TCPView is a powerful tool for Windows that allow s you to see all of the current TCP/IP network connections on your computer. As almost all remote hacks are perpetrated over the Internet, you will be able to use TCPView to quickly spot any remote computers that are connected to your computer. To use TCPView please download it from the following location and save it on your desktop:
TPCview Download Link
To find a hacker that may be connected to your computer, run TCPView and accept the license agreement. You will now be shown a page that displays all of the active TCP/IP connections on your computer. If there is a remote user connected to your computer at this time, then TCPView will show their connection and the IP address they are connecting from.
When using TCPView always be sure to disable the resolve address feature as we want to see the connected IP addresses. To do this, when TCPView is open, click on the Options menu and then uncheck Resolve Addresses . Now that TCPView is setup properly, let's see how TCPView works by looking at a screen shot of TCPView showing only legitimate connections.
Note: Please remember that there are many legitimate programs that will be legitimately
connected to remote computers. For example, when
you visit a web page with a web browser, you will be
downloading images, ads, javascript, and other
applets from all over the world. Therefore, when you
see web browser, messaging program, or other Internet related program and you recently used it, you
should not be concerned.
As you can see from the image above, the only programs that show an ESTABLISHED connection are related to the Internet Explorer process. If Internet Explorer was just used within the last 5-10 minutes, then these connections are legitimate connections that were made to various web sites. The processes that are in a LISTENING state look to be legitimate Windows programs, so they can be ignored as well. To be safe, though, you should always check the paths of all LISTENING programs by double-clicking on the program name. This will open a small dialog that shows you the path to the executable. If the program is in the proper place then you have confirmed that these are legitimate programs.
Now, let's say that you were using your computer and your CD drive ejected on its own. As this is a little strange you should start TCPView and look at its connections.
Note: Please note that any IP addresses from this tutorial are totally fictitious and did not perform any
harmful activity against any computer.
Can you spot the strange connection in the screen above? We see ESTABLISHED Internet Explorer connections to a variety of hosts, but if you recently used it then that is normal. At the very top, though, is a strange process called a.exe that has an established connection to to the remote IP address 67.83.7.212 and is listening on the local port number 26666. If you do not recognize the program or the remote address, then you should immediately become suspicious. The next step is to see if there is any legitimate program that uses that port number. By looking at this Wikipedia Page we see that there is no legitimate program assigned to the 26666 port number. If you are concerned that you are seeing a suspicious connection, you should definitely write down the name of the program, its file location, and the remote user's IP address so that you have it available later. You may also want to take screen shots in the event you need to show it to the authorities. Finally, we double-click on the process name to see where it is located and find that it is stored directly in the C:\Program Files folder.
Executable programs should not be stored directly in the C:\Program Files folder, so it paints a stronger case that this is not a legitimate program and that someone was accessing your computer without your permission. To be safe, you should end the process so that the hacker is no longer connected to the computer. Now that you know that someone has been accessing your computer without your permission, you should continue to the next section to learn how to use the information we just gathered to track them down.
0 comments:
Post a Comment