There are 18 victims of cyber attacks per second , 30,000 hacked websites a day, 6000 new viruses a month, and 87 days to realize that we have been hacked.

I do not think I need to remind you that cyber threats are to be taken very seriously. Not only must you be proactive and do your utmost to avoid being hacked, but you must be reactive and know how to immediately detect a problem. This is the purpose of this article.

Here are some of the signs that should put you in the dark about potential hacking.

Direct signs of hacking

These signs should put you in an emergency situation . Here are the main ones:

  • Account suddenly inaccessible (using the usual password)
  • Hadopi’s e-mail without having made a crime
  • Mouse cursor or graphic elements that move “on their own
  • Live message from hacker or malware (but beware of blackmail, see below for “false signs of hacking”)
  • Encrypted files ( ransomware )
  • Unauthorized and / or unknown purchases via one of your bank accounts
  • Unusual activities on an account such as a publication on your behalf (ex: on Facebook )

Indirect signs of piracy

These signs are not necessarily obvious to spot and do not necessarily mean that there has been hacking . Here are the main ones:

  • Suspicious account access (generated alert email)
  • Computer suddenly slow at startup
  • E-mails marked as read without having read them
  • Click on a program that has no effect or leads to an error
  • Deleted, moved, renamed files

I have an anecdote to tell you about the e-mail reporting a “suspicious connection” generated by Facebook .

You can imagine the stress this email provides when you’re not on your computer, you’ve never been to Spain, and you do not know anyone there.

So I try to remember the last place of connection, and what I could do to give my password so easily, but I can not find any leads .

Then I decide to check that the proximity indicated by Facebook is correct . By clicking on “Check Connection”, I can read the IP address. I hasten to make a traceroute to see if the connection comes from Spain. And as soon as the resolution of the IP address in host name (name of a machine connected to the Internet), I discover that it is the IP address of the University of Strasbourg where I connected well the same morning, in France and 2000 km from Almeria ! The e-mail took a lot of time to send me, distorting the timing, in addition to the geolocation problem.

Here is a proof that the location of the IP address is not always accurate, and here is also why you sometimes get connection locations far away from home . And that’s not to mention the connections via 3G / 4G / EDGE / etc with your smartphone that go through the IP addresses of the provider, so in other cities / regions than yours .

My anecdote can reassure you at this level even if a suspicious connection can really be , especially if the IP address comes from another city and you have no reason to think that it is a legitimate connection .

To do a traceroute on Windows , do the following:

  • Press the Windows and R keys simultaneously.
  • Type “cmd.exe” and then press Enter.
  • Type “tracert <IP ADDRESS>”

On Linux and Mac , it is the “traceroute” command after installing the corresponding package if it is not installed by default:

  sudo apt-get install traceroute 

Observe the paths taken by the packets (information about the crossed cities is displayed)

Here packets go from Strasbourg to Amsterdam, so the IP address in question comes from Strasbourg.

False signs of piracy

Following many emails and comments about an email from a “hacker” said to have hacked your accounts and accessed your webcam to film you without your knowledge to ask you a ransom on pain of dissemination videos: this is a blackmail to make you pay for something that has not happened. You have not been hacked.

The message contains a lot of variations, but usually says:

“You do not know me and you wonder why you receive this e-mail […] I set up a virus on an adult site (porn) […] and you visited this site to have fun […] ] While you were watching videos, my software put a virus on your computer and filmed you through your webcam […] I created a double-screen video, the first part shows the video you were watching, the other shows your webcam […] Please buy bitcoins and pay me under penalty of broadcasting videos […] I guarantee that I will not bother you later “.

Many articles already speak on the Internet, on pcastuces, on zataz, etc … I will not make it yet another article but I wanted to reassure you. Initially, this mail was in English (and was already sent a few years ago! Sometimes it was vaguely translated into French, but now the French-speaking pirates took over …)

How to be sure that it is not true?

Well, it would be in the pirate’s interest to provide you with even minimal evidence to make you pay in a safe way. However, the fact that your password is in the the mail is not sufficient proof , and the fact that the email comes from your own e-mail address is also not sufficient evidence (it is rather a problem with the e-mail provider used …).

How to know if you are hacked in 6 steps

Here are now 6 investigation steps that will allow you to know for sure if you are hacked. I will do an example simulation at the same time.

1. Observe network activity of programs

Usually, malicious software will seek to communicate with the outside world, either to receive orders or to send information stolen remotely.

The problem is that a lot of software also communicate, and legitimately . We will have to quickly understand the network activity and know how to extract the content that interests us.

For this, you can install TcpView , and launch it to observe the programs on your computer that communicate with the outside:

Obviously, a program that appears to be a virus has made a network connection with the following remote address:

By taking a look at , we see that the address belongs to Microsoft :

But what is Microsoft doing here?

In fact, in the column “Remote Port”, we distinguish “smtp”, that is to say that the program in question has just sent an email probably using a Microsoft account.

There are various reasons (malicious or not) to send an email, a keylogger could for example send your personal information to a hacker.

2. Observe the history of downloaded files

This is the first thing to do if you suspect a program is causing hacking. The history of downloaded files is usually accessible via the web browser . The latter normally retains the download date and the place where the program was stored on the computer.

If you spot a suspicious program, do not delete it immediately , but scan it via VirusTotal and / or Malwr:

Bingo, this is a keylogger:

3. Track a hacker

Hackers, or rather “hackers” are not always as smart as we think. Some use the tools of others without even knowing how they work. This suits us well, because we can potentially find the author of a malicious program, provided we have already identified the program in question.

In this case, we can find the coordinates of the pirate … in his own program.

4. Observe the logs

Logs are automatic records of the state of certain software, or the system. For example, if a software starts to crash, a message will probably be written in the logs indicating the time of the crash and perhaps the reason for it.

Logs do not only log error messages, but contain other important information , such as computer boot time, installed programs, launched programs … etc.

So, to a certain extent, you can re-show in the history of the computer . I have already spoken several times about the program that does this very well: LastActivityView .

Re-Bingo, it seems that a certain “potential virus” launched at the same time as Flashplayerplugin , about 5 minutes after starting the computer:

Far be it from us to accuse Flash Player of trying to hack us, but it seems rather that a malicious program has hidden in the plugin, if it is already the real plugin Flash Player.

In this regard, I wanted to mention the site which allows you to enter your e-mail address to determine if a site on which you registered with your e-mail address has been hacked in the past. Imagine for example that during the hacking of Adobe in 2013, you were registered on their site. Hackers stole and shared the database containing encrypted passwords, including yours! Although the password is encrypted, it is possible that it has been decrypted, leading to bad accounts at the moment, and especially if you always use the same password.

5. Observe the processes

This is a straightforward way, albeit quite complicated for a novice, to observe the programs launched on the computer at a given moment. Here, we already spotted the name of the malicious program, but we could very well have done it via a task manager. I say “A” task manager because there are several, and even if the one delivered by default with Windows is sufficient in most cases, there are advanced task managers like Process Explorer . The term “advanced” refers to the additional features provided by this tool. These include direct VirusTotal analysis, signature verification, more pleasing graphics, and (very) detailed information about each process.

Here is what can be observed by displaying the properties of the program supposed to be Flash Player Plugin :

And here’s what the properties of a real Flash program look like:

Note that the “Verified” indication indicates that the program signature has been verified . Signing executable programs is extremely useful. In short, when the program is published, the publisher digitally signs it. This signature can then be verified with an authority. And the slightest change in the program directly invalidates the signature , indicating at the same time that the program is not authentic.