed volatility in your Linux system(in my case I am using UBUNTU, Installation explained at my earlier post at http://anupriti.blogspot.in/2015/09/volatility-advanced-memory-forensics.html) and you have a RAM dump of the OS u desire to analyse.In my case here I have taken the RAM dump of a Windows 7 OS as explained here at http://anupriti.blogspot.in/2015/09/volatility-command-using-imageinfo-to.html

dlllist

dlllist is used to display a process's loaded DLLs.DLLs are automatically added to this list when a process calls LoadLibrary (or some derivative such as LdrLoadDll).

vol.py --profile=Win7SP0x86 -f windows7_image.raw dlllist

To display the DLLs for a specific process instead of all processes, there is option to use the switch -p or --pid filter as shown below:

vol.py --profile=Win7SP0x86 -f windows7_image.raw dlllist --pid=1892

To display the DLLs for a process that is hidden or unlinked by a rootkit, first use the psscan to get the physical offset of the EPROCESS object and then:

vol.py --profile=Win7SP0x86 -f windows7_image.raw dlllist --offset=0x04a291a8

(Click on the image to ENLARGE)

dlldump

dlldump command is used to extract a DLL from a process's memory space and dump it to disk for analysis.The syntax is nearly the same as what has been seen earlier with any command.This plugin provisions the following :

- Dump all DLLs from a hidden/unlinked process (with --offset=OFFSET)
- Dump all DLLs from a specific process (with --pid=PID)
- Dump all DLLs from all processes
- Dump a PE from anywhere in process memory (with --base=BASEADDR), this option is useful for extracting hidden DLLs

To specify an output directory, use --dump-dir=DIR or -d DIR.

vol.py --profile=Win7SP0x86 -f windows7_image.raw dlldump --dump-dir output

where output is the name of directory where u get the dll dump

the output directory will be seen as seen below :

More at : https://code.google.com/p/volatility/wiki/CommandReference#dlllist

vCard Vulnerability : WhatsApp

1.     WhatsApp,the exceedingly renowned application that has actually swung around the way we all chat, talk, share and do so many things has so many PROs but over this small period of time since its inception it has also been the quarry of cyber criminals. With a user base as strong as 900 million active users in Apr 2015,any vulnerability in the architecture cosmos is destined to be a remunerative lure for any cyber criminal. A recent vulnerability in the form of simply sharing a vCard with other user discovered by Check Point security researcher Kasif Dekel has come to the fore. It involves simply sharing the seemingly guileless vCard with the victim and as the victim clicks the vCard, his task his over since rest will be done in the background by the malicious code terra incognita to the user. This vCard actually exists as an executable file and gets into action the moment it gets clicked by the user in the application. 

 

 

RESOLVED by update from WhatsApp 

2.   WhatsApp affirmed and recognized the security egress and have released the fix in all versions greater than 0.1.4481 and blockaded that especial lineament. 

How it Happens? 

3.   To activate the code, Kasif Dekel ascertained an attacker could just inject the command to the name attribute of the vCard file, separated by the ‘&’ character. When executed, it will attempt to run all lines in the files, including controlled injection line. Once such a contact is made, all an attacker has to do is share it via the normal WhatsApp client. 

What made the application Vulnerable? 

4.    WhatsApp Web allows users to view any type of media or attachment that can be sent or viewed by the mobile platform/application. This includes images, videos, audio files, locations and contact cards.Thus the default action runs for the vCard for running the code whilst being understood as sharing the contact details. 

 

What can it do ?

 

Once the code is activated,it is bound to take complete control over the target machine and will definitely monitor the user’s activities and use the target machine to spread malicious malwares and viruses ahead.

Timelines by CHECKPOINT on the vulnerability 

 
    August 21, 2015 – Vulnerability disclosed to the WhatsApp security team.
    August 23, 2015 – First response received.
    August 27, 2015 – WhatsApp rolls out fixed web clients (v0.1.4481)
    September 8, 2015 – Public disclosure 

Thanks CHECKPOINT

CARBANAK : BANK ROBBERY LIKE NEVER BEFORE

1.  As recent as a week back Carbanak, an APT-style campaign targeting financial institutions has been claimed to have been discovered by the Russian/UK Cyber Crime company Kaspersky Lab who said that it had been used to steal money from banks.The malware was said to have been introduced to its targets via phishing emails and is said to have stolen over 500 million dollars, or 1BN dollars in other reports, not only from the banks but from more than a thousand private customers.The criminals were able to manipulate their access to the respective banking networks in order to steal the money in a variety of ways. In some instances, ATMs were instructed to dispense cash without having to locally interact with the terminal. Money mules would collect the money and transfer it over the SWIFT network to the criminals’ accounts.The presentation brings out the executive summary of Modus Operandi of the Malware as analysed by Kaspersky.

 

2.   Carbanak is a backdoor used by the attackers to compromise the victim's machine once the exploit, either in the spear phishing email or exploit kit, successfully executes its payload.Carbanak copies itself into %system32%\com with the name svchost.exe with the file attributes: system, hidden and read-only. The original file created by the exploit payload is then deleted.

How to detect CARBANAK

One of the best methods for detecting Carbanak is to look for .bin files in the
folder:

..\All users\%AppData%\Mozilla\

The malware saves files in this location that will later be sent to the C2 server when an internet connection is detected.BAT script for detecting infections(Source : here) is given as follows :

@echo off
for /f %%a in ('hostname') do set "name=%%a" echo %name%
del /f %name%.log 2> nul
if exist "c:\Documents and settings\All users\application data\
mozilla\*.bin" echo "BIN detected" >> %name%.log
if exist %SYSTEMROOT%\System32\com\svchost.exe echo "COM
detected" >> %name%.log
if exist "c:\ProgramData\mozilla\*.bin" echo "BIN2 detected"
>> %name%.log
if exist %SYSTEMROOT%\paexec* echo "Paexec detected"
>> %name%.log
if exist %SYSTEMROOT%\Syswow64\com\svchost.exe echo "COM64
detected" >> %name%.log
SC QUERY state= all | find "SERVICE_NAME" | findstr "Sys$"
if q%ERRORLEVEL% == q0 SC QUERY state= all | find
"SERVICE_NAME" | findstr "Sys$" >> %name%.log
if not exist %name%.log echo Ok > %name%.log xcopy /y %name%.log
"\\\logVirus

Quantifying your WEB SECURITY

This small presentation will sail through a set of questions for any web/Internet user and will mark for every question as the user decides to answer.The safety score as it ends up lets the user know of where he stands in terms of IT SECURITY on the web!!!!

How to Set Up Google Chromecast : Windows 8

1.   Chromecast is a 2.83-inch (72 mm) HDMI dongle ,a digital media player developed by Google that plays audio/video content on a high-definition display by directly streaming it via Wi-Fi from the Internet or a local network. Users select the media to play using mobile apps and web apps that support the Google Cast technology. Alternatively, content can be mirrored from the Google Chrome web browser running on a personal computer, as well as from the screen of some Android devices.This post further brings you screen shots of the Chromecast setup as I set it up on one windows 8 Laptop...sadly it doesn't have a straight setup for UBUNTU OS...though I have seen few forums wherein a plugin mention in regular chrome browser would set the cast working...but alas not tried that...here it is a simply setting it up on Windows 8.

Step 1 : As you plugin the chromecast powered by USB Power in the HDMI slot ,you get a similar looking screen.

  

On your Chrome browser log onto google.com/chromecast/setup

As you click the above link you get a download setup file...around 800 kb...download that and your installation begins....

Typical Next Next.....

You get the device number as detected by the Laptop machine

Once connected a unique code is seen as below on the TV...just confirm that you see the same on your PC too as shown further below :

Unique code replicated on Laptop screen as below :

Click on That's My Code and continue as seen below :

Seen connecting to the network SSID

Setting up the Device on joining the network

and you are ready to cast :

The first time the device is ready to cast,expect recent update on the Chromecast dongle like seen below...likely to take few minutes...mine took 7-8 minutes

Updating still....12%

Updating still....61%

Updated and now applying updates

and the first look of the device on way to cast a Youtube stream as below :

What do I cast first ?...off course Rajinikanth....:-)

Few things to ponder and for info first time users :

- Why is not ready for Opensource OS?
- Works equally ready with Android devices with ease
- Does not work on a Windows OS running in Virtual Box/Machine.

Officially Keylogged : Welcome to Microsoft Windows 10 Preview

1.   Though an avid loyalist of Linux for last about a decade,I always keep a tag of what’s happening in the world of Windows......and recently when Windows 10 preview was launched I started reading various reviews pan web....and I came across this startling and surprisingly criminal revelation regarding inbuilt key logging in the OS available for download.See the screen shot below straight from the Microsoft and you read it for your self highlighted...  

(Click to Enlarge)

2.     This is actually too much in the name of Data Collection wave by various companies as a genuine and legal move putting across mostly naive users at complete risk since anyone is hardly interested in reading the Terms & Conditions of any application.A google search on this gives surprising concerns as bought out by various reviewers across as seen below :

(Click to Enlarge)

3.   Few interesting statements below from Terms and Conditions :

"Microsoft collects information about you, your devices, applications and networks, and your use of those devices, applications and networks. Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage."


"We may collect information about your device and applications and use it for purposes such as determining or improving compatibility" and "use voice input features like speech-to-text, we may collect voice information and use it for purposes such as improving speech processing."
The killer statement says, "If you open a file, we may collect information about the file, the application used to open the file, and how long it takes any use [of] it for purposes such as improving performance, or [if you] enter text, we may collect typed characters, we may collect typed characters and use them for purposes such as improving autocomplete and spellcheck features."

4.     Thanks Microsoft :-)

DD-WRT : Linux based Alternative OpenSource Firmware

1.   After we have heard and seen over last few years the rise of Open Source and their imminent threat to Mac and Windows!!!!,now I read about  , a Linux based alternative Open Source firmware suitable for a great variety of WLAN routers and embedded systems.

2.    This open-source firmware was developed for specific router models and is used as a replacement for the factory default firmware. This modification lifts restrictions built-in to the default firmware, providing advanced capabilities to make Internet and Home Network more controllable and versatile.Manufacturers develop routers for non-technical users in mind, making them simple and easy to use, while limiting their effectiveness as a web-access gateway. DD-WRT transforms a personal-class router with limited functionality into a powerful, multi-use, business-class router. With DD-WRT, a router's enterprise potential can be unlocked at a home user's price.

3.    The advantages offered are bought out below :

    - Stability of running a linux-based, non-proprietary firmware.
    - VPN (Virtual Private Network) passthrough capabilities.
    - Software support for the SD-Card hardware modification.
    - Advanced QoS (Quality of Service) controls for bandwidth allocation.
    - NAT (Network Address Translation) support.
    - Cycle router from the Administration settings.
    - Built-in DNS caching
    - Configure the router as a Wi-Fi hotspot using the integrated Chillispot          
    - Radius Authentication for additional wireless security.
    - VLAN (Virtual Local Area Network) Support.
    - Create unique SSIDs (service set identifiers) when using multiple routers.

4.   But it is not a win win situation always,while flashing a router with DD-WRT is highly beneficial , the risks that are involved can sometimes outweigh the benefits . Flashing a router with DD-WRT can be risky and when done improperly, it may "brick" the router. For devices mainly used for private purposes, DD-WRT is freely available. Platforms used for commercial purposes require a paid license. Compared to the freely available version, the professional version also allows for configuration of the WLAN parameters, thus opening up the opportunity of creating e.g. reliable and powerful network infrastructures. Special demands can be fulfilled by specifically tailored versions of DD-WRT.

Is it Hasta la Vista for True Crypt?

1.    The popular encryption software TRUE CRYPT (...actually my personal favourite for long now) site has been showing some surprising front page news as we reach the original address at www.truecrypt.org/ as seen below :

2.     I wonder why for any reason a open-source established software like TRUE CRYPT would start recommending Bitlocker ex Windows 7?....is it case of a simple web page hack or is it for real?....lets wait and watch for now...

Concluding XP getting Stronger by the Day @ Banks & ATMs still swear by it.

1.   Microsoft XP...the OS that was a milestone and turning point for the Microsoft company in many ways was given 8 Apr 2014 as the last date of survival ie after about 14 years of being in business, support for Windows XP will end on April 8, 2014. There will be no more security updates or technical support for the Windows XP operating system. After April 8, 2014, Microsoft will no longer provide security updates or technical support for Windows XP. So PCs running Windows XP after April 8, 2014, should not be considered to be protected...but is it that easy for a typical user to just see off XP and take on a newer OS?....leave aside the typical user ...would it be possible for the corporates to do it so easily???...alass!!! NAAA....

2.  Microsoft though had given early warnings as early as 2007 about the end of life support for XP OS, but in fact the surprising fact coming up vide various sources is that currently most bank machines (95% of ATMs in the world) use Microsoft XP (OS) in their cash machines and with the date nearing fast it seems like herculean to replace all as per the time line.So after repeated request from across the globe from leading bank vendors including big UK banks such as Barclays, HSBC, Lloyds Banking Group, Royal Bank of Scotland etc ,Microsoft has agreed to provide antimalware signatures for the operating system through July 15, 2015 and just for info that’s not the same as software patches, but does help consumer and business security programs identify malware on the system. The original end of support date of April 8, 2014 still stands. Even for this the banks might pay up to $100 million (KES. 8.5 billion) each to keep their Windows XP support, combined with the costs to upgrade their ATMs to a more recent version of the OS. Microsoft does offer what it calls “Custom Support” for large business that includes updates for legacy programs....

3.   Thus XP , though will be soon bidding bye for all home users but the fact is that it has proved it self yet again in terms of the swollen dependency that too pan global...that only proves yet again that XP still has a large large following.....

UBUNTU 12.04 LTS beats Windows 7,MAC @ GCHQ Report

1.    Now this is some good news for all Ubuntu lovers.Ubuntu 12.04 LTS has topped a UK security agency’s security assessment of mobile and desktop operating systems.CESG (originally Communications-Electronics Security Group) is the group within GCHQ(an intelligence and security organization, working to keep Britain safe and secure in the challenging environment of IT communications).CESG conducted a series of tests in the last few months to review a set of 11 operating systems which currently run on various devices such as desktops, laptops, servers, mobile phones and tablets. The security assessment included the following categories:

    - VPN
    - Disk Encryption
    - Authentication
    - Secure Boot
    - Platform Integrity and Application Sandboxing
    - Application Whitelisting
    - Malicious Code Detection and Prevention
    - Security Policy Enforcement
    - External Interface Protection
    - Device Update Policy
    - Event Collection for Enterprise Analysis
    - Incident Response

2.   Ubuntu 12.04 LTS is the only operating system to fully pass 9 of the 12 listed security recommendations above.Ubuntu was marked down on VPN and encryption because its implementation/software has yet to be independently assessed by an approved CESG body.The VPN issue is likely to be addressed in the UBUNTU 14.04 LTS thats likely arrival date is somewhere in Apr 2014...ie in another about two months from now.

3.    The list of operating systems which were compared are mentioned below :

- Windows 7/8
- Android 4.2
- Samsung devices with Android 4.2
- Apple iOS6
- Apple OSX 10.8
- Blackberry 10.1(EMM Corporate)
- Blackberry 10.1(EMM Regulate)
- Google Chrome OS 26
- Windows 8 RT
- Windows Phone 8

4.  What Canonical has to say about this

“We are working hard to close the gap and make Ubuntu clearly stand out as the most trustworthy operating system for the future and we hope to make excellent progress before our next LTS release in April 2014, 14.04 LTS, which will be even better,” Darryl Weaver, Canonical Sales Engineer

5.  Few screen shots from web with this news :

6.   Source of news as above...thanks http://www.zdnet.com

New Laptops without Windows 8 @ Rare

1.   Strange it may seem but the current availability of Laptops for sale in the market show a peculiar sad state of specs...ie they are available only with Windows 8.There are rare options on few sites that offer New laptops for sale without Windows OS.I have been planning to buy a laptop with i3/i5 processor and in my search over various sites I came across this sad but surprising stat.

2.  Infact leading online shopping retails in Dubai have got NIL option to buy a laptop without Windows 8.I checked up at the following sites :

- www.sharafdg.com/‎

- http://www.carrefouruae.com/

- http://www.ic4uae.com/

3.   Even the options without Windows 8 on leading retails in India have much lesser options then with Windows 8. Checked up at Flipkart, snapdeal,timesofindia shopping to mention a few.

 

 4.   Given these facts...it looks like Microsoft has put in rigorous and vigorous marketing efforts to increase there sales graph for Windows 8.For those guys who wish to buy Windows 8 laptop and then attempt removing the windows and install some Linux flavour...it is equally surprising that unlike till Windows 7 wherein it was relatively a matter of deleting Windows and installing Linux...it is complex removing Windows 8 so the user has to be content with a dual boot option wherein he has to compromise with wastage of space dedicated to Windows....

5.  Thus there is a kind of binding that comes along with these laptops with Windows 8 that you cannot mov to another OS.....:-(

McAfee : Runs on Windows/Linux and from Police

1.    Strange is the heading and so is the story....according to the news doing the rounds in cyber space.Anti-virus software pioneer John McAfee says he is moving every four hours to avoid Belizean police who wants to question him about the murder of his neighbor, a fellow American....how true or untrue is this ...m no one to comment....but being an ardent McAfee user for long on my various VMs....I would like to wish him the best.....more on the story that I read from is available here.....

Operation b70 : Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain

In continuation with the last post, here is more from Microsoft.Please go through this brave but honest confession from Microsoft.......ummmm!!!!I would not say confession but actually Microsoft's attempt to save millions of innocent users...must read for info at

http://blogs.technet.com/b/microsoft_blog/archive/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain.aspx

Operation b70 : New OS from Mall comes preloaded with Malware

1.   For last few years since Cyber Crime has been making news,it has been always discussed that all free stuff on internet comes preloaded with some kind of malware or spyware or some kindda ware!!!Here's about a one month old news worth a share that defies this logic....it actually says that Malware comes inbuilt to the OS from the mall showroom from u where u made the purchase!!!!!!!!

"Microsoft’s Digital Crime Unit (DCU) has recently made this astonishing announcement.DCU conducted a study to get a sense of how much of the counterfeit software available is preloaded with malware.  Microsoft researchers purchased 20 new computers from PC malls.  These systems had counterfeit software preinstalled on them by the distributor. DCU examined the files on these PCs and found malware on four of the 20 computers that were purchased, a 20 percent infection rate.Several types of malware were pre-installed on the computers purchased from the PC mall.  This malware enabled the attackers to perform a range of actions including DDoS attacks, creating hidden access points onto the systems, keylogging and data theft.

The researchers also identified one type of malware found on these systems attempting to connect to the command and control servers of a known botnet.  The ensuing study uncovered that attackers were building this botnet by infecting digital products, like computers or software, that were then distributed through an unsecure supply channel.  The malware was also designed to spread via flash drive memory sticks. The subdomains that hosted the botnet’s command and control servers link to more than 500 different types of malware.  Some of this malware is capable of turning on cameras and microphones connected to infected systems."

4.   More on the story here. uuuuhh!!!!isn't it scary...a fresh piece of digital device that you buy comes with an inbuilt spy to spy on you and your data...... In fact it is a bold step and brave announcement by the Microsoft DCU...it could have been hidden but they found it ok to declare it open so that the user gets braver on its use...!!!

5.   DCU took legal action to disrupt the malware hosted in the subdomains, in Operation b70.  You can read more about Operation b70 and the DCU’s efforts here: http://blogs.technet.com/b/microsoft_blog/archive/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain.aspx

6.   Thanks Microsoft and http://blogs.technet.com

Cross OS Trojan : @ If...Then...else :-)

1.    Got this at THN.We often feel stronger when we use some kind of a open source linux OS instead of the regular pirated or even genuine Windows OS incl XP/WIN7 etc.But what i got here was a simple trojan dropper code that is based on the found out OS...IF LINUX then this trojan...or if windows then the other one....the snap shot from the original THN site is here @ http://thehackernews.com/2012/07/cross-platform-trojan-mac-windows-linux.html

2.    F-Secure has found this web exploit that detects the OS of the computer and drops the relevant trojan to match.The attack was first seen on a Columbian transport website which had been hacked by a third party. This malware is known as GetShell.A and requires users to approve a Java applet installation.It detects if you're running Windows, Mac OS X, or Linux, and then downloads the corresponding malware for your platform. The malicious files developed for each type of OS connect to the same Command & Control server that F-Secure has localized at IP address 186.87.69.249.

3.  Thanks http://thehackernews.com

POWERFUL THAN ADMINISTRATOR ACCOUNT : SYSTEM LOGIN

1.  So here is something unheard to those who thought that ADMINISTRATOR was the king of the respective PC account.So for those who think so...ever thought why r u unable to fiddle with system files when u r the owner... that's because there is a SYSTEM account over and above the administrator who can delete the administrator account!!!!yes u read it right....so how do u get to the system account.I am giving it a step by step attempt here with screen shots!!

2.  Firstly...get to your desktop and see ur user name...mine is windowsxp ie a user account with admin priveleges as shown below :

3.    Secondly,get to the command prompt and create a schedule to run cmd.exe as follows :

at 14:51 /interactive “cmd.exe”

*** The time mentioned here can be a minute or two ahead of whats the time u doing this action.

 4.   You can check schedule by typing “at“ and hitting enter after the above step.

5.    Now Wait for the time you set for the schedule and u see that cmd.exe would be launched at the specified time and a subsequent command prompt windows will open automatically.

6.    Now go to ur desktop without closing any window and reach the task manager and kill the explorer.exe file under the process tab.

7.    Close the first cmd window and not the second one.

8.    Reach the root directory by pressing cd\

9.    Type start explorer...thats it...now u logged in as the System.....as shown:

 10.   Point to note :

- This is only for educational and info pupose.
- Never attempt it on a live system.
- Always do it on a virtualbox or Virtual machine or virtual PC.

11.   Thanks http://alieneyes.wordpress.com

Copy To the Clipboard From the Command Prompt

1.    Ever  tried copying text and commands you type at command prompt ie c:\

2.    I tried it once via the right click and then doing cut/paste thing.It did not happen.

3.    The way to do it is very simple though….u have to do this once…explained screen shot wise

GO TO THE COMMAND PROMPT

 RIGHT CLICK AT THE LEFT TOP MENU & CLICK ON PROPERTIES

ENABLE THE QUICK EDIT MODE

4.       You have to enable the Quick edit Mode and then on its simply left-clicking anywhere in the window and drag a box around the text that you would like to select.Once the text is selected, you can either right-click anywhere in the window or use the Enter key to copy the selected text to the clipboard.To paste into the command prompt, simply use the right mouse button anywhere inside the window while not in “Select” mode.

5.   Thanks http://www.howtogeek.com

HOW DO U FIND IF YOUR PC IS HACKED?- PART 6

FIND COMMAND

1.   Most of the commands I have discussed so far spew a lot of output on the screen, which could be hard for a human to look through to find a specific item of interest. But, Windows comes to the rescue. Users can search through the output of a command using the built-in find and findstr commands in Windows. The find command looks for simple strings, while findstr supports regular expressions, a more complex way to specify search patterns. Because the regular expressions supported by findstr go beyond the scope of this tip article, let's focus on the find command. By default, find is case sensitive - use the /i option to make it case insensitive.

2.    The find command also has the ability to count. Invoked with the /c command,it'll count the number of lines of its output that include a given string.Users often want to count the number of lines in the output of a command to determine how many processes are running, how many startup items are present  or a variety of other interesting tidbits on a machine. To count the lines of output, users could simply pipe their output through find /c /v "". This command will count (/c) the number of lines that do not have (/v) a blank line ("") in them. By counting the number of non-blank lines, the command is,in effect, counting the number of lines.

3.  Now, with the find command, users can look through the output of each of the commands I've discussed so far to find interesting tidbits. For example , to look at information every second about cmd.exe processes running on a machine, type:

C:\> wmic process list brief /every:1 | find "cmd.exe"

Or, to see which autostart programs are associated with the registry hive H KLM, run:

C:\> wmic startup list brief | find /i "hklm"

To count the number of files open on a machine on which openfiles accounting is activated, type:

C:\> openfiles /query /v | find /c /v ""

Whenever counting items in this way, remember to subtract the number of lines associated with column headers. And, as a final example, to see with one-second accuracy when TCP port 2222 starts being used on a machine, along with the process ID using the port, run:

C:\> netstat -nao 1 | find "2222"

THANKS www.amazingit.blogspot.com

HOW DO U FIND IF YOUR PC IS HACKED?- PART 5

NETSTAT COMMAND

1.  The Windows netstat command shows network activity, focusing on TCP and UDP by default. Because malware often communicates across the network, users can look for unusual and unexpected connections in the output of netstat, run as follows:

C:\> netstat –nao

2.  The -n option tells netstat to display numbers in its output, not the names of machines and protocols, and instead shows IP addresses and TCP or UDP port numbers. The -a indicates to display all connections and listening ports. The -o option tells netstat to show the processID number of each program interacting with a TCP or UDP port. If, instead of TCP and UDP, you are in interested in ICMP, netstat can be run as follows:

C:\> netstat -s -p icmp

3.   This indicates that the command will return statistics (-s) of the ICMP protocol. Although not as detailed as the TCP and UDP output, users can see if a machine is sending frequent and unexpected ICMP traffic on the network. Some backdoors and other malware communicate using the payload of ICMP Echo messages, the familiar and innocuous-looking ping packets seen on most networks periodically.

4.  Like WMIC, the netstat command also lets us run it every N seconds. But, instead of using the WMIC syntax of "/every:[N]", users simply follow their netstat invocation with a space and an integer. Thus, to list the TCP and UDP ports in use on a machine every 2 seconds, users can run:

C:\> netstat -na 2

HOW DO U FIND IF YOUR PC IS HACKED?- PART 4

OPENFILES COMMAND

1.  Many Windows administrators are unfamiliar with the powerful openfiles command built into Windows. As its name implies, this command shows all files that are opened on the box, indicating the process name interacting with each file. It's built into modern versions of Windows, from XP Pro to Vista. Like the popular ls of command for Linux and Unix, it'll show administrators all open files on the machine, giving the process name and full path for each file. Unlike lsof, however, it doesn't provide many more details, such as process ID number, user number and other information.

2.  Considering the volume of information it gathers, it's no surprise that the openfiles command is a performance hog. Thus, the accounting associated with

openfiles is off by default, meaning users can't pull any data from this command until it is turned on. This function can be activated by running:

C:\> openfiles /local on

3.  Users will need to reboot, and when the system comes back, they will be able to run the openfiles command as follows:

C:\> openfiles /query /v

4.  This command will show verbose output, which includes the user account that each process with an open file is running under. To get an idea of what malware has been installed, or what an attacker may be doing on a machine,users should look for unusual or unexpected files, especially those associated with unexpected local users on the machine.

5.   When finished with the openfiles command, its accounting functionality can be shut off and the system returned to normal performance by running the following command and rebooting:

C:\> openfiles /local off