To compromise a computer system by breaking the security of such a system or causing it to enter into an insecure state. The act of intruding—or gaining unauthorized access to a system—typically leaves traces that can be discovered by intrusion detection systems. One of the goals of intruders is to remain undetected for as long as possible so that they can continue with their malicious activity undisturbed.
Security professionals need to take steps when a system breach is suspected. First, suspicious accounts should be disabled immediately. Then, the suspicious accounts need to be reviewed to assess who set up each account and for what reasons. Audit logs will indicate who created the account, and the time and date of its creation will be very useful information: if the account is the outcome of a crack attack, the system reviewer then has a particular time frame in which to determine whether other audit log events are “of interest.”
If the reviewer wants to determine whether a suspicious application is indeed being used by a cracker to listen for incoming connections—a potential “back door” into the system—the reviewer is well advised to consider using a tool such as TCPView. The TCPView tool will tell the system reviewer what applications are using open system ports. Because crackers can put Trojan horses in place of the netstat and lsof programs, the reviewer should also scan the attacked system from a different computer. This can be accomplished with a tool such as the free nmap port scanner from insecure.org.
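The cross-check described above, as an added example (not code from the cited article): the host's own listener list is compared with an external scan of the same host, and any port open from outside but absent locally is flagged. It assumes `netstat -an`-style output captured on the suspect host and nmap grepable (`-oG`) output from a second machine; both samples are constructed.

```python
"""Compare a host's own listener list against an external nmap scan."""
import re

# Constructed sample: what netstat on the (possibly trojaned) host reports.
LOCAL_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    192.0.2.10:3389        0.0.0.0:0              LISTENING
UDP    0.0.0.0:123            *:*
"""

# Constructed sample: nmap -oG output for the same host, run from another machine.
REMOTE_NMAP_GREPABLE = """\
# Nmap scan initiated as: nmap -sS -p- -oG - 192.0.2.10
Host: 192.0.2.10 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 4444/open/tcp////\tIgnored State: closed (65531)
# Nmap done
"""


def local_listeners(netstat_output):
    """Return the set of (proto, port) the host itself claims are listening."""
    found = set()
    for line in netstat_output.splitlines():
        m = re.match(r"\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?", line)
        if not m:
            continue  # header or unrelated line
        proto, port, state = m.group(1).lower(), int(m.group(2)), m.group(3)
        if proto == "udp" or state == "LISTENING":  # UDP lines carry no state
            found.add((proto, port))
    return found


def remote_open_ports(grepable_output):
    """Return the set of (proto, port) that nmap saw open from outside."""
    found = set()
    for line in grepable_output.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            port, state, proto = entry.strip().split("/")[:3]
            if state == "open":
                found.add((proto, int(port)))
    return found


def hidden_listeners(netstat_output, grepable_output):
    """Ports reachable from outside that the host's own tools do not report."""
    return sorted(remote_open_ports(grepable_output) - local_listeners(netstat_output))


if __name__ == "__main__":
    for proto, port in hidden_listeners(LOCAL_NETSTAT, REMOTE_NMAP_GREPABLE):
        print(f"{proto}/{port} is open from outside but absent from local netstat")
```

A mismatch is a lead rather than proof: a port-forwarding device between the scanner and the host can also make an external scan disagree with the local view.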
Malware can also be triggered from the operating system’s job scheduler. A system reviewer can see what jobs—legitimate or otherwise—are scheduled to be executed in the system by typing AT at the command prompt.
Haberstetzer, V. Thwarting Hacker Techniques: Signs of a Compromised System. [Online, March 21, 2005.] TechTarget Website. http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1069097,00.html?track=NL-35.