Most computer vulnerabilities can be exploited in several ways. Hackers may use one specific exploit, several exploits at the same time, a weak configuration of one of the system's components, or even a backdoor planted in advance.
In view of the above, detecting hacker attacks is not an easy task, especially for inexperienced users. This article provides some pointers to help you tell whether your machine is under attack or whether your system's security has already been compromised. If your system has been hacked, it is likely that your machine will show at least one of the following behaviors.

Windows Machines:

Abnormally high outgoing network traffic. If you are using dial-up or ADSL and you notice an unusually high volume of outgoing traffic (especially when your computer is idle or is not transferring anything that would explain it), then it is possible that your computer is compromised. Your computer may be being used to send spam, or it may be infected by a self-replicating network worm that is sending out copies of itself. For cable connections this observation is less relevant: it is quite common to have as much outgoing traffic as incoming traffic, even if you only visit sites or download files from the Internet.

Higher disk activity or suspicious files in the root directory of any drive. After breaking into a system, many hackers search it for interesting documents and files, such as those containing usernames and passwords for e-payment accounts like PayPal. In the same way, some worms search the disk for files containing e-mail addresses in order to use them to propagate. If you notice heavy disk activity even when the system is idle, or files with suspicious names in ordinary folders, this may be an indication that the system has been hacked or infected with malware.

A large number of packets from a single address being stopped by a personal firewall. After locating a target (for example, the IP address of a company or of a home-network user), hackers often launch tools that try various exploits to break into the system. If you are using a personal firewall (an essential defense against hacker attacks) and you notice an unusually high number of stopped packets coming from the same address, this is a sign that your computer is being attacked.

The good news is that if your personal firewall is reporting these attacks, then you are probably protected. However, depending on the number of services you expose to the Internet, the personal firewall may not be able to protect you if the attack targets a specific service, such as an FTP server running on your system that has been made accessible to everyone. In this case, the solution is to temporarily block the IP address in question until the connection attempts cease. Many personal firewalls and IDSs have a built-in feature for doing exactly this.
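To turn the "many stopped packets from one address" sign into a repeatable check, here is an added example (not code from the original article) that counts DROP entries per source address in a Windows Firewall log, assuming the pfirewall.log W3C layout (date time action protocol src-ip dst-ip src-port dst-port size ...); the log path, threshold and sample lines are constructed for illustration:

```shell
#!/bin/sh
# Added example, not from the original article: count dropped packets per
# source address in a Windows Firewall log (pfirewall.log, W3C layout:
# date time action protocol src-ip dst-ip src-port dst-port size ...).
# The log path and the threshold are assumptions chosen for illustration.

# count_blocked_by_source LOGFILE THRESHOLD
# Prints "count src-ip" for every source with at least THRESHOLD dropped
# packets, busiest first. Returns 1 if any source crossed the threshold,
# 0 otherwise, so it can drive an alert or a temporary block rule.
count_blocked_by_source() {
    hits=$(awk -v thr="$2" '
        /^#/ { next }                      # skip the #Software/#Fields header
        $3 == "DROP" { n[$5]++ }           # field 5 is the source IP
        END { for (ip in n) if (n[ip] >= thr + 0) print n[ip], ip }
    ' "$1")
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits" | sort -rn
    return 1
}

# write_sample_log FILE: writes a small constructed log (documentation
# address ranges) so the script can be run stand-alone.
write_sample_log() {
    cat > "$1" <<'EOF'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2024-01-15 10:00:01 DROP TCP 203.0.113.5 192.168.1.10 51234 21 52
2024-01-15 10:00:01 DROP TCP 203.0.113.5 192.168.1.10 51235 22 52
2024-01-15 10:00:02 DROP TCP 203.0.113.5 192.168.1.10 51236 445 52
2024-01-15 10:00:02 ALLOW TCP 192.168.1.10 198.51.100.7 50000 443 60
2024-01-15 10:00:03 DROP UDP 198.51.100.7 192.168.1.10 40000 137 78
EOF
}

# Stand-alone run: with a threshold of 3 only 203.0.113.5 is reported.
write_sample_log /tmp/sample-pfirewall.log
count_blocked_by_source /tmp/sample-pfirewall.log 3 || echo "threshold exceeded"
```

The addresses printed are the candidates for the temporary block the article recommends; on a real log, raise the threshold to match normal background noise for your connection.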

Your antivirus suddenly warns you that backdoors or Trojans have been detected, even though you have not done anything unusual. Although hacker attacks can be complex and innovative, many rely on already-known backdoors or Trojans to gain access to a compromised system. If your antivirus detects and reports such malware, this may be an indication that your system is accessible from the outside.

Unix Machines:

Suspicious files saved in the /tmp folder. Many exploits of Unix systems rely on creating temporary files in the standard /tmp folder. These files are not always deleted after the system has been hacked. The same goes for some worms that infect Unix systems: they copy themselves into /tmp, which they then use as their "home".

Modified system binaries, such as "login", "telnet", "ftp", "finger", or more complex daemons such as "sshd", "ftpd", etc. After entering the system, a hacker usually tries to secure their access by installing a backdoor in one of the daemons that provide direct access to the system. They can also do this by modifying the standard system utilities used to connect to other systems. Modified binaries are often part of a rootkit and usually remain "invisible" to a direct check. In any case, it is good practice to maintain a database of checksums for each system utility and to verify them regularly while the computer is disconnected from the network and in single-user mode.
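The checksum database the paragraph recommends, as an added example that is not code from the original article: the list of binaries and the baseline path are assumptions, and the baseline should be built on a system believed clean and kept off-line, since a rootkit that also replaced the hashing tool or the baseline file could otherwise hide the change.

```shell
#!/bin/sh
# Added example, not from the original article: keep a checksum database
# for the system binaries the article names and re-verify it later.
# The binary list and the baseline path are assumptions.

DEFAULT_BINS="/bin/login /usr/bin/telnet /usr/bin/ftp /usr/bin/finger /usr/sbin/sshd /usr/sbin/ftpd"

# hash_file FILE: prints the SHA-256 of FILE (GNU coreutils or BSD shasum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# build_baseline BASELINE [FILE...]
# Writes "hash path" for each existing FILE (default: DEFAULT_BINS).
build_baseline() {
    out="$1"; shift
    [ $# -gt 0 ] || set -- $DEFAULT_BINS
    : > "$out"
    for f in "$@"; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$out"
    done
}

# verify_baseline BASELINE
# Prints MODIFIED/MISSING for each binary that no longer matches; returns 1
# if anything differed, 0 if the whole baseline still holds.
verify_baseline() {
    bad=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; bad=1
        elif [ "$(hash_file "$path")" != "$sum" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$1"
    return $bad
}

# Typical use, from single-user mode as the article advises:
#   build_baseline /root/bin-baseline.sha256          # once, on a clean system
#   verify_baseline /root/bin-baseline.sha256 || echo "binaries changed!"
```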

Modified /etc/passwd, /etc/shadow, or other system files in the /etc folder. Hacker attacks sometimes add a new user to /etc/passwd, which lets the hacker log in remotely later. Check that the passwd file does not contain a suspicious username, and review every addition, especially if you are working on a multi-user system.

Suspicious services added in /etc/services. To open a backdoor in a Unix system, it is sometimes enough to add two lines of text: the door is opened by editing the /etc/services and /etc/inetd.conf files. Check these two files carefully for additions that would indicate an open door bound to an unused or suspicious port.
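The account and service checks described in the two items above, as one added example that is not code from the original article: it flags extra UID-0 accounts in a passwd file, passwordless entries in a shadow file, and lines added to a services or inetd.conf file relative to a saved copy. The file paths are assumptions and the sample contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: audit passwd/shadow for
# accounts a hacker might have added, and diff services/inetd.conf against
# a saved copy. Paths are assumptions; the demo data below is constructed.

# audit_passwd PASSWD_FILE
# Prints "UID0 name" for every account other than root that has UID 0 (a
# second root-equivalent login); returns 1 if any were found.
audit_passwd() {
    awk -F: '$3 == 0 && $1 != "root" { print "UID0", $1; n++ } END { exit (n > 0) }' "$1"
}

# audit_shadow SHADOW_FILE
# Prints "NOPASS name" for accounts with an empty password field, which
# can log in without any password; returns 1 if any were found.
audit_shadow() {
    awk -F: '$2 == "" { print "NOPASS", $1; n++ } END { exit (n > 0) }' "$1"
}

# config_additions BASELINE CURRENT
# Prints non-comment lines present in CURRENT but absent from BASELINE
# (e.g. a saved copy of /etc/services vs. the live file); returns 1 if any.
config_additions() {
    if grep -vxF -f "$1" "$2" | grep -Ev '^[[:space:]]*(#|$)'; then
        return 1
    fi
    return 0
}

# Stand-alone demonstration on constructed data: "toor" is a second UID-0
# account, "guest" has no password, and one service line was added.
demo_audit() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\ntoor:x:0:0::/tmp:/bin/sh\n' > "$d/passwd"
    printf 'root:*:19000:0:99999:7:::\nguest::19000:0:99999:7:::\n' > "$d/shadow"
    printf 'ssh 22/tcp\nhttp 80/tcp\n' > "$d/services.saved"
    printf '# services\nssh 22/tcp\nhttp 80/tcp\nunknown 60123/tcp\n' > "$d/services"
    audit_passwd "$d/passwd" || echo "-> extra root-level account"
    audit_shadow "$d/shadow" || echo "-> passwordless account"
    config_additions "$d/services.saved" "$d/services" || echo "-> services added"
    rm -rf "$d"
}
demo_audit
```

On a live system, point audit_passwd and audit_shadow at /etc/passwd and /etc/shadow (as root) and config_additions at your saved copy and the current /etc/services or /etc/inetd.conf.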