Your computer starts to run a little weird. You notice the drive light blinking when you aren’t doing anything and the system seems a little slow. In the middle of writing an important document for work your system suddenly reboots for no reason.
At first you may shrug it off, then you notice some weird program in your Startup group. There is a good chance your system has been hacked.
Had you been exposed to a massive dose of gamma radiation you might turn green and ripped with muscles bursting out of your clothes and set off destroying everything in your path until you find the perpetrators and make them pay. Since your average person can’t turn into The Incredible Hulk, we have to settle for getting angry and saying “help! I think I’ve been hacked!!”
Various emotions may overtake you but it is important to act quickly and decisively to stop any ongoing intrusions, determine the extent of the damage caused and secure and protect your system for the future.
Unfortunately, if you did not prepare in advance for such an incident you probably are finding out much later than you should have, and you have next to nothing to go on in trying to determine what occurred: how did the intruder get in? When did the intruder get in? What changes have been made to the system?
When you first realize you may have been hacked you need to decide your course of action. Your initial reaction may be to disconnect your computer from the Internet or shut it down entirely to break the connection with the hacker. Depending on the situation this may be the way to go. However, you may find many more clues and gather more evidence by performing certain actions while the system is still live.
If the system in question contains sensitive or classified material that you feel might be in jeopardy or if you believe your computer might be infected with a virus or worm that is actively propagating (sending itself out) from your computer you probably need to go ahead and disconnect from the Internet at the very least.
There are six essential phases that make up incident response:
1. Prepare to detect and respond to incidents
2. Detect the incident
3. Gather clues and evidence
4. Clean system and patch vulnerabilities
5. Recover lost data or files
6. Take lessons from the incident and apply them to secure for the future
As I mentioned earlier, if you didn’t already do the first one (prepare to detect and respond to incidents) then you also probably didn’t detect the hacker until way after the initial intrusion.
So, by the time you figure out the hard way that you have been hacked you are on phase 3 already. If you didn't prepare, odds are also pretty good that you don't perform regular backups of your system data, so phase 5 probably won't work either.
See how quickly this goes? Just by not properly preparing to detect and respond to incidents you have already cut the list down from 6 phases to 3. When you do get to phase 6 (take lessons from the incident and apply them to secure for the future), though, one of the primary lessons should be that you ought to have been better prepared, so hopefully that will change for your next incident.
We’re not on phase 6 yet, though; we’re still on phase 3: gather clues and evidence. One of the first things you should do is to try running netstat. Netstat is a utility that will show you all open ports on your computer and your current connections. If your hacker is sloppy you may even be able to find his source IP address using netstat.
To use netstat you need to open a command prompt window and type “netstat” followed by the parameters you want to use. The available parameters are:
-a displays all connections and listening ports
-e displays Ethernet statistics
-n displays addresses and port numbers in numerical form
-o displays the owning process ID associated with each connection
-p proto shows connections for the protocol specified (TCP, UDP, etc.)
-r displays the routing table
-s displays statistics broken down by protocol
interval redisplays selected statistics at the assigned interval
Using netstat can yield a ton of valuable information. You may be able to find open ports, connections to IP addresses, or connections opened by processes that you are not aware of. For your evidence gathering purposes you will want to export the results to a text file that you can save and refer back to later. Typing “netstat -an > c:\log.txt” will run netstat using both the -a and the -n parameters and will save the results to a file called “log.txt” on your C drive. You can change the drive and file name to anything you choose.
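To make that saved capture easier to read back, here is a small parser, added as an example and not part of the original article, that takes a netstat -ano listing (the -o switch adds the owning PID to the -a and -n output) and pulls out the listening ports and the established connections to peers outside the machine and the local network. The sample capture, its addresses and its PIDs are constructed.

```python
r"""Triage a saved 'netstat -ano' capture (the page's 'netstat -an > c:\log.txt' with
-o added so each socket carries its owning PID). Added example, not from the article."""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "proto laddr lport raddr rport state pid")
# Constructed sample in the Windows 'netstat -ano' layout (addresses and PIDs are made up).
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2876
  TCP    192.168.1.20:49712     203.0.113.7:6667       ESTABLISHED     2876
  TCP    192.168.1.20:49800     192.168.1.5:445        ESTABLISHED     4
  TCP    127.0.0.1:49900        127.0.0.1:49901        ESTABLISHED     1540
  UDP    0.0.0.0:123            *:*                                    1088
"""
LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _endpoint(ep):
    """'addr:port' or '*:*' -> (addr without IPv6 brackets, int port or None)."""
    addr, _, port = ep.rpartition(":")
    return addr.strip("[]"), (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """One Conn per TCP/UDP row; header, banner and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue
        (la, lp), (ra, rp) = _endpoint(f[1]), _endpoint(f[2])
        state = f[3] if f[0] == "TCP" else ""   # UDP rows have no State column
        conns.append(Conn(f[0], la, lp, ra, rp, state, int(f[-1])))
    return conns

def listening_ports(conns):
    """Sorted (port, proto, pid): every TCP listener and every bound UDP socket."""
    return sorted((c.lport, c.proto, c.pid) for c in conns
                  if c.state == "LISTENING" or c.proto == "UDP")

def external_connections(conns):
    """(peer, port, pid) for ESTABLISHED TCP peers outside loopback and RFC 1918 ranges."""
    out = []
    for c in (c for c in conns if c.state == "ESTABLISHED"):
        peer = ipaddress.ip_address(c.raddr)
        if not (peer.is_loopback or any(peer in n for n in LAN)):
            out.append((c.raddr, c.rport, c.pid))
    return out
```

Feed it the contents of your saved log file instead of SAMPLE; the PID column lets you match each suspicious port or peer to a process in Task Manager.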
Another action you can perform is to validate your users and their privileges. Check out the list of users on the machine to make sure there haven’t been any new users created that you aren’t familiar with. Additionally, you should verify that the existing users have the appropriate permissions assigned. The hacker may have taken over one or more accounts and granted them administrative permissions.