Tracing those that are trying to hack you

posted Mar 17, 2014, 7:58 AM by Andrew Chadick   [ updated Apr 3, 2014, 9:32 AM ]
First and foremost, check your logs. If you have a firewall with any intrusion protection, make sure you set it to notify you when someone is scanning your ports. Make sure you are monitoring the traffic going to any remote access connections, even if you use non-standard ports. If you run a Microsoft shop, the Security log in the Windows Event Viewer is a critical first look. Use it.
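As an added example (not part of the original post), the PowerShell below turns the Security log's failed-logon events (Event ID 4625) into a per-source-IP summary so repeated remote attempts stand out; the events are constructed sample XML so it runs anywhere, and the `Get-WinEvent` line in the comment is what you would feed it on a live server. The function names and the threshold value are my own assumptions.

```powershell
# Added example, not from the original post. Summarise failed logons (4625)
# by source IP. On a live host, build the input with:
#   $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} |
#          ForEach-Object { $_.ToXml() }

function New-SampleEvent([string]$User, [string]$LogonType, [string]$Ip) {
    # Constructed 4625-shaped event for demonstration, not real log data.
    "<Event><System><EventID>4625</EventID></System><EventData>" +
    "<Data Name='TargetUserName'>$User</Data><Data Name='LogonType'>$LogonType</Data>" +
    "<Data Name='IpAddress'>$Ip</Data></EventData></Event>"
}

function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,
        [int]$Threshold = 5   # assumed: attempts from one IP before it is reported
    )
    $records = foreach ($raw in $EventXml) {
        $x = [xml]$raw
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.InnerText }
        # '-' or empty IpAddress means a local (console/service) logon, not remote
        if ($d.IpAddress -and $d.IpAddress -ne '-') {
            [pscustomobject]@{ Ip = $d.IpAddress; User = $d.TargetUserName; LogonType = $d.LogonType }
        }
    }
    $records | Group-Object Ip | Where-Object Count -ge $Threshold | ForEach-Object {
        [pscustomobject]@{
            SourceIp   = $_.Name
            Attempts   = $_.Count
            Users      = ($_.Group.User | Sort-Object -Unique) -join ','
            # LogonType 10 = RemoteInteractive (RDP), 3 = network share/SMB
            LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Attempts -Descending
}

# Constructed sample: one address hammering RDP with several usernames,
# one stray remote failure, and one local failure that should be ignored.
$sample = @(
    'administrator', 'admin', 'root', 'administrator', 'backup', 'administrator' |
        ForEach-Object { New-SampleEvent $_ '10' '203.0.113.45' }
    New-SampleEvent 'jsmith' '3' '198.51.100.7'
    New-SampleEvent 'jsmith' '2' '-'
)

# Expected: only 203.0.113.45 is listed (6 attempts, 4 distinct users, type 10).
Get-FailedLogonSummary -EventXml $sample -Threshold 3 | Format-Table -AutoSize
```

The SourceIp column is what you then hand to the lookup tools listed below (tracert, pathping, WHOIS, nslookup) to see where the attempts originate.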

Other great tools for hunting and tracking those that attack through the web:

TCPView http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows Server 2008, Vista, and XP, TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows.

The TRACERT (Trace Route) command is a route-tracing utility used to determine the path that an IP packet has taken to reach a destination.

PATHPING provides information about network latency and network loss at intermediate hops between a source and destination. Pathping sends multiple Echo Request messages to each router between a source and destination over a period of time and then computes results based on the packets returned from each router. Because pathping displays the degree of packet loss at any given router or link, you can determine which routers or subnets might be having network problems. Pathping performs the equivalent of the tracert command by identifying which routers are on the path. It then sends pings periodically to all of the routers over a specified time period and computes statistics based on the number returned from each. Used without parameters, pathping displays help.

An IP address (Internet Protocol address) is a unique number that devices use to identify and communicate with each other on a network using the Internet Protocol standard. Any participating device, including routers, computers, servers, printers, and even some telephones (VoIP), must have its own unique, reachable address. This tool shows you the location of an IP address on a map.

This test will return WHOIS registration results for a domain name. Depending on the registrar, you can see various information, such as who it is registered to, when it was registered and when it expires, where the DNS is hosted, and more. In some cases, you will be able to go to the registrar's site to get more information.

A host of tools that you may find useful for finding or checking on various computers on the internet 

NSLookup http://support.microsoft.com/kb/200525 A Microsoft and Unix command-line administrative tool for testing and troubleshooting DNS servers. The first thing you need to understand about NSLOOKUP is that when you run the command, it assumes you are querying a local domain on your private network. You can query an external domain, but NSLOOKUP will try to resolve the name internally first.
