Results 1 to 12 of 12

Trace hacker

  1. #1
    Platinum Member Mr.Tooth Fairy's Avatar
    Join Date
    Aug 2008

    Default Trace hacker

    Tracing A Hacker
    ## Connections make the world go round ##

    The computer world, at any rate. Every single time you open up a
    website, send an email or upload your webpages into cyberspace, you are
    connecting to another machine in order to get the job done. This, of
    course, presents a major problem, because this simple act is what
    allows malicious users to target a machine in the first place.

    # How do these people find their victim?

    Well, first of all, they need to get hold of the victim's IP Address.
    Your IP (Internet Protocol) address reveals your point of entry to the
    Internet and can be used in many ways to cause your online activities
    many, many problems. It may not reveal you by name, but it may be
    uniquely identifiable and it represents your digital ID while you are
    online (especially so if you're on a fixed IP / DSL etc).

    With an IP address, a Hacker can find out all sorts of weird and
    wonderful things about their victim (as well as causing all kinds of
    other trouble, the biggest two being Portnukes/Trojans and the dreaded
    DoS ((Denial of Service)) attack). Some Hackers like to collect IP
    Addresses like badges, and like to go back to old targets, messing them
    around every so often. An IP address is incredibly easy to obtain -
    until recently, many realtime chat applications (such as MSN) were
    goldmines of information. Your IP Address is contained as part of the
    Header Code on all emails that you send and webpages that you visit can
    store all kinds of information about you. A common trick is for the
    Hacker to go into a Chatroom, paste his supposed website address all
    over the place, and when the unsuspecting victim visits, everything
    about your computer from the operating system to the screen resolution
    can be logged...and, of course, the all important IP address. In
    addition, a simple network-wide port scan will reveal vulnerable target
    machines, and a war-dialler will scan thousands of lines for exposed
    modems that the hacker can exploit.

    So now that you know some of the basic dangers, you're probably wondering how these people connect to a victim's machine?

    ## Virtual and Physical Ports ##

    Everything that you recieve over the Internet comes as a result of
    other machines connecting to your computer's ports. You have two types;
    Physical are the holes in the back of your machine, but the important
    ones are Virtual. These allow transfer of data between your computer
    and the outside world, some with allocated functions, some without, but
    knowing how these work is the first step to discovering who is
    attacking you; you simply MUST have a basic knowledge of this, or you
    won't get much further.

    # What the phrases TCP/UDP actually mean

    TCP/IP stands for Transmission Control Protocol and Internet Protocol,
    a TCP/IP packet is a block of data which is compressed, then a header
    is put on it and it is sent to another computer (UDP stands for User
    Datagram Protocol). This is how ALL internet transfers occur, by
    sending packets. The header in a packet contains the IP address of the
    one who originally sent you it. Now, your computer comes with an
    excellent (and free) tool that allows you to see anything that is
    connected (or is attempting to connect) to you, although bear in mind
    that it offers no blocking protection; it simply tells you what is
    going on, and that tool is NETSTAT.

    ## Netstat: Your first line of defence ##

    Netstat is a very fast and reliable method of seeing exactly who or
    what is connected (or connecting) to your computer. Open up DOS
    (Start/Programs/MS-DOS Prompt on most systems), and in the MSDOS
    Prompt, type:

    netstat -a

    (make sure you include the space inbetween the "t" and the "a").

    If you're connected to the Internet when you do this, you should see something like:

    Active Connections

    Proto Local Address Foreign Address State

    TCP macintosh: 20034 50505 ESTABLISHED

    TCP macintosh: 80 proxy.webcache.eng.sq: 30101 TIME_WAIT




    Now, "Proto(col)" simply means what kind of data transmission is taking
    place (TCP or UDP), "Local address" is your computer (and the number
    next to it tells you what port you're connected on), "Foreign Address"
    is the machine that is connected to you (and what port they're using),
    and finally "State" is simply whether or not a connection is actually
    established, or whether the machine in question is waiting for a
    transmission, or timing out etc.

    Now, you need to know all of Netstat's various commands, so type:

    netstat ?

    You will get something like this:

    Displays protocol statistics and current TCP/IP network connections.

    NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

    -a Displays all connections and listening ports.

    -e Displays Ethernet statistics. This may be combined with the -s option.

    -n Displays addresses and port numbers in numerical form.

    -p proto Shows connections for the protocol specified by proto; proto
    may be TCP or UDP. If used with the -s option to display per-protocol
    statistics, proto may be TCP, UDP, or IP.

    -r Displays the routing table.

    -s Displays per-protocol statistics. By default, statistics are shown
    for TCP, UDP and IP; the -p option may be used to specify a subset of
    the default.

    Have a play around with the various options, but the most important use
    of these methods is when you combine them. The best command to use is

    netstat -an

    because this will list all connections in Numerical Form, which makes
    it a lot easier to trace malicious users....Hostnames can be a little
    confusing if you don't know what you're doing (although they're easily
    understandable, as we shall see later). Also, by doing this, you can
    also find out what your own IP address is, which is always useful.


    netstat -b

    will tell you what ports are open and what programs are connecting to the internet.

    ## Types of Port ##

    It would be impossible to find out who was attacking you if computers
    could just access any old port to perform an important function; how
    could you tell a mail transfer from a Trojan Attack? Well, good news,
    because your regular, normal connections are assigned to low, commonly
    used ports, and in general, the higher the number used, the more you
    should be suspicious. Here are the three main types of port:

    # Well Known Ports These run from 0 to 1023, and are bound to the
    common services that run on them (for example, mail runs on channel 25
    tcp/udp, which is smtp (Simple Mail Transfer Protocol) so if you find
    one of these ports open (and you usually will), it's usually because of
    an essential function.

    # Registered Ports These run on 1024 to 49151. Although not bound to a
    particular service, these are normally used by networking utilities
    like FTP software, Email client and so on, and they do this by opening
    on a random port within this range before communicating with the remote
    server, so don't panic (just be wary, perhaps) if you see any of these
    open, because they usually close automatically when the system that's
    running on them terminates (for example, type in a common website name
    in your browser with netstat open, and watch as it opens up a port at
    random to act as a buffer for the remote servers). Services like MSN
    Messenger and ICQ usually run on these Ports.

    # Dynamic/Private Ports Ranging from 49152 to 65535, these things are
    rarely used except with certain programs, and even then not very often.
    This is indeed the usual range of the Trojan, so if you find any of
    these open, be very suspicious. So, just to recap:

    Well Known Ports 0 to 1023 Commonly used, little danger.

    Registered Ports 1024 to 49151 Not as common, just be careful.

    Dynamic/Private Ports 49152 to 65535 Be extremely suspicious.

    ## The hunt is on ##

    Now, it is essential that you know what you're looking for, and the
    most common way someone will attack your machine is with a Trojan. This
    is a program that is sent to you in an email, or attempts to bind
    itself to one of your ports, and when activated, it can give the user
    your passwords, access to your hard drive...they can even make your CD
    Tray pop open and shut. At the end of this Document, you will find a
    list of the most commonly used Trojans and the ports they operate on.
    For now, let's take another look at that first example of Netstat....

    Active Connections

    Proto Local Address Foreign Address State

    TCP macintosh: 27374 50505 ESTABLISHED

    TCP macintosh: 80 proxy.webcache.eng.sq: 30101 TIME_WAIT




    Now, straight away, this should make more sense to you. Your computer
    is connected on two ports, 80 and 27374. Port 80 is used for http/www
    transmissions (ie for all intents and purposes, its how you connect to
    the net, although of course it's a lot more complicated than that).
    Port 27374, however, is distinctly suspicious; first of all, it is in
    the registered port range, and although other services (like MSN) use
    these, let's assume that you have nothing at all running like instant
    messengers, webpages're simply connected to the net through
    proxy. So, now this connection is looking even more troublesome, and
    when you realise that 27374 is a common port for Netbus (a potentially
    destructive Trojan), you can see that something is untoward here. So,
    what you would do is:

    1) run Netstat , and use:

    Netstat -a


    Netstat -an

    So you have both Hostnames AND IP addresses.

    ## Tracerouting ##

    Having the attacker's IP is all well and good, but what can you do with
    it? The answer is, a lot more! It's not enough to have the address, you
    also need to know where the attacker's connections are coming from. You
    may have used automated tracerouting tools before, but do you jknow how
    they work?

    Go back to MSDOS and type

    tracert *type IP address/Hostname here*

    Now, what happens is, the Traceroute will show you all the computers
    inbetween you and the target machine, including blockages, firewalls
    etc. More often than not, the hostname address listed before the final
    one will belong to the Hacker's ISP Company. It'll either say who the
    ISP is somewhere in there, or else you run a second trace on the new
    IP/hostname address to see who the ISP Company in question is. If the
    Hostname that you get back doesn't actually seem to mention an actual
    geographical location within its text, you may think all is lost. But
    fear not! Suppose you get a hostname such as

    Well, that tells us nothing, right? Wrong....simply enter the hostname
    in your browser, and though many times you will get nothing back,
    sometimes it will resolve to an ISP, and from there you can easily find
    out its location and in what areas they operate. This at least gives
    you a firm geographical location to carry out your investigations in.

    If you STILL have nothing, as a last resort you COULD try connecting to
    your target's ISP's port 13 by Telnet, which will tell you how many
    hours ahead or behind this ISP is of GMT, thus giving you a
    geographical trace based on the time mentioned (although bear in mind,
    the ISP may be doing something stupid like not having their clocks set
    correctly, giving you a misleading trace. Similarly, a common tactic of
    Hackers is to deliberately have their computer's clock set to a totally
    wrong time, so as to throw you off the scent). Also, unless you know
    what you're doing, I wouldn't advise using Telnet (which is outside the
    parameters of this tutorial).

    ## Reverse DNS Query ##

    This is probably the most effective way of running a trace on somebody.
    If ever you're in a chatroom and you see someone saying that they've
    "hacked into a satellite orbiting the Earth, and are taking pictures of
    your house right now", ignore them because that's just bad movie
    nonsense. THIS method is the way to go, with regard to finding out what
    country (even maybe what State/City etc) someone resides, although it's
    actually almost impossible to find an EXACT geographical location
    without actually breaking into your ISP's Head Office and running off
    with the safe.

    To run an rDNS query, simply go back to MS-DOS and type


    and hit return. Any active connections will resolve to hostnames rather than a numerical format.

    # DNS

    DNS stands for Domain Name Server. These are machines connected to the
    Internet whose job it is to keep track of the IP Addresses and Domain
    Names of other machines. When called upon, they take the ASCII Domain
    Name and convert it to the relevant numeric IP Address. A DNS search
    translates a hostname into an IP address....which is why we can enter
    "" and get the website to come up, instead of having to
    actually remember Hotmail's IP address and enter that instead. Well,
    Reverse DNS, of course, translates the IP Address into a Hostname (ie -
    in letters and words instead of numbers, because sometimes the Hacker
    will employ various methods to stop Netstat from picking up a correct

    So, for example, is NOT a Hostname. IS a Hostname.

    Anyway, see the section at the end? (au) means the target lives in
    Australia. Most (if not all) hostnames end in a specific Country Code,
    thus narrowing down your search even further. If you know your target's
    Email Address (ie they foolishly sent you a hate mail, but were silly
    enough to use a valid email address) but nothing else, then you can use
    the Country codes to deduce where they're from as well. You can also
    deduce the IP address of the sender by looking at the emails header (a
    "hidden" line of code which contains information on the sender)...on
    Hotmail for example, go to Preferences, and select the "Full Header's
    Visible" option. Alternatively, you can run a "Finger" Trace on the
    email address, at:

    Plus, some ISP's include their name in your Email Address with them too
    (ie Wanadoo, Supanet etc), and your Hacker may be using an email
    account that's been provided by a Website hosting company, meaning this
    would probably have the website host's name in the email address (ie
    Webspawners). So, you could use the information gleaned to maybe even
    hunt down their website (then you could run a website check as
    mentioned previously) or report abuse of that Website Provider's Email
    account (and thus, the Website that it goes with) to

    If your Hacker happens to reside in the USA, go to:

    for a complete list of US State abbreviatons.

    ## List of Ports commonly used by Trojans ##

    Please note that this isn't a complete list by any means, but it will
    give you an idea of what to look out for in Netstat. Be aware that some
    of the lower Ports may well be running valid services.

    UDP: 1349 Back Ofrice DLL

    31337 BackOfrice 1.20

    31338 DeepBO

    54321 BackOfrice 2000

    TCP: 21 Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash

    23 Tiny Telnet Server

    25 Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, Terminator, WinPC, WinSpy, Kuang2 0.17A-0.30

    31 Hackers Paradise

    80 Executor

    456 Hackers Paradise

    555 Ini-Killer, Phase Zero, Stealth Spy

    666 Satanz Backdoor

    1001 Silencer, WebEx

    1011 Doly Trojan

    1170 Psyber Stream Server, Voice

    1234 Ultors Trojan

    1243 SubSeven 1.0 - 1.8

    1245 VooDoo Doll

    1492 FTP99CMP

    1600 Shivka-Burka

    1807 SpySender

    1981 Shockrave

    1999 BackDoor 1.00-1.03

    2001 Trojan Cow

    2023 Ripper

    2115 Bugs

    2140 Deep Throat, The Invasor

    2801 Phineas Phucker

    3024 WinCrash

    3129 Masters Paradise

    3150 Deep Throat, The Invasor

    3700 Portal of Doom

    4092 WinCrash

    4567 File Nail 1

    4590 ICQTrojan

    5000 Bubbel

    5000 Sockets de Troie

    5001 Sockets de Troie
    5321 Firehotcker

    5400 Blade Runner 0.80 Alpha

    5401 Blade Runner 0.80 Alpha

    5402 Blade Runner 0.80 Alpha

    5400 Blade Runner

    5401 Blade Runner

    5402 Blade Runner

    5569 Robo-Hack

    5742 WinCrash

    6670 DeepThroat

    6771 DeepThroat

    6969 GateCrasher, Priority

    7000 Remote Grab

    7300 NetMonitor

    7301 NetMonitor

    7306 NetMonitor

    7307 NetMonitor

    7308 NetMonitor

    7789 ICKiller

    8787 BackOfrice 2000

    9872 Portal of Doom

    9873 Portal of Doom

    9874 Portal of Doom

    9875 Portal of Doom

    9989 iNi-Killer

    10067 Portal of Doom

    10167 Portal of Doom

    10607 Coma 1.0.9

    11000 Senna Spy

    11223 Progenic trojan

    12223 Hack?99 KeyLogger

    12345 GabanBus, NetBus

    12346 GabanBus, NetBus

    12361 Whack-a-mole

    12362 Whack-a-mole

    16969 Priority

    20001 Millennium

    20034 NetBus 2.0, Beta-NetBus 2.01

    21544 GirlFriend 1.0, Beta-1.35

    22222 Prosiak

    23456 Evil FTP, Ugly FTP

    26274 Delta

    30100 NetSphere 1.27a

    30101 NetSphere 1.27a

    30102 NetSphere 1.27a

    31337 Back Orifice

    31338 Back Orifice, DeepBO

    31339 NetSpy DK

    31666 BOWhack

    33333 Prosiak

    34324 BigGluck, TN

    40412 The Spy

    40421 Masters Paradise

    40422 Masters Paradise

    40423 Masters Paradise

    40426 Masters Paradise

    47262 Delta

    50505 Sockets de Troie

    50766 Fore

    53001 Remote Windows Shutdown

    54321 SchoolBus .69-1.11

    61466 Telecommando

    65000 Devil

    ## Summary ##

    I hope this tutorial is useful in showing you both how to secure
    yourself against unwanted connections, and also how to determine an
    attacker's identity. The Internet is by no means as anonymous as some
    people think it is, and although this is to the detriment of people's
    security online, this also works both IS possible to find
    and stop even the most determined of attackers, you just have to be
    patient and keep hunting for clues which will help you put an end to
    their exploits.
    Am just the dreamer,,,, I dream my life away..:confused::confused:

  2. #2
    Join Date
    Jul 2008


    nice work thanks

  3. #3
    Platinum Member Mr.Tooth Fairy's Avatar
    Join Date
    Aug 2008


    welcome! saumik.. if i remember your name properly
    Am just the dreamer,,,, I dream my life away..:confused::confused:

  4. #4
    Join Date
    Aug 2007

  5. #5
    Join Date
    Jul 2008


    Quote Originally Posted by milan View Post
    welcome! saumik.. if i remember your name properly
    thanks but its soumik milan!!

  6. #6
    Guardian Angel just4kix's Avatar
    Join Date
    Dec 2007


    Good information. But I will suggest that you make your headings bold or underlined or both and break down long paragraphs. Also remove extra blank lines.

    Given repo points to you.
    *** Never argue with an idiot. ***

    All my useful articles and Guides | My DVDs | My Blu-Rays | My Blogs

  7. #7


    Milan do you know Ankit Fadia ??

  8. #8
    Platinum Member Mr.Tooth Fairy's Avatar
    Join Date
    Aug 2008


    @shadowcon i have heard of him.. can u pl tell me more detailes of him.. in what field.. and where... about ankit fadia.........

    @kixxi.. thanks a lot.. for atleast appretiating my work.. but my rep power stull 1!!. checked forum stats it says 3/5 somethin.. can u plz tell wats it?? how it changes and all.. take care
    Last edited by Mr.Tooth Fairy; 20th September 2008 at 08:28 PM. Reason: Automerged Doublepost
    Am just the dreamer,,,, I dream my life away..:confused::confused:

  9. #9
    Guardian Angel just4kix's Avatar
    Join Date
    Dec 2007


    I don't know how rep power works. Each time someone adds reputation, 1 point is added. Admin can give as many points as he likes.

    Also, once you give repo points to someone, you cannot give repo points to the same person for some time.
    *** Never argue with an idiot. ***

    All my useful articles and Guides | My DVDs | My Blu-Rays | My Blogs

  10. #10
    Platinum Member Mr.Tooth Fairy's Avatar
    Join Date
    Aug 2008


    i will do the editing.. but i dont find any option to edit.. how to edit this post now?? i have to go to my subscribed thread or user cp?? pl tell

    thanks kixxi.. i will ask admin only for rep points...
    Last edited by Mr.Tooth Fairy; 20th September 2008 at 08:33 PM. Reason: Automerged Doublepost
    Am just the dreamer,,,, I dream my life away..:confused::confused:

  11. #11
    Guardian Angel just4kix's Avatar
    Join Date
    Dec 2007


    Forget this post for now for editing. Just remember next time.
    *** Never argue with an idiot. ***

    All my useful articles and Guides | My DVDs | My Blu-Rays | My Blogs

  12. #12
    Platinum Member Mr.Tooth Fairy's Avatar
    Join Date
    Aug 2008


    k kixxi budy as u say.. after all " guardian angel"
    Am just the dreamer,,,, I dream my life away..:confused::confused:

Similar Threads

  1. Process Hacker! by
    By Pistole_lachen in forum Windows
    Replies: 0
    Last Post: 6th March 2012, 11:17 PM
  2. Calling all techies.... need help with trace routes...
    By Admin in forum Suggestions and Complaints
    Replies: 5
    Last Post: 1st February 2010, 09:49 PM
  3. Ways by which Hacker Can Get Into Your Computer
    By rajkumarvats in forum Computer Security
    Replies: 5
    Last Post: 20th August 2009, 03:42 PM
  4. Visual Trace Routing of any domain from your PC
    By vikramjb in forum DSL Broadband Service Providers
    Replies: 7
    Last Post: 10th February 2009, 09:27 PM
  5. trace tv
    By lamda11 in forum Dish tv
    Replies: 0
    Last Post: 24th October 2008, 12:44 PM