Tracing a Hacker

Posted by tech master  |  at  6:48 PM

Sometimes, it's just not enough to simply know that there's a Trojan or Virus onboard. Sometimes you need to know exactly why that file is onboard, how it got there - but most importantly, who put it there.

By enumerating the attacker in the same way that they have enumerated the victim, you will be able to see the bigger picture and establish what you're up against. But how can you do this? Read on...

## Connections make the world go round ##

The computer world, at any rate. Every single time you open up a website, send an email or upload your webpages into cyberspace, you are connecting to another machine in order to get the job done. This, of course, presents a major problem, because this simple act is what allows malicious users to target a machine in the first place.

# How do these people find their victim?

Well, first of all, they need to get hold of the victim's IP Address. Your IP (Internet Protocol) address reveals your point of entry to the Internet and can be used in many ways to cause your online activities many, many problems. It may not reveal you by name, but it may be uniquely identifiable and it represents your digital ID while you are online (especially so if you're on a fixed IP / DSL etc).
With an IP address, a Hacker can find out all sorts of weird and wonderful things about their victim (as well as causing all kinds of other trouble, the biggest two being Portnukes/Trojans and the dreaded DoS (Denial of Service) attack). Some Hackers like to collect IP Addresses like badges, and like to go back to old targets, messing them around every so often.

An IP address is incredibly easy to obtain. Until recently, many real-time chat applications (such as MSN) were goldmines of information. Your IP Address is contained as part of the header code on all emails that you send, and webpages that you visit can store all kinds of information about you. A common trick is for the Hacker to go into a chatroom and paste his supposed website address all over the place; when an unsuspecting victim visits, everything about their computer from the operating system to the screen resolution can be logged... and, of course, the all-important IP address. In addition, a simple network-wide port scan will reveal vulnerable target machines, and a war-dialler will scan thousands of phone lines for exposed modems that the hacker can exploit.
So now that you know some of the basic dangers, you're probably wondering how these people connect to a victim's machine?

## Virtual and Physical Ports ##

Everything that you receive over the Internet comes as a result of other machines connecting to your computer's ports. You have two types: Physical ports are the holes in the back of your machine, but the important ones are Virtual. These allow transfer of data between your computer and the outside world, some with allocated functions, some without. Knowing how these work is the first step to discovering who is attacking you; you simply MUST have a basic knowledge of this, or you won't get much further.

# What the phrases TCP/UDP actually mean

TCP/IP stands for Transmission Control Protocol and Internet Protocol. A TCP/IP packet is a block of data which is compressed, then has a header put on it and is sent to another computer (UDP stands for User Datagram Protocol). This is how ALL internet transfers occur, by sending packets. The header in a packet contains the IP address of the one who originally sent it to you. Now, your computer comes with an excellent (and free) tool that allows you to see anything that is connected (or is attempting to connect) to you, although bear in mind that it offers no blocking protection; it simply tells you what is going on. That tool is NETSTAT.

## Netstat: Your first line of defence ##

Netstat is a very fast and reliable method of seeing exactly who or what is connected (or connecting) to your computer. Open up DOS (Start/Programs/MS-DOS Prompt on most systems), and in the MSDOS Prompt, type:

netstat -a

(make sure you include the space in between the "t" and the "a").

If you're connected to the Internet when you do this, you should see something like:

Active Connections
Proto  Local Address      Foreign Address               State
TCP    macintosh:20034    50505                         ESTABLISHED
TCP    macintosh:80       proxy.webcache.eng.sq:30101   TIME_WAIT
TCP    macintosh          MACINTOSH:0                   LISTENING
TCP    macintosh          MACINTOSH:0                   LISTENING
TCP    macintosh          MACINTOSH:0                   LISTENING

Now, "Proto(col)" simply means what kind of data transmission is taking place (TCP or UDP), "Local address" is your computer (and the number next to it tells you what port you're connected on), "Foreign Address" is the machine that is connected to you (and what port they're using), and finally "State" is simply whether or not a connection is actually established, or whether the machine in question is waiting for a transmission, or timing out etc.

Now, you need to know all of Netstat's various commands, so type:

netstat ?

You will get something like this:

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]
-a Displays all connections and listening ports.
-e Displays Ethernet statistics. This may be combined with the -s option.
-n Displays addresses and port numbers in numerical form.
-p proto Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP.
-r Displays the routing table.
-s Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.

Have a play around with the various options, but the most important use of these methods is when you combine them. The best command to use is

netstat -an

because this will list all connections in numerical form, which makes it a lot easier to trace malicious users. Hostnames can be a little confusing if you don't know what you're doing (although they're easily understandable, as we shall see later). Also, by doing this, you can find out what your own IP address is, which is always useful.

netstat -b

will tell you what ports are open and which programs are connecting to the internet.

## Types of Port ##

It would be impossible to find out who was attacking you if computers could just access any old port to perform an important function; how could you tell a mail transfer from a Trojan Attack? Well, good news, because your regular, normal connections are assigned to low, commonly used ports, and in general, the higher the number used, the more you should be suspicious. Here are the three main types of port:

# Well Known Ports

These run from 0 to 1023, and are bound to the common services that run on them (for example, mail runs on port 25 tcp/udp, which is SMTP (Simple Mail Transfer Protocol)), so if you find one of these ports open (and you usually will), it's usually because of an essential function.

# Registered Ports

These run from 1024 to 49151. Although not bound to a particular service, these are normally used by networking utilities like FTP software, email clients and so on, which open a random port within this range before communicating with the remote server. So don't panic (just be wary, perhaps) if you see any of these open, because they usually close automatically when the program using them terminates (for example, type a common website name into your browser with netstat open, and watch as it opens up a port at random to act as a buffer for the remote server). Services like MSN Messenger and ICQ usually run on these ports.

# Dynamic/Private Ports

Ranging from 49152 to 65535, these are rarely used except by certain programs, and even then not very often. This is indeed the usual range of the Trojan, so if you find any of these open, be very suspicious. So, just to recap:

Well Known Ports        0 to 1023        Commonly used, little danger.
Registered Ports        1024 to 49151    Not as common, just be careful.
Dynamic/Private Ports   49152 to 65535   Be extremely suspicious.

## The hunt is on ##

Now, it is essential that you know what you're looking for, and the most common way someone will attack your machine is with a Trojan. This is a program that is sent to you in an email, or attempts to bind itself to one of your ports, and when activated, it can give the user your passwords, access to your hard drive... they can even make your CD Tray pop open and shut. At the end of this document, you will find a list of the most commonly used Trojans and the ports they operate on. For now, let's take another look at that first example of Netstat:

Active Connections
Proto  Local Address      Foreign Address               State
TCP    macintosh:27374    50505                         ESTABLISHED
TCP    macintosh:80       proxy.webcache.eng.sq:30101   TIME_WAIT
TCP    macintosh          MACINTOSH:0                   LISTENING
TCP    macintosh          MACINTOSH:0                   LISTENING
TCP    macintosh          MACINTOSH:0                   LISTENING

Now, straight away, this should make more sense to you. Your computer is connected on two ports, 80 and 27374. Port 80 is used for http/www transmissions (i.e. for all intents and purposes, it's how you connect to the net, although of course it's a lot more complicated than that). Port 27374, however, is distinctly suspicious: first of all, it is in the registered port range, and although other services (like MSN) use these, let's assume that you have nothing at all running like instant messengers or webpages, and that you're simply connected to the net through a proxy. So, now this connection is looking even more troublesome, and when you realise that 27374 is a common port for Netbus (a potentially destructive Trojan), you can see that something is untoward here. So, what you would do is:

1) Run Netstat, and use both:

Netstat -a

and

Netstat -an

so that you have both Hostnames AND IP addresses.
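As an added example (not code from the original post), here is a Python helper that does the triage described in the port-range section and the netstat walk-through above: it parses "netstat -an" output, classifies each local port into the three ranges, and checks both ends of every connection against a subset of the tutorial's own Trojan port list. The netstat output and addresses are constructed; the second row mirrors the first example (local port 20034, foreign port 50505).

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample of "netstat -an" output in the Windows layout (not from a
# real host). The second row mirrors the tutorial's first example: local port
# 20034 talking to foreign port 50505.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:80        203.0.113.7:30101      TIME_WAIT
  TCP    192.168.1.10:20034     198.51.100.23:50505    ESTABLISHED
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1043      203.0.113.7:443        ESTABLISHED
  UDP    0.0.0.0:31337          *:*
"""

# A subset of the tutorial's own Trojan port list, keyed by (proto, port).
TROJAN_PORTS: Dict[Tuple[str, int], str] = {
    ("TCP", 1243): "SubSeven 1.0 - 1.8",
    ("TCP", 12345): "GabanBus, NetBus",
    ("TCP", 20034): "NetBus 2.0, Beta-NetBus 2.01",
    ("TCP", 31337): "Back Orifice",
    ("TCP", 50505): "Sockets de Troie",
    ("UDP", 31337): "Back Orifice 1.20",
    ("UDP", 54321): "Back Orifice 2000",
}

class Conn(NamedTuple):
    proto: str
    local_host: str
    local_port: Optional[int]
    foreign_host: str
    foreign_port: Optional[int]
    state: str  # empty for UDP rows, which have no State column

_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def _split(addr: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' on the last colon; a '*' port becomes None."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def port_class(port: int) -> str:
    """Classify a port into the three ranges the tutorial describes."""
    if 0 <= port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    if port <= 65535:
        return "dynamic/private"
    raise ValueError(f"not a port number: {port}")

def parse_netstat(text: str) -> List[Conn]:
    """Parse the TCP/UDP rows of 'netstat -an'; other lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            conns.append(Conn(proto, *_split(local), *_split(foreign), state or ""))
    return conns

def triage(conns: List[Conn]) -> List[dict]:
    """Per row: local port class, hits on either end against TROJAN_PORTS, verdict."""
    findings = []
    for c in conns:
        # Both ends are checked: the tutorial's examples show the suspect
        # port on the local side as well as the foreign side.
        hits = [f"{side} port {port}: {TROJAN_PORTS[(c.proto, port)]}"
                for side, port in (("local", c.local_port), ("foreign", c.foreign_port))
                if (c.proto, port) in TROJAN_PORTS]
        cls = port_class(c.local_port) if c.local_port is not None else "n/a"
        if hits:
            verdict = "check"  # matches a known Trojan port: find the owning process
        else:
            verdict = {"well-known": "ok", "registered": "wary"}.get(cls, "suspicious")
        findings.append({"conn": c, "local_class": cls, "hits": hits, "verdict": verdict})
    return findings

# Run over the constructed sample; each finding can be printed or filtered.
REPORT = triage(parse_netstat(SAMPLE_NETSTAT))
```

A port match is only a lead: the same number can be used by a legitimate program, so confirm with "netstat -b" (or the process list) which executable owns the socket before drawing conclusions.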

## Tracerouting ##

Having the attacker's IP is all well and good, but what can you do with it? The answer is, a lot more! It's not enough to have the address; you also need to know where the attacker's connections are coming from. You may have used automated tracerouting tools before, but do you know how they work? Go back to MS-DOS and type

tracert *type IP address/Hostname here*

Now, what happens is, the Traceroute will show you all the computers in between you and the target machine, including blockages, firewalls etc. More often than not, the hostname listed before the final one will belong to the Hacker's ISP. It'll either say who the ISP is somewhere in there, or else you run a second trace on the new IP/hostname to see who the ISP in question is. If the hostname that you get back doesn't actually seem to mention a geographical location within its text, you may think all is lost. But fear not! Suppose you get a hostname such as

Well, that tells us nothing, right? Wrong. Simply enter the hostname in your browser, and though many times you will get nothing back, sometimes it will resolve to an ISP, and from there you can easily find out its location and in what areas they operate. This at least gives you a firm geographical location to carry out your investigations in.

If you STILL have nothing, as a last resort you COULD try connecting to your target's ISP's port 13 by Telnet, which will tell you how many hours ahead or behind this ISP is of GMT, thus giving you a geographical trace based on the time mentioned (although bear in mind, the ISP may be doing something stupid like not having their clocks set correctly, giving you a misleading trace. Similarly, a common tactic of Hackers is to deliberately have their computer's clock set to a totally wrong time, so as to throw you off the scent). Also, unless you know what you're doing, I wouldn't advise using Telnet (which is outside the parameters of this tutorial).

## Reverse DNS Query ##

This is probably the most effective way of running a trace on somebody. If ever you're in a chatroom and you see someone saying that they've "hacked into a satellite orbiting the Earth, and are taking pictures of your house right now", ignore them, because that's just bad movie nonsense. THIS method is the way to go with regard to finding out what country (maybe even what State/City etc) someone resides in, although it's actually almost impossible to find an EXACT geographical location without actually breaking into your ISP's Head Office and running off with the safe.
To run an rDNS query, simply go back to MS-DOS and type


and hit return. Any active connections will resolve to hostnames rather than a numerical format


DNS stands for Domain Name Server. These are machines connected to the Internet whose job it is to keep track of the IP Addresses and Domain Names of other machines. When called upon, they take the ASCII Domain Name and convert it to the relevant numeric IP Address. A DNS search translates a hostname into an IP address, which is why we can enter "" and get the website to come up, instead of having to actually remember Hotmail's IP address and enter that instead. Well, Reverse DNS, of course, translates the IP Address into a Hostname (i.e. in letters and words instead of numbers), which matters because sometimes the Hacker will employ various methods to stop Netstat from picking up a correct Hostname.
So, for example, is NOT a Hostname. IS a Hostname.

Anyway, see the section at the end? (au) means the target lives in Australia. Most (if not all) hostnames end in a specific Country Code, thus narrowing down your search even further. If you know your target's Email Address (i.e. they foolishly sent you hate mail, but were silly enough to use a valid email address) but nothing else, then you can use the Country codes to deduce where they're from as well. You can also deduce the IP address of the sender by looking at the email's header (a "hidden" block of text which contains information on the sender)... on Hotmail, for example, go to Preferences, and select the "Full Header's Visible" option. Alternatively, you can run a "Finger" trace on the email address, at:
Plus, some ISPs include their name in your Email Address with them too (i.e. Wanadoo, Supanet etc), and your Hacker may be using an email account that's been provided by a Website hosting company, meaning this would probably have the website host's name in the email address (i.e. Webspawners). So, you could use the information gleaned to maybe even hunt down their website (then you could run a website check as mentioned previously) or report abuse of that Website Provider's Email account (and thus, the Website that it goes with) to
If your Hacker happens to reside in the USA, go to:
for a complete list of US State abbreviations.
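As an added example (not part of the original post), here is a Python helper for the email-header step above: it unfolds the Received: lines of a constructed message, walks them from the bottom up to the originating host and IP, and reads the country code off the hostname as the tutorial describes. Only the Received: lines written by your own mail provider's servers can be relied on; those below them were supplied by the sender and may be fabricated, so treat the result as a lead to verify.

```python
import re
import socket
from typing import List, Optional, Tuple

# Constructed sample headers (not a real message). Each mail server prepends
# its own Received: line, so the top one is the last hop and the bottom one
# is the hop closest to the sender.
SAMPLE_HEADERS = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.5])
\tby mail.example.com with ESMTP id A1B2; Tue, 01 Jan 2008 10:00:00 +0000
Received: from relay.isp.example.com.au (relay.isp.example.com.au [198.51.100.9])
\tby mx2.example.net with ESMTP id C3D4; Tue, 01 Jan 2008 09:59:30 +1000
Received: from dialup-23.isp.example.com.au (dialup-23.isp.example.com.au [198.51.100.23])
\tby relay.isp.example.com.au with SMTP id E5F6; Tue, 01 Jan 2008 09:59:00 +1000
From: someone@isp.example.com.au
Subject: hello

body text
"""

# "from <claimed host> (... [<ip>])": the IP in brackets is what the receiving
# server saw on the wire, the name before it is only what the sender claimed.
_RECEIVED = re.compile(r"from\s+(?P<host>[^\s(]+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs, joining folded continuation lines; stops at the body."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def received_hops(headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(claimed host, IP) per Received: line, top (last hop) to bottom (first hop)."""
    hops = []
    for name, value in headers:
        if name.lower() == "received":
            m = _RECEIVED.search(value)
            if m:
                hops.append((m.group("host"), m.group("ip")))
    return hops

def origin_hop(headers: List[Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Bottom-most hop: the machine that handed the mail to the first relay.

    Reliable only as far down as the lines your own provider's servers wrote;
    anything below that came from the sender and can be forged.
    """
    hops = received_hops(headers)
    return hops[-1] if hops else None

def country_code(hostname: str) -> Optional[str]:
    """Two-letter country code from the last label (e.g. '.au' -> Australia),
    or None for generic TLDs and bare IP addresses."""
    label = hostname.rstrip(".").rsplit(".", 1)[-1].lower()
    return label if len(label) == 2 and label.isalpha() else None

def reverse_lookup(ip: str) -> Optional[str]:
    """Reverse DNS (PTR) for an IP, or None if it does not resolve (needs network)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None
```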

## List of Ports commonly used by Trojans ##

Please note that this isn't a complete list by any means, but it will give you an idea of what to look out for in Netstat. Be aware that some of the lower Ports may well be running valid services.

UDP: 1349 Back Orifice DLL
31337 Back Orifice 1.20
31338 DeepBO
54321 Back Orifice 2000

TCP: 21 Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
23 Tiny Telnet Server
25 Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, Terminator, WinPC, WinSpy, Kuang2 0.17A-0.30
31 Hackers Paradise
80 Executor
456 Hackers Paradise
555 Ini-Killer, Phase Zero, Stealth Spy
666 Satanz Backdoor
1001 Silencer, WebEx
1011 Doly Trojan
1170 Psyber Stream Server, Voice
1234 Ultors Trojan
1243 SubSeven 1.0 - 1.8
1245 VooDoo Doll
1492 FTP99CMP
1600 Shivka-Burka
1807 SpySender
1981 Shockrave
1999 BackDoor 1.00-1.03
2001 Trojan Cow
2023 Ripper
2115 Bugs
2140 Deep Throat, The Invasor
2801 Phineas Phucker
3024 WinCrash
3129 Masters Paradise
3150 Deep Throat, The Invasor
3700 Portal of Doom
4092 WinCrash
4567 File Nail 1
4590 ICQTrojan
5000 Bubbel
5000 Sockets de Troie
5001 Sockets de Troie
5321 Firehotcker
5400 Blade Runner 0.80 Alpha
5401 Blade Runner 0.80 Alpha
5402 Blade Runner 0.80 Alpha
5400 Blade Runner
5401 Blade Runner
5402 Blade Runner
5569 Robo-Hack
5742 WinCrash
6670 DeepThroat
6771 DeepThroat
6969 GateCrasher, Priority
7000 Remote Grab
7300 NetMonitor
7301 NetMonitor
7306 NetMonitor
7307 NetMonitor
7308 NetMonitor
7789 ICKiller
8787 Back Orifice 2000
9872 Portal of Doom
9873 Portal of Doom
9874 Portal of Doom
9875 Portal of Doom
9989 iNi-Killer
10067 Portal of Doom
10167 Portal of Doom
10607 Coma 1.0.9
11000 Senna Spy
11223 Progenic trojan
12223 Hack'99 KeyLogger
12345 GabanBus, NetBus
12346 GabanBus, NetBus
12361 Whack-a-mole
12362 Whack-a-mole
16969 Priority
20001 Millennium
20034 NetBus 2.0, Beta-NetBus 2.01
21544 GirlFriend 1.0, Beta-1.35
22222 Prosiak
23456 Evil FTP, Ugly FTP
26274 Delta
30100 NetSphere 1.27a
30101 NetSphere 1.27a
30102 NetSphere 1.27a
31337 Back Orifice
31338 Back Orifice, DeepBO
31339 NetSpy DK
31666 BOWhack
33333 Prosiak
34324 BigGluck, TN
40412 The Spy
40421 Masters Paradise
40422 Masters Paradise
40423 Masters Paradise
40426 Masters Paradise
47262 Delta
50505 Sockets de Troie
50766 Fore
53001 Remote Windows Shutdown
54321 SchoolBus .69-1.11
61466 Telecommando
65000 Devil

## Summary ##

I hope this tutorial is useful in showing you both how to secure yourself against unwanted connections, and also how to determine an attacker's identity. The Internet is by no means as anonymous as some people think it is, and although this is to the detriment of people's security online, it also works both ways: it IS possible to find and stop even the most determined of attackers. You just have to be patient and keep hunting for clues which will help you put an end to their exploits.



Test your Firewall

Posted by tech master  |  at  2:49 PM

Do you think the Firewall you use is the best, or do you want to find out which Firewall is the best? Then the Firewall Leak Test is for you.

Here you can test your Firewall using an extensive series of tests.
So hurry up and test your firewall.

I request all my readers, after testing their firewall, to post a comment here saying whether your Firewall passed or not, along with your Firewall's name, so that all my blog readers will come to know which Firewalls are good and which are bad.


Rapidshare search tips

Posted by tech master  |  at  8:20 PM

Searching in Rapidshare is easy.
If you want to search for mpg or avi videos, go to Google and then type
mpg|avi or mpg|avi
If you want to get software, go to Google and type
software name
For example, if you want to search for the Prince of Persia game on Rapidshare, go to Google and enter game prince of persia


How To Resize A Partition In Vista (EVEN IF Disk Management fails)

Posted by tech master  |  at  8:07 PM

You don't need 3rd-party software to resize partitions in Windows Vista. Simply follow these steps: Click Start > Right-click on Computer > Select Manage.
In the left pane, under the Storage category, click on Disk Management. Now select and right-click on the partition you wish to modify.

In the context menu, you will see options to Extend, Shrink or Delete the partition. Select the option you want. Sometimes one or more options may be grayed out and thus unavailable. It could be that such a step may be physically not possible.

Should you wish to continue nevertheless, please first back up your important data in case anything goes wrong. You may have to use diskpart.exe! The Diskpart utility can do everything that the Disk Management console can do, and more! It's invaluable for script writers or anyone who simply prefers working at a command prompt. For more information on it, see KB300415.

Windows also includes an additional command-line tool for file, system and disk management, called Fsutil. This utility helps you to change the short name of a file, find files by SID (Security Identifier) and perform other complex tasks.

Details with images at winvistaclub.


Two new vulnerabilities in MS Excel and symantec products

Posted by tech master  |  at  6:56 PM

The problem

1. A vulnerability has been reported in several editions of Microsoft Excel. It can be exploited to take control of a user's system: memory could be corrupted and arbitrary code executed.

2. Various Symantec products, including Norton Antivirus 2006, Internet Security 2005 and 2006, SystemWorks 2006, and Antispyware Edition 2005, have vulnerabilities that can be exploited to compromise a user's system. They are caused by errors in certain ActiveX controls under certain conditions.

What to Do

Microsoft has released patches for various editions of Excel. Find them at
Symantec Security Response has released Bloodhound.Exploit.148 to detect and block attempts to exploit the aforementioned vulnerability. Get the fix at


Touchscreen - All things you ever wanted to know about it

Posted by tech master  |  at  2:25 PM

Today everyone must be familiar with what a touchscreen is.
In simple words, a touchscreen is a screen which you can operate using your finger.

Today, we see touchscreens in mobiles, computers and many other devices, and you all must be wanting to know how a touchscreen works.
Here I am going to tell you how a touchscreen works and about the different types of touchscreens.

Components of touchscreen

A touchscreen consists of three major components. They are:

1. Touch sensitive surface - It is a glass panel which is put over the viewable screen. Electric current, charge or ultrasonic waves are passed through it. When it is touched, there is a change in the current, charge or frequency of the ultrasonic waves.

2. Controller - It can also be termed the CPU of the touchscreen. When the touch sensitive surface is touched, the controller records the change in the current, charge or frequency of the ultrasonic waves and identifies the point where you have touched.

3. Software driver - The controller identifies the point of touch and then sends it to the machine in the form of a signal. But the signal which is sent by the controller cannot be understood by the machine. Therefore the software driver converts the signal into a signal which is understandable by the machine, and then the machine opens the thing which you have touched.

Different types of touchscreens

1. Resistive touchscreen - This type of touchscreen consists of two glass layers. One layer is coated with a conductive material and the other is coated with a resistive material. Electric current is passed through the conductive material. When pressure is applied on the screen, both glass layers collide, and the change in current is recorded by the controller and sent to the machine by means of the software driver. Resistive screens offer limited clarity and can be easily damaged by sharp objects.

2. Capacitive touchscreen - This type of touchscreen consists of a glass panel coated with a charge-storing material. When the screen is touched, a small amount of charge is drawn to the point of contact, which is registered by the controller and sent to the machine by means of the software driver. They cannot be easily damaged, and clarity is much better than resistive screens.

3. Acoustic touchscreen - In this type of touchscreen, ultrasonic waves are passed over the glass panel. When the screen is touched, the change in frequency of the ultrasonic waves is recorded by the controller and sent to the machine by means of the software driver.


Nokia 7900

Posted by tech master  |  at  7:01 PM

The Nokia design department has gone extreme with the introduction of their new 7900 - and its little brother, the 7500. The 7900 has jagged edges and cuts everywhere, which give it a unique look. The surface has been etched, and you should be able to choose from 49 different colours that can be used to light up the keypad. There's a whole gigabyte of space on this OLED screen to preview your dear photos on. Perks include wallpapers that change their appearance as time passes by, and with changes in battery and signal strength. The phone should be out by the final quarter of the year, with a rumoured price of around $550.


Opera Hacks

Posted by tech master  |  at  5:05 PM

1. Fighting Ads using Opera's Filter

Ads are everywhere on almost any site you visit. Firefox may have Adblock Plus, but Opera has its own ad blocking system in place. The file urlfilter.ini in
C:\Documents and settings\Your_username\Application Data\Opera\profile
(where C:\ is the drive in which Windows is installed) contains a list of sites to be blocked. Add site addresses and wildcards such as "*" (the star) to block sites. There are several such lists available on the Internet ready for download. One such good list can be found at Just download the Opera list and copy the file to the given location or its contents to the file that already exists.

2. Modifying Tab width range

Tabbed browsing is a boon, but the use of too many tabs in Opera causes the names to be cropped off. In Opera, you can set a limit to how small and how wide a tab can be allowed to be. Extract the skin.ini from
C:\Program Files\Opera\skin (where C:\ is the drive in which you have installed Opera)
Open skin.ini in Notepad and modify these lines

Pagebar max button width =
Pagebar min button width =

to suitable values. If the lines aren't present, create them and then save the file. Add the edited file back to the skin's ZIP file. Restart Opera and select the skin from Tools > Appearance.

3. Adding shortcuts to execute programs

Keyboard shortcuts can be used in Opera to quickly start programs or go to a particular site. The trick is to add shortcuts to the shortcut.ini file located at C:\Documents and settings\Your_username\Application Data\Opera\Opera\profile\keyboard. Open it in Notepad. Creating shortcuts is done in a manner similar to this:

G, G="Execute program, "c:\WINDOWS\Notepad.exe"

Here, typing G then G will start Notepad. In a similar manner, the path of the program can be replaced with a site URL, for example ="Execute program, "". Opera will load the site when you use the shortcut.


Falcon Northwest DRX

Posted by tech master  |  at  5:19 PM

Now, most of us believe gaming isn't something you do on laptops. They're meant for general office work - Word, Excel, e-mail, etc.
Falcon Northwest is out to prove us wrong. The DRX has two 7950GTX cards in SLI, and the processor driving them is a Core 2 Duo X6800 @ 2.93 GHz. Shocked yet? The rest of the specs go thus: the 17-inch screen does a resolution of 1920 x 1200, something you normally find on 24-inch monitors. Three hard drives are provided: a 100 GB 7200 rpm one for performance, and two 160 GB 5400 rpm ones for mass storage. A TV tuner and four speakers are built in as well. Surely all this must be really expensive, well over the $3000 mark? Actually, it's more than twice that: $7687.


Instant messengers tricks

Posted by tech master  |  at  4:51 PM

Yahoo messenger trick

If you ever think that someone is avoiding you by signing in as invisible, there is a way to find out whether that person is online or not.

You can find it by using Doodle IMvironment. Start an offline conversation with the contact and send them a dummy message. If they're actually online, this should open a conversation window on their machine.

Now, select the Doodle IMvironment from IMvironment > See All IMvironments > Yahoo Tools. If your contact is really offline, you'll see "Waiting for friend to load Doodle" for a really long time. If, however, your contact is online, the IMvironment should load in less than a minute and let you draw.

Google talk trick

1. Run Google Talk with multiple email addresses

To run Google Talk with multiple email addresses, first create one copy of the Google Talk shortcut on your desktop, leaving the original intact. Right-click on this shortcut and select Properties. The Target text box will show you the path of the EXE for Google Talk, something like

Change this to
"C:\ProgramFiles\Google\GoogleTalk\googletalk.exe" /nomutex

You're done. Now you can run google talk with multiple email addresses.

You can also run Yahoo Messenger with multiple email addresses. I have posted this trick, how to run Yahoo Messenger with multiple email addresses, in my earlier posts. Click here to read it.

2. Formatting text in Google talk

To type in bold, enclose the text within asterisks (*hi* = hi), to type in italics, enclose the text within underscores (_hi_ = hi)


Copyright © 2013 Techsense. WP Theme-junkie converted by BloggerTheme9