Need info and to Capture intruding IP 2

Status
Not open for further replies.

lifesupport

Programmer
May 18, 2004
64
US
How do I capture the IP of an intruder on my home machine?
This intruder is able to determine the moment I go on the web. How is he able to do this? I have Norton Protection Center installed on my machine.

Thanks
 
There are a couple questions that should be asked.

How were you able to determine that your home machine was hacked? What type of things are happening that make you think you've been hacked?

As far as knowing for sure, try looking at the following. It will give you some steps to take to determine if there is something actually happening:


Once you have determined what is going on, and to ensure a clean PC, look at some of the suggestions in:

forum760
 
Try installing Zone Alarm's firewall and only allow access to your home machine(s). It will capture all IPs in the log file.
 
It was/is a neighbor. I may still have a trojan on my machine. They were eavesdropping on conversations in my house and sending prank calls and computer spam on that very topic. They were reading my email and doing the same making sure I was aware of what was happening. It was easy for them to eavesdrop on my email because the company I was with forced the customer to use their name as part of the email and they never allowed you to change the main email address.

These are good suggestions - thanks. I had Zone Alarm on both machines, but didn't know it kept a log of IPs, so I can check this. I'm wondering if the IP would show if this was done via trojan? At one point they were interfering with my work by freezing my machine. I had wall watcher installed and opened it up and immediately the freezing stopped and never happened again, but wall watcher never captured the IP. How are they able to determine when I connect to the web - thru a trojan?
 
There are a couple different explanations for the actions that have occurred.

1. The neighbor is not the culprit, but being used by the real "cracker", and you've been infected by malware, either trojan, or other malware that announces your presence on a network.

2. It is your neighbor, and you've been infected by malware, either trojan, or other malware that announces your presence on a network.

If it is your neighbor, it will be difficult to determine exactly what it is that infected your computer, as it could be custom malware (written by your neighbor) that anti-virus/malware companies are not aware of.

I am not a lawyer, and make no claim to be versed in law, but you may want to seek law enforcement assistance on this. Specifically, the cyber crime portion of your local law enforcement. They will be able to determine exactly who is doing what, and how they are doing it. This can get you far more headway than finding out what the IP is, as it is easy to mask/hide the real IP of the "offender".

One thing you can try, and I believe it states this in the SANS site I posted earlier, is to just do a netstat. Depending on your operating system, there are more "options" that you can use with netstat that will show you more than just "who you are connected to".
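An added example, not written by anyone in this thread: a Python sketch of the netstat check suggested above. It parses Windows `netstat -ano` output (the sample text is constructed, using documentation addresses) and lists established TCP peers with the owning PID, marking whether each peer is on the local network or the internet.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:5354         127.0.0.1:49160        ESTABLISHED     1480
  TCP    192.168.1.20:49201     192.168.1.1:80         ESTABLISHED     3120
  TCP    192.168.1.20:49233     203.0.113.45:6667      ESTABLISHED     2764
  TCP    192.168.1.20:49240     198.51.100.7:443       TIME_WAIT       0
  TCP    [::1]:49170            [::1]:49171            ESTABLISHED     1480
  UDP    0.0.0.0:5353           *:*                                    1480
"""

# Ranges treated as "lan": RFC 1918, IPv4/IPv6 link-local, IPv6 unique-local.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fe80::/10", "fc00::/7")]

def split_endpoint(endpoint):
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)

def external_connections(netstat_text):
    """Return (remote_ip, remote_port, pid, scope) for established TCP peers."""
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly 5 columns; headers and UDP rows do not.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        try:
            host, port = split_endpoint(fields[2])
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # unparsable foreign address
        if addr.is_loopback:
            continue  # local inter-process traffic, not a remote peer
        # LAN peers are kept: a nearby machine on the same network is still a remote host.
        scope = "lan" if any(addr in net for net in LAN_NETS) else "internet"
        rows.append((str(addr), port, int(fields[4]), scope))
    return rows

if __name__ == "__main__":
    for ip, port, pid, scope in external_connections(SAMPLE):
        print(f"{ip}:{port}  pid={pid}  ({scope})")
```

On a live machine, save the output of `netstat -ano` to a file and pass its contents to `external_connections`; a PID of interest can then be matched to a process name with `tasklist`.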
 
Thanks again for your help. I'll do the netstat as you suggested as well as contact authorities.
 
Is your router wireless capable, and if so, do you have it locked down and not broadcasting? This is an easy way to get into a system.
 
Wireshark. That will give you the tcp/udp ports the attacker is coming through. I myself am not into going the law enforcement way---I say an eye for an eye...ha ha.

Burt
 
burtsbees, although I myself would like to do the same thing, eye for an eye per se, I cannot ask someone to do the same. Personally, I think it is always better to CYA (Cover Your A$$) when it comes to this sort of thing.
 