The following describes how to detect an intrusion when no intrusion detection system is in place. The signs of an intrusion generally come from four areas; if an attacker has broken into a system, traces of the intrusion can be found in these four areas.
There are many intrusion methods, and the symptoms a computer shows after being compromised differ accordingly. Intrusions have two broad purposes. One is to steal data, intelligence and other people's private information; such attacks have no obvious effect on the compromised system, and it may take a while before they are noticed. The other aims to damage the functions of the computer system; such intrusions often cause inexplicable faults, which are the hallmark of an overt attack.
1. System and network log files
Attackers often leave traces in system log files, so making full use of system and network log information is a necessary condition for detecting intrusions. Logs record evidence of unusual and undesirable activity on the system and network, which can indicate that someone is attempting to intrude or has already succeeded. By reviewing log files you can find both successful intrusions and intrusion attempts.
Log files record many types of behaviour, and each type carries different information. For example, logs of the "user activity" type include logons, user ID changes, user access to files, and authorization and authentication events. Abnormal or unexpected behaviour includes repeated logon failures, logons from unexpected locations, and unauthorized access attempts. Log files are also where attackers leave the most information, so check them regularly and promptly identify suspicious records.
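As an added illustration (not from the original article), here is a small Python script that applies two of these checks to a few constructed, OpenSSH-style authentication log lines: it counts failed logons per source address and flags successful logons from addresses outside an assumed expected internal range. The sample lines, the 10.0.0.0/8 "expected" range and the threshold of three failures are all assumptions made for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample auth log lines (not real data), in an OpenSSH-like format.
SAMPLE_LOG = """\
Mar  3 08:01:12 host sshd[2101]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar  3 08:01:15 host sshd[2101]: Failed password for root from 203.0.113.9 port 51023 ssh2
Mar  3 08:01:19 host sshd[2101]: Failed password for admin from 203.0.113.9 port 51024 ssh2
Mar  3 08:02:02 host sshd[2107]: Accepted password for admin from 203.0.113.9 port 51030 ssh2
Mar  3 09:15:40 host sshd[2210]: Accepted publickey for alice from 10.0.0.25 port 40112 ssh2
Mar  3 09:16:03 host sshd[2214]: Failed password for bob from 10.0.0.31 port 40120 ssh2
"""

# Addresses from which logons are expected (assumed internal range for this example).
EXPECTED_NETS = [ip_network("10.0.0.0/8")]
FAIL_THRESHOLD = 3  # assumed: this many failures from one source is worth a look

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse(log_text):
    """Yield (result, user, ip) for each sshd authentication line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")

def analyze(log_text):
    """Report repeated failures per source and successful logons from unexpected locations."""
    failures = Counter()
    unexpected = []
    for result, user, ip in parse(log_text):
        if result == "Failed":
            failures[ip] += 1
        elif not any(ip_address(ip) in net for net in EXPECTED_NETS):
            unexpected.append((user, ip))
    repeated = {ip: n for ip, n in failures.items() if n >= FAIL_THRESHOLD}
    return {"repeated_failures": repeated, "unexpected_logons": unexpected}

if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        print(kind, items)
```

On the sample input the script reports three failures from 203.0.113.9 followed by a successful logon from that same outside address, which is exactly the pattern the paragraph describes.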
2. Abnormal changes in directories and files
File systems in a networked environment contain a great deal of software and data. Files containing important information and private data are frequent targets for attackers to tamper with or destroy. If directories and files change unexpectedly (modification, creation, or deletion), especially ones to which access is normally restricted, this is very likely a sign of intrusion.
Attackers often replace or access system files, and they do their best to replace system programs or modify system log files to hide traces of their activity. This requires you to be familiar with your own file system and to check for changes in system directories and important data directories. It is recommended that you keep a record (a baseline) of these files so that, if anything changes, you can judge whether the system has been compromised.
3. Undesirable behaviour during program execution
Programs running on networked systems generally include the operating system, network services, user-initiated programs, and specific applications such as database servers. Each program is generally implemented as one or more processes, and each process runs in an environment with its own permissions. A process's execution behaviour consists of the operations it performs while running; the system resources it uses depend on those operations, which include data computation, file transfer, and network communication.
When a process behaves unexpectedly, it may indicate that an attacker is intruding into your system. Attackers may crash programs or services so that they fail, or run them contrary to the intent of the user or administrator. Sometimes the system becomes unstable, crashes inexplicably, or slows down. As long as you pay attention, such anomalies are easy to spot. Of course, many other factors can cause the same symptoms, so each case must be analysed on its own merits.
4. Physical intrusion information
This covers two aspects: unauthorized connection of network hardware and unauthorized access to physical resources.
In general, attackers look for ways to break through the network's perimeter defences. If they can physically access the intranet, they can install their own devices and software, which serve as backdoors through which they can freely access the network.
This type of intrusion is generally revealed by suspicious network device connections. In addition, attackers may exploit the electromagnetic emissions of network devices to steal information or intrude into the system; such a device need not be physically connected to the system at all.
Attackers may also find "insecure" devices that users have added to the network and use them to gain access. For example, a user may install a modem to allow remote access from home to the computer in the office. An attacker can then use an automatic scanning tool to find modems connected to telephone lines; dial-up access is identified automatically, so the attacker locates the modem and uses it as a backdoor into the intranet where the office is located, bypassing the office network's firewall. From there the attacker can capture network traffic, steal information, and attack systems. The root cause of this kind of intrusion is abnormal use of network devices. For the remote-access case described above, suspicious connections can be found in the telephone call records.