To compromise a computer system is to break its security or to cause it to enter an insecure state. The act of intruding, that is, gaining unauthorized access to a system, typically leaves traces that an intrusion detection system can discover. One goal of an intruder is therefore to remain undetected for as long as possible in order to continue the malicious activity.
Security professionals need to take steps when a system breach is suspected. First, suspicious accounts should be disabled immediately; disabling rather than deleting them preserves the home directory, file ownership and other evidence for the review. Then each suspicious account should be reviewed to assess who set it up and for what reason. Because audit logs record who created an account, establishing the date and time at which the account was created is very useful information. If the account is the outcome of a crack attack, the system reviewer will have a particular time frame in which to determine whether other audit log events are
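The account-review step above, worked through in code, as an added example that is not from the original entry or the cited article. The auth.log lines are constructed for this example, the account name svc_backup and the operator name deploy are made up, and the year (2005, which syslog lines do not carry) is an assumption passed in by the caller. The script locates the account-creation event, recovers from the sudo record who ran useradd, and then lists every other audit event inside a window around that time, which is the time frame the text says the reviewer should examine.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a Linux auth.log in syslog format. These lines were
# written for this example; they are not from the original page or article.
SAMPLE_AUTH_LOG = """\
Mar 21 02:11:03 web01 sshd[2210]: Accepted password for deploy from 203.0.113.7 port 51522 ssh2
Mar 21 02:11:10 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/sbin/useradd -m -s /bin/bash svc_backup
Mar 21 02:11:10 web01 useradd[2250]: new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup, shell=/bin/bash
Mar 21 02:11:25 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo svc_backup
Mar 21 02:12:40 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/cp /tmp/.x/nc /usr/local/bin/nc
Mar 21 02:13:05 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/crontab -u root /tmp/.x/cron
Mar 21 03:30:00 web01 CRON[2399]: (root) CMD (/usr/local/bin/nc -l -p 4444 -e /bin/sh)
Mar 21 08:02:14 web01 sshd[3101]: Accepted publickey for alice from 198.51.100.20 port 40122 ssh2
"""

# syslog timestamp, host, process (with optional [pid]) and message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<proc>[^:\s]+):\s*(?P<msg>.*)$"
)
NEW_USER_RE = re.compile(r"new user: name=(?P<name>[^,]+)")
SUDO_RE = re.compile(r"^\s*(?P<who>\S+)\s*:\s.*COMMAND=(?P<cmd>.*)$")


def parse_log(text, year):
    """Parse syslog-style lines into dicts with a real datetime.

    syslog lines carry no year, so the caller supplies it (assumed 2005 below).
    Lines that do not match the format are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m.group("host"), "proc": m.group("proc"),
                       "msg": m.group("msg"), "raw": line})
    return events


def find_account_creation(text, username, year=2005):
    """Return (timestamp, creator) for the creation of `username`, or None.

    The useradd record gives the exact time of creation; the sudo record that
    ran useradd for that user (same time or earlier) gives who did it. If no
    sudo record covers it (account added directly as root), creator is 'unknown'.
    """
    events = parse_log(text, year)
    for i, ev in enumerate(events):
        m = NEW_USER_RE.search(ev["msg"])
        if not (ev["proc"].startswith("useradd") and m and m.group("name") == username):
            continue
        creator = "unknown"
        for prev in reversed(events[:i + 1]):
            s = SUDO_RE.match(prev["msg"])
            if (prev["proc"] == "sudo" and s
                    and "useradd" in s.group("cmd") and username in s.group("cmd")):
                creator = s.group("who")
                break
        return ev["ts"], creator
    return None


def events_near(text, center, minutes=10, year=2005):
    """All events within +/- `minutes` of `center`, in time order.

    This is the window the reviewer examines for related activity: privilege
    grants, dropped binaries, scheduler changes, logins from the same address.
    """
    window = timedelta(minutes=minutes)
    return sorted((e for e in parse_log(text, year) if abs(e["ts"] - center) <= window),
                  key=lambda e: e["ts"])


if __name__ == "__main__":
    hit = find_account_creation(SAMPLE_AUTH_LOG, "svc_backup")
    if hit:
        ts, who = hit
        print(f"svc_backup created at {ts} by {who}; events within 5 minutes:")
        for e in events_near(SAMPLE_AUTH_LOG, ts, minutes=5):
            print(f"  {e['ts']:%H:%M:%S} {e['proc']}: {e['msg'][:70]}")
```

On the sample, the window shows the same operator granting the new account sudo rights, copying a binary out of /tmp/.x and installing a root crontab within two minutes of the creation; the legitimate login six hours later falls outside the window and is not flagged. On a real system the log should be read from a copy taken off the host, since the same attacker may have edited it.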
If the reviewer wants to determine whether a suspicious application is indeed being used by a cracker to listen for incoming connections, a potential "back door" into the system, the reviewer is well advised to use a tool such as TCPView (from Sysinternals). TCPView shows which processes have open ports on a Windows system; netstat and lsof serve the same purpose on Unix-like systems. Because crackers can replace the netstat and lsof programs with Trojan horses that hide their own listener, the reviewer should also scan the attacked system from a different computer, for example with the free Nmap port scanner from insecure.org. A port that is open from the outside but absent from the local listing is strong evidence that the local tools, or the kernel itself, have been tampered with; the reverse case, a port listed locally but not reachable from outside, is usually just a firewall.
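The cross-check described above, written out as an added example that is not from the original entry or the cited article. Both inputs are constructed for this example: a `netstat -tln` listing as the possibly trojaned local tool reports it, and Nmap grepable output (`-oG`) as captured from a second machine scanning the assumed address 192.0.2.10. The code parses both views and reports ports that are open from the outside but missing locally (a hidden listener) separately from ports that are bound locally but not reachable (usually a firewall).

```python
import re

# Constructed output of `netstat -tln` on the suspect host, i.e. what the local,
# possibly trojaned, tool reports. Not from the original page or article.
LOCAL_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
"""

# Constructed Nmap grepable output from a scan run on a different computer
# (assumed command: nmap -sT -p- -oG - 192.0.2.10). Fields in this format are
# tab-separated; port entries are port/state/proto//service///.
REMOTE_NMAP = """\
# Nmap scan initiated as: nmap -sT -p- -oG - 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 4444/open/tcp//krb524///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# One TCP LISTEN line of netstat: proto, queues, local addr:port, foreign, state.
LOCAL_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN",
    re.M,
)
# The port list of a grepable Host line, up to the next tab-separated field.
NMAP_PORTS_RE = re.compile(r"Ports:\s*(?P<ports>[^\t]*)")

# Addresses that mean "every interface"; only these are expected to be visible remotely.
WILDCARD = {"0.0.0.0", "::", "*"}


def local_listeners(netstat_text):
    """Map TCP port -> bound address, as the local netstat reports it."""
    return {int(m.group("port")): m.group("addr") for m in LOCAL_RE.finditer(netstat_text)}


def remote_open_ports(grepable_text):
    """Set of TCP ports Nmap reports as open from the outside."""
    open_ports = set()
    for m in NMAP_PORTS_RE.finditer(grepable_text):
        for entry in m.group("ports").split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.add(int(fields[0]))
    return open_ports


def compare_views(netstat_text, grepable_text):
    """Cross-check the local and remote views of the same host.

    hidden:      open from outside but absent from the local listing. The local
                 tool or the kernel is hiding a listener; treat it as a back door.
    unreachable: bound to a wildcard address locally but not open from outside.
                 Usually a firewall; worth noting, not evidence of tampering.
    Loopback-only listeners are expected to be invisible remotely and are ignored.
    """
    local = local_listeners(netstat_text)
    remote = remote_open_ports(grepable_text)
    hidden = sorted(remote - set(local))
    unreachable = sorted(p for p, addr in local.items()
                         if addr in WILDCARD and p not in remote)
    return {"hidden": hidden, "unreachable": unreachable}


if __name__ == "__main__":
    result = compare_views(LOCAL_NETSTAT, REMOTE_NMAP)
    for port in result["hidden"]:
        print(f"ALERT: tcp/{port} is open from outside but not listed locally (hidden listener)")
    for port in result["unreachable"]:
        print(f"note: tcp/{port} listens locally but is not reachable from outside")
```

On the sample, tcp/4444 is open to the scanner yet missing from the host's own listing, which is exactly the discrepancy a trojaned netstat produces; tcp/8080 is filtered from outside and reported only as a note. The scan must be run against every interface the host has, since a listener bound to a secondary address would otherwise go unseen.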
Malware can also be launched by the operating system's job scheduler. A system reviewer can list the jobs, legitimate or otherwise, that are scheduled to run on the system by typing AT at a Windows command prompt; on current versions of Windows, which have deprecated AT, schtasks /query lists the scheduled tasks. On Unix-like systems the equivalents are crontab -l for each user, the files under /etc/cron.d and the output of atq.
See Also: Audit Trail; Back or Trap Door; Cracking; Exploit; Log; Malware; Vulnerabilities of Computers.
Further Reading: Haberstetzer, V. Thwarting Hacker Techniques: Signs of a Compromised System. [Online, March 21, 2005.] TechTarget Website.