Monday, August 18, 2014

Backtrace a Hacker's Keylogger or RAT

Have you been infected with a RAT or a keylogger and want to find out who your attacker is? Most of the cheap keyloggers and RATs of this kind send the stolen data back to the attacker in one of two ways. In this tutorial we explain how to find out who they are using a program called Wireshark.
There are two ways such an attacker usually receives your information: email (SMTP) and FTP servers. You need to understand how this works first.
By email: when the hacker configures the malware (the "server" part that runs on your machine), they have to enter the email account and password the stolen information is sent with, and the address it is sent to. Those details are baked into the file that infects you.
By FTP server: much like the email method, except that instead of an email account the malware is configured with the hostname, username and password of an FTP server that receives your information. With both methods the malware usually uploads text logs of your keystroke activity at regular intervals once you have been infected.
Because the malware on your machine has to log in to that mailbox or FTP server, the credentials pass through your own network card. If we capture all data packets and look for either protocol, we will have the hacker's FTP login or email address. This only works when the connection is in the clear: FTP is always plaintext, and SMTP is plaintext unless the malware uses TLS (port 465, or STARTTLS on port 587).
Wireshark is a very useful and popular packet capture and analysis tool that is used by network forensic experts to inspect the incoming and outgoing packet flow of their network cards, such as Ethernet or WLAN. It records every packet going in and out of the interface you select.
Whenever you think you may be infected, follow the steps below to find out if, and by whom, you have been infected.
Steps

1. First of all, download and install Wireshark. You can find it HERE.
Note: while Wireshark is installing, make sure it also installs the packet capture driver (WinPcap on Windows at the time of writing); without it Wireshark cannot capture anything.

2. Now go to the "Capture" menu at the top of Wireshark, select the interface your machine uses to reach the Internet (Ethernet or WLAN) and start the capture.

3. It will capture all packets passing through that network card. Keep capturing for at least an hour for the best results, and type a few things while it runs: most loggers only send a report on a timer or once they have collected enough keystrokes, so you want to catch at least one upload.

4. Now filter the results. Go to the display filter box and type ftp, then try smtp (lowercase; the filter names are case-sensitive). You can also type ftp || smtp to see both at once. If one shows nothing, the other may, as the hacker could be using either. Normal web browsing does not use these protocols, so on a home machine any hit here is worth a closer look.

5. Scroll through the filtered packets. If an FTP server is used you will see the USER and PASS commands in the clear, along with the server's IP address in the destination column. If the hacker has used SMTP you will see the AUTH LOGIN exchange, where the email address and password are base64 encoded (encoded, not encrypted, so they decode trivially), plus the MAIL FROM and RCPT TO lines showing the mailbox the logs are sent from and to. Right-click one of these packets and choose "Follow TCP Stream" to see the whole conversation, including the name of the log file being uploaded.
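Here is an added example, not code from the original post, of what you are looking for in steps 4 and 5 and of the two exfiltration methods described earlier. It takes a conversation in the form Wireshark's "Follow TCP Stream" shows it and pulls out the server, the login and the mailbox or upload. The two sample streams are constructed for this example: every hostname, IP address, account name, password and file name in them is made up, and the helper names (parse_smtp_stream, parse_ftp_stream) are this example's own.

```python
import base64
import re

# Constructed sample streams, written the way Wireshark's "Follow TCP Stream"
# shows them ("C:" = infected host, "S:" = attacker's server). Every hostname,
# address and credential below is made up for this example.
SMTP_STREAM = """\
S: 220 mail.example.net ESMTP ready
C: EHLO VICTIM-PC
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: bG9nc0BleGFtcGxlLm5ldA==
S: 334 UGFzc3dvcmQ6
C: SHVudGVyMiE=
S: 235 Authentication successful
C: MAIL FROM:<logs@example.net>
S: 250 OK
C: RCPT TO:<attacker.inbox@example.net>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: Keylog from VICTIM-PC
C: MAIL FROM: this is just a line inside the message body
C: .
S: 250 OK queued
C: QUIT
"""

FTP_STREAM = """\
S: 220 ProFTPD Server ready.
C: USER logdrop
S: 331 Password required for logdrop
C: PASS s3cret-ftp
S: 230 User logdrop logged in
C: PASV
S: 227 Entering Passive Mode (203,0,113,10,195,80)
C: STOR keylog_2014-08-18.txt
S: 226 Transfer complete
C: QUIT
"""


def _b64(text):
    """Decode one base64 token; SMTP AUTH sends credentials this way (encoded, not encrypted)."""
    return base64.b64decode(text.strip()).decode("utf-8", "replace")


def _plain(token):
    """An AUTH PLAIN token decodes to: authzid NUL authcid NUL password."""
    parts = _b64(token).split("\0")
    return {"auth_user": parts[-2], "auth_password": parts[-1]}


def _addr(text):
    """Mailbox from a MAIL FROM:/RCPT TO: line, with or without angle brackets."""
    m = re.search(r"<([^>]*)>", text)
    return m.group(1) if m else text.split(":", 1)[1].strip()


def parse_smtp_stream(stream):
    """Pull the server, login and mailboxes the malware uses out of an SMTP stream."""
    out = {"server": None, "auth_user": None, "auth_password": None,
           "mail_from": None, "rcpt_to": []}
    pending = None      # which AUTH continuation line we are waiting for
    in_data = False     # inside the message body after DATA; body lines are not commands
    for line in stream.splitlines():
        if line.startswith("S: "):
            if out["server"] is None and line[3:].startswith("220 "):
                out["server"] = line[7:].split()[0]
            continue
        if not line.startswith("C: "):
            continue
        text = line[3:]
        if in_data:
            if text == ".":
                in_data = False
            continue
        if pending == "login-user":
            out["auth_user"], pending = _b64(text), "login-pass"
            continue
        if pending == "login-pass":
            out["auth_password"], pending = _b64(text), None
            continue
        if pending == "plain":
            out.update(_plain(text))
            pending = None
            continue
        upper, parts = text.upper(), text.split()
        if upper.startswith("AUTH LOGIN"):
            if len(parts) > 2:      # username sent as an initial response
                out["auth_user"], pending = _b64(parts[2]), "login-pass"
            else:
                pending = "login-user"
        elif upper.startswith("AUTH PLAIN"):
            if len(parts) > 2:
                out.update(_plain(parts[2]))
            else:
                pending = "plain"
        elif upper.startswith("MAIL FROM:"):
            out["mail_from"] = _addr(text)
        elif upper.startswith("RCPT TO:"):
            out["rcpt_to"].append(_addr(text))
        elif upper == "DATA":
            in_data = True
    return out


def parse_ftp_stream(stream):
    """Pull the FTP login, passive data endpoint and uploaded file names out of an FTP stream."""
    out = {"user": None, "password": None, "data_endpoint": None, "uploads": []}
    for line in stream.splitlines():
        text = line[3:]
        if line.startswith("S: "):
            # 227 reply: the data connection is to h1.h2.h3.h4 port p1*256+p2
            m = re.search(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", text)
            if m:
                h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
                out["data_endpoint"] = (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
            continue
        if not line.startswith("C: "):
            continue
        cmd, _, arg = text.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            out["user"] = arg
        elif cmd == "PASS":
            out["password"] = arg
        elif cmd in ("STOR", "APPE"):   # upload commands: the log being sent
            out["uploads"].append(arg)
    return out


if __name__ == "__main__":
    print(parse_smtp_stream(SMTP_STREAM))
    print(parse_ftp_stream(FTP_STREAM))
```

The SMTP parser treats lines after DATA as message body until the lone ".", so a "MAIL FROM:" that merely appears inside a keystroke log is not mistaken for the envelope. The PASV reply is decoded because the upload itself travels on that separate data connection, which is where you will find the log contents in a second "Follow TCP Stream".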

That's it! You have found the hacker's drop point. Note: a more advanced hacker will have other ways of covering their tracks, such as sending the logs over TLS (in which case you will only see the server's address, not the credentials), using a web-based control panel, or relaying through a mailbox created with false details. This will not always work, but it is a great first step for backtracing and catching a hacker who has infected your system.
