
Thread: Help! I Think I've Been Hacked!!

  1. #1
    tonybradley (AO Security for Non-Geeks)
    Join Date
    Aug 2002
    Posts
    830

    Help! I Think I've Been Hacked!!

    This is a place for AntiOnline users to post original tutorials that they've written about a variety of subjects.

    Each tutorial should be posted as a new thread, and never as just a reply. Also, new threads should ONLY be started when posting a tutorial.

    This tutorial IS an original tutorial written by me. This is not plagiarized or a cut & paste of some other person's work. However, due to copyright restrictions (see this thread) and contractual obligations because it was written for my About.com site, I can only post a portion of it and must link back to the About.com site.

    Your computer starts to run a little weird. You notice the drive light blinking when you aren’t doing anything and the system seems a little slow. In the middle of writing an important document for work your system suddenly reboots for no reason.
    At first you may shrug it off, then you notice some weird program in your Startup group. There is a good chance your system has been hacked.
    Had you been exposed to a massive dose of gamma radiation you might turn green and ripped with muscles bursting out of your clothes and set off destroying everything in your path until you find the perpetrators and make them pay. Since your average person can’t turn into The Incredible Hulk, we have to settle for getting angry and saying “help! I think I’ve been hacked!!”

    Various emotions may overtake you but it is important to act quickly and decisively to stop any ongoing intrusions, determine the extent of the damage caused and secure and protect your system for the future.

    Unfortunately, if you did not prepare in advance for such an incident you probably are finding out much later than you should have, and you have next to nothing to go on in trying to determine what occurred: how did the intruder get in? When did the intruder get in? What changes have been made to the system?

    When you first realize you may have been hacked you need to decide your course of action. Your initial reaction may be to disconnect your computer from the Internet or shut it down entirely to break the connection with the hacker. Depending on the situation this may be the way to go. However, you may find many more clues and gather more evidence by performing certain actions while the system is still live.

    If the system in question contains sensitive or classified material that you feel might be in jeopardy or if you believe your computer might be infected with a virus or worm that is actively propagating (sending itself out) from your computer you probably need to go ahead and disconnect from the Internet at the very least.

    There are six essential phases that make up incident response:

    Prepare to detect and respond to incidents
    Detect incident
    Gather clues and evidence
    Clean system and patch vulnerabilities
    Recover lost data or files
    Take lessons from incident and apply them to secure for future

    As I mentioned earlier, if you didn’t already do the first one (prepare to detect and respond to incidents) then you also probably didn’t detect the hacker until way after the initial intrusion.
    So, by the time you figure out the hard way that you have been hacked you are on phase 3 already. If you didn’t prepare, odds are also pretty good that you don’t perform regular backups of your system data, so step 5 probably won’t work either.
    See how quickly this goes? Just by not properly preparing to detect and respond to incidents you have already cut the list down from 6 phases to 3. I think, though, that when you get to phase 6 (take lessons from incident and apply them to secure for future) one of the primary lessons would be that you should have been better prepared, so hopefully that will change for your next incident.

    We’re not on phase 6 though; we’re still on phase 3: gather clues and evidence. One of the first things you should do is to try running netstat. Netstat is a utility that will show you all open ports on your computer and your current connections. If your hacker is sloppy you may even be able to find his source IP address using netstat.

    To use netstat you need to open a command prompt window and type “netstat” followed by the parameters you want to use. The available parameters are:

    -a displays all connections and listening ports
    -e displays Ethernet statistics
    -n displays addresses and port numbers in numerical form
    -o displays the owning process ID associated with each connection
    -p proto shows connections for the protocol specified (TCP, UDP, etc.)
    -r displays the routing table
    -s displays statistics broken down by protocol
    interval redisplays selected statistics at the assigned interval
    Using netstat can yield a ton of valuable information. You may be able to find open ports, connections to IP addresses or connections opened by processes that you are not aware of. For your evidence gathering purposes you will want to export the results to a text file that you can save and refer back to later. Typing “netstat -an >c:\log.txt” will run netstat using both the -a and the -n parameters and will save the results to a file called “log.txt” on your C drive. You can change the drive and file name to anything you choose.

    Another action you can perform is to validate your users and their privileges. Check out the list of users on the machine to make sure there haven’t been any new users created that you aren’t familiar with. Additionally, you should verify that the existing users have the appropriate permissions assigned. The hacker may have taken one or many accounts and granted it administrative permissions.
    To read the full tutorial click here: Help! I Think I've Been Hacked!!
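    An added example, not part of tonybradley's tutorial or the About.com article: a small Python script that reads a saved netstat capture in the Windows "netstat -ano" layout (the -o column gives the owning PID for each row) and flags two things the tutorial tells you to look for, listening ports that are not on a known-good baseline and established connections to addresses outside your own network. The sample capture, the expected-listener set and the internal network range are constructed assumptions for the example; in practice you would feed it the log.txt you saved and your own baseline.

```python
"""Triage a saved netstat capture against a known-good baseline.

Reads text in the column layout of `netstat -ano` on Windows and reports
listeners not on the baseline and established connections leaving the LAN,
each with the owning PID so the process can be examined next.
"""
import ipaddress
from typing import Dict, List, Tuple, Union

# Constructed sample in the `netstat -ano` layout; addresses, ports and PIDs
# are made up for this example (203.0.113.0/24 is a documentation range).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       3504
  TCP    192.168.1.5:49713      203.0.113.7:4444       ESTABLISHED     3504
  TCP    192.168.1.5:49720      192.168.1.10:445       ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:500            *:*                                    1120
"""

# Hypothetical baseline: (protocol, port) pairs this machine is expected to
# listen on, and the address ranges considered "inside" the local network.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 500)}
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

Port = Union[int, str]


def _split_endpoint(endpoint: str) -> Tuple[str, Port]:
    """'203.0.113.7:4444' -> ('203.0.113.7', 4444); '*:*' -> ('*', '*');
    '[::]:135' -> ('::', 135). IPv6 brackets and scope ids are dropped."""
    host, port = endpoint.rsplit(":", 1)
    host = host.strip("[]").split("%", 1)[0]
    return host, int(port) if port.isdigit() else port


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """One record per TCP/UDP row; the banner and header lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto = fields[0]
        lhost, lport = _split_endpoint(fields[1])
        fhost, fport = _split_endpoint(fields[2])
        # UDP rows carry no State column, so their fourth field is the PID.
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
        else:
            state, pid = "", int(fields[3])
        records.append({"proto": proto, "lhost": lhost, "lport": lport,
                        "fhost": fhost, "fport": fport,
                        "state": state, "pid": pid})
    return records


def _is_internal(host: str) -> bool:
    """Loopback or inside one of INTERNAL_NETWORKS; unparsable hosts count as external."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_loopback or any(addr in net for net in INTERNAL_NETWORKS)


def triage(text: str) -> Dict[str, list]:
    """Return listeners outside the baseline and established connections that
    leave the internal networks, as (proto, port, pid) / (host, port, pid)."""
    findings = {"unexpected_listeners": [], "external_connections": []}
    for r in parse_netstat(text):
        # A bound UDP socket shows no state, so every UDP row is a listener.
        is_listener = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if is_listener:
            if (r["proto"], r["lport"]) not in EXPECTED_LISTENERS:
                findings["unexpected_listeners"].append(
                    (r["proto"], r["lport"], r["pid"]))
        elif r["state"] == "ESTABLISHED" and not _is_internal(r["fhost"]):
            findings["external_connections"].append(
                (r["fhost"], r["fport"], r["pid"]))
    return findings


if __name__ == "__main__":
    # To run against a real capture: triage(open(r"c:\log.txt").read())
    for kind, rows in triage(SAMPLE_NETSTAT).items():
        print(kind)
        for row in rows:
            print("   ", *row)
```

    The PID in each finding is the thread to pull next: match it against the task list (or the -o output of a second netstat run) to see which executable owns the socket, and keep that output with the saved log as part of the evidence.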

  2. #2
    Another good writing by tony.
    I would like to add one thing to this.
    If you suspect you have been hacked it could be good practice to make an image (ghost) of your disk before you reinstall the OS.
    This way you can study what happened, perhaps on another (non-connected) computer or perhaps by mounting the image using linux.
    To secure yourself better you will have to understand what happened when you did get hacked otherwise you would fall for the same trick.

    Cheers
    noODle

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    1,499

    No Disrespect.

    Noodle,

    No disrespect meant here, but if you back up your system when you re-ghost it, it will be subject to the same vulnerabilities as before.

    I would suggest that you do the same and have a thorough system flush with several anti-virus programs while off the network.

    Also run an exploit scan and port scan on your own machine to look for known weaknesses.

    Note: usually, to run an offline, local program against your own machine, use the IP "127.0.0.1".

  4. #4
    Mark I did not mean you should use the image as a backup but as a means to investigate the matter.
    I believe that most images can be mounted using one of the nix like systems.
    This way you can examine what happened without staying offline and without being infected.
    I am very well aware that if you restore from a corrupted image you reinfect yourself.
    Whenever you reinstall your OS you completely wipe out all evidence.
    Also if your machine is compromised and you plan to report it with the authorities they will be very happy to see you made an image of the compromised system.
    I don't know exactly off the top of my head what the legal issues would be (if it would be evidence), but it sure would help the appropriate computer forensics specialists in tracking down what happened.
    I am sorry if I did not come across clearly in that first post.

    Cheers
    noODle

  5. #5
    Senior Member
    Join Date
    Feb 2003
    Posts
    105
    I believe if you are hacked, disconnect that computer from any LAN or WAN connections, isolating the vuln., troj, hack.... Then search on another computer for any known threats with the same symptoms as that computer, patch it and protect it.
