Thread: Hacking Scenario

  1. #1
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830

    Hacking Scenario

    I am writing a short tip and I wanted to get some more diverse opinion and feedback. Here is the scenario I am basing it on:

    SCENARIO: "I'm an IT administrator with a little over 500 end users, running Windows 2000 and XP. One of our users is experiencing a problem with her Internet connection suddenly dropping for no apparent reason.

    When she restarts her computer, everything works fine for awhile, but then the connection drops again. The funny thing is, she's noticed that her AOL Instant Messenger service still works even when she can't access her e-mail. We've already run Netstat and noticed that more unknown open connections are being used to certain ports. This particular user has a laptop and works from home frequently, so we're not sure all updates have been installed. Has her computer been hacked?"
    Based on that scenario, I want to address the following:

    1. Diagnosis -- Given the info in the scenario, has this person been hacked or not?

    2. Initial response period -- What can the IT administrator do in the first 24 hours to contain the extent of the damage?

    3. The road to recovery -- After the first critical 24-hour window passes, what actions can the IT administrator take to start getting back on track?

    4. Preventative steps -- What steps can the IT administrator take to prevent being hacked in the future?
    I know the scenario is a little vague. That is part of the point. Anyone interested in providing your feedback of diagnosis and remediation based on this scenario?

  2. #2
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    1. Without knowing what ports they are, it's impossible to make a just diagnosis. I would venture to guess it could be spyware or such.

    2. I would initially remove this machine from the network and figure out exactly what is opening these connections.

    3. I would sniff the network for other machines that might also have connections on this port to see if any other machines were affected.

    4. This would require a trackback to find out where it came from in the first place. If it came via email, training users not to open attachments from people they don't know and such would be advised.

    Am I right in assuming this is fictional?
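    The OP's scenario says Netstat already shows "unknown open connections to certain ports", and this reply suggests figuring out exactly what is opening them before doing anything else. The following is an added example, not code from anyone in the thread: a small Python triage script that parses `netstat -an` style output (a constructed sample is embedded; the addresses and the allowlist of expected remote ports are assumptions for illustration, with 5190 standing in for the still-working AIM service) and reports remote hosts that the laptop is talking to on ports the help desk does not expect, or that it is repeatedly trying to reach. The output tells the admin which remote host and port to look at next, rather than which process, so it is a first-pass filter before the per-process tools mentioned later in the thread.

```python
import re
from collections import Counter, defaultdict

# Ports a laptop on this (hypothetical) network is expected to use outbound.
# 5190 is AOL Instant Messenger, the one service still working in the scenario.
EXPECTED_REMOTE_PORTS = {25, 53, 80, 110, 143, 443, 5190}

# Constructed sample of `netstat -an` output; not a capture from a real machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      64.12.24.1:5190        ESTABLISHED
  TCP    192.168.1.20:1047      205.188.8.1:5190       ESTABLISHED
  TCP    192.168.1.20:1102      203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.20:1103      203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.20:1104      203.0.113.7:6667       SYN_SENT
  TCP    192.168.1.20:1105      203.0.113.7:6667       SYN_SENT
  TCP    192.168.1.20:1110      198.51.100.9:80        TIME_WAIT
  TCP    192.168.1.20:1111      198.51.100.9:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One netstat row: proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$"
)


def parse_netstat(text):
    """Return a list of connection dicts parsed from netstat -an output."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header, blank line
        proto, lip, lport, rip, rport, state = m.groups()
        conns.append({
            "proto": proto,
            "local": (lip, int(lport)),
            "remote": (rip, None if rport == "*" else int(rport)),
            "state": state or "",
        })
    return conns


def triage(conns, expected_ports=EXPECTED_REMOTE_PORTS):
    """Group outbound TCP connections by remote host and flag the odd ones.

    A host is reported when it is reached on a port outside the allowlist,
    or when two or more connections to it are stuck in SYN_SENT (the box
    keeps trying to reach something that is not answering).
    """
    per_host = defaultdict(lambda: {"ports": set(), "states": Counter()})
    for c in conns:
        rip, rport = c["remote"]
        if c["proto"] != "TCP" or rport is None or c["state"] == "LISTENING":
            continue  # listeners and UDP sockets have no peer to group by
        per_host[rip]["ports"].add(rport)
        per_host[rip]["states"][c["state"]] += 1

    findings = []
    for host, info in per_host.items():
        odd_ports = sorted(p for p in info["ports"] if p not in expected_ports)
        syn_sent = info["states"]["SYN_SENT"]
        if odd_ports or syn_sent >= 2:
            findings.append({
                "host": host,
                "unexpected_ports": odd_ports,
                "connection_count": sum(info["states"].values()),
                "syn_sent": syn_sent,
            })
    # Busiest suspicious host first.
    return sorted(findings, key=lambda f: f["connection_count"], reverse=True)


if __name__ == "__main__":
    for f in triage(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{f['host']}: {f['connection_count']} connections, "
              f"unexpected ports {f['unexpected_ports']}, "
              f"{f['syn_sent']} in SYN_SENT")
```

    On the constructed sample the two AIM sessions and the web traffic pass, and the one host being hammered on port 6667 is reported with its connection count; on a real box you would feed it `netstat -an` output saved to a file and adjust the allowlist to what your users actually need.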

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Tony,

    Do you mean that AIM works over the internet, or the LAN?

    If you have really lost your internet connection then it is not a hack or even adware/spyware as that is what they need. And they don't normally advertise themselves that blatantly.

    Could be an adware/spyware conflict though? ... or a virus?

    As a BOFH I would immediately impound the thing, reformat and re-install. After searching it for anything compromising, of course. As you only mention one employee it seems to be a local problem, not a company-wide one?

    My network should be well protected so nothing should spread without being detected/destroyed?

    Let's face it, most IT people don't have the time to mess around, reformat and re-install is the solution in 99% of such cases.

    Yes, I am cynical

  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Sounds like malware to me and not a hack. Perhaps a corrupt hosts file. Could even be a DNS issue, or she set her IE to use a proxy but didn't specify one. If you have DNS issues AIM can still work in my experience. So I would check DNS and internet settings. And scan for adware because of the open ports.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  5. #5
    I've actually had to deal with this problem before and it is really interesting.

    You can run a tracert say like :

    tracert www.yahoo.com

    This not only makes sure that the DNS is working, but you can also test if your connection is screwy. After doing so I traced right to it and the DNS resolved.

    So why doesn't the internet work? HOSTS file? maybe. Virus infection? Absolutely.

    The real answer to the question is a straight reformat.

    What you will notice that is even more bizarre is the fact that when booted in safe mode the internet works fine. Naturally, that would lead one to believe that there is some corrupted service or program that loads on startup.

    I wasn't able to locate the problem file but I can assure you that there is one.

    Save yourself some time and just reformat the thing.

    scatman
    If the scatman can do it so can you.
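    Two replies above point at the HOSTS file as a way the box could "resolve" names yet still fail to reach the internet. As an added example (not code from this poster or the thread), here is a Python check for a Windows 2000/XP style HOSTS file. It assumes that a clean file maps only `localhost` to loopback and that anything under a hypothetical internal domain (`corp.example`) may legitimately point at a private address; every other entry is reported, either as a well-known host blackholed to 127.0.0.1 (which would silently break update or mail traffic while AIM keeps working) or as a name redirected to some other address. The file content is constructed for the example.

```python
import ipaddress

# Constructed HOSTS file content, not taken from any real machine.
# The Microsoft banner lines are the normal header; everything after
# the localhost line is a planted entry for the example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       liveupdate.example.net
192.0.2.55      mail.example.com        # constructed: mail sent to a stranger
192.0.2.55      www.example.com
10.0.0.5        intranet.corp.example   # constructed: legitimate internal entry
"""

# Names that belong on loopback in an untouched file.
ALLOWED_LOOPBACK_NAMES = {"localhost"}
# Hypothetical company domain whose hosts may live on private addresses.
INTERNAL_SUFFIXES = ("corp.example",)


def parse_hosts(text):
    """Yield (line_number, address, hostname) for every mapping in the file.

    Comments after '#' are dropped; one address may carry several names.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            entries.append((lineno, addr, name.lower()))
    return entries


def audit_hosts(text, internal_suffixes=INTERNAL_SUFFIXES):
    """Return (line, hostname, address, reason) for entries worth a look."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, name, addr, "unparseable address"))
            continue
        if name in ALLOWED_LOOPBACK_NAMES and ip.is_loopback:
            continue  # the one mapping a clean file is expected to carry
        if name.endswith(internal_suffixes) and ip.is_private:
            continue  # internal host on an internal address: expected
        if ip.is_loopback:
            # The name resolves but every connection goes nowhere.
            findings.append((lineno, name, addr, "blackholed to loopback"))
        else:
            # The name resolves, but to an address the user did not choose.
            findings.append((lineno, name, addr,
                             "redirected to non-loopback address"))
    return findings


if __name__ == "__main__":
    for lineno, name, addr, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}: {reason}")
```

    This only covers the HOSTS file; a bad DNS server setting or a proxy entry in Internet Options would pass it untouched, which is why the thread's "tracert by name" check and the HOSTS audit complement rather than replace each other.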

  6. #6
    AO's MMA Fanatic! Computernerd22's Avatar
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    795
    I'm an IT administrator with a little over 500 end users, running Windows 2000 and XP. One of our users is experiencing a problem with her Internet connection suddenly dropping for no apparent reason.
    I would use the diagnostics tools provided by Microsoft. Which tools would I use?

    Dr Watson.

    System Information.

    Device Manager. (Even though it sounds more software based to me)

    Event Viewer

    Computer Management

    Performance Logs and Alerts


    Possibly use system restore to back it up to a previous state before this user had their disconnect issues.

    This particular user has a laptop and works from home frequently, so we're not sure all updates have been installed. Has her computer been hacked?"
    You never stated what type of connection she has, since she is a home user. If she has a dial up connection it could be a number of issues, nothing related to hacking either. Examples are a broken telephone cord (insides could be damaged), she could be using line splitters, surge protectors, filters, the modem could possibly need an initialization string for frequent disconnects. If she's on a broadband connection I would surely make sure all hardware and software is fully updated. NIC drivers, ADSL modem firmware, router firmware etc...

    I would use pathping (XP), ping, tracert, whois, nslookup, see if this lady is able to ping by hostname or IP address or vice versa. Make sure her winsock file is not corrupted? Update TCP drivers, check for corrupted networking components, definitely recommend downloading Ad-Aware or Spybot to search for spyware issues (just in case).
    Diagnosis -- Given the info in the scenario, has this person been hacked or not?
    In my opinion this person wasn't hacked. There's not enough information in your 'scenario' to determine if this person was hacked or not.

  7. #7
    A hack would probably not affect the internet connection, neither would spyware, but just to be sure if you want then try running Dr. Watson, it will show you everything running on the network/computer at that time. Other than that, I'm just as clueless as you.

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Tony:

    I know where this is coming from.....

    Rather than breach a confidence, (non-critical), I will enlarge on the intent of the OP's post without going into detail so that this post doesn't look like I'm coming out of "left field". The OP is trying to develop a "generic" methodology for response to a given situation - in this case it is a suspicious failure of internet connectivity with the exception of one application. I hope you don't mind that Tony... If you do bawl me out, come down to the pub and the beers are on me... OK?

    Here's the problem:-

    To begin an appropriate course of action one would be required to reach an accurate diagnostic conclusion. The problem with that is that so many things are sufficiently complex and/or are sufficiently similar in their manifestation that the diagnostic methodology is painfully complex and prone to mis-diagnosis. In many cases a mis-diagnosis may not be critical but there are many cases where, without continuing the diagnostic process, vital information may be missed that would lead to a critical mis-diagnosis and therefore a critical failure in the mitigation process, (in numerous cases the mitigation for the "perceived" issue may well also mitigate the actual issue but there are many that won't).

    I think you need to start from a different perspective. One of a "skill and experience" basis. Then you can develop the matrix of diagnostic steps. At each step where a different skill or level of experience is required you would ask a question such as "Are you comfortable setting up an Ethereal sniffer, capturing the data and interpreting it?". If the answer is "Yes" continue with the matrix. if the answer is "No" recommend that outside assistance is sought _or_ suggest another course of diagnostic action with the appropriate question should it require a different skill set.

    Once a diagnosis "appears" to have been made there are several instances where further confirmation would be required/desired for safety's sake. The matrix needs to continue down those lines _before_ the mitigation is suggested. Any failure in the subsequent confirmation attempt needs to be reversed back to the appropriate place in the diagnostic matrix for a "restart".

    Can you see how complex a matrix would be and can you see how a lack of knowledge or experience could lead someone quite quickly to a mis-diagnosis if the skill level or experience is absent? This would lead, obviously, to an improper mitigation technique.

    The proof of what I say?

    Look at the responses to your post.... Disorganized, inaccurate, without direction and almost certainly plain wrong... Sorry folks, but the OP's intent is an organized, trustable, followable and accurate solution to a problem, your responses prove the necessity for his work....

    PS. There isn't enough information in the scenario, (which was mentioned before) and question 4 answers question 1.... just for future reference.... <LOL>
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Originally posted here by Khayman
    A hack would probably not affect the internet connection, neither would spyware, but just to be sure if you want then try running Dr. Watson, it will show you everything running on the network/computer at that time. Other than that, I'm just as clueless as you.
    Are you joking? Spyware would certainly affect the internet connection because it blasts out connections and makes your computer drag ass.


    And computernerd: if AIM can stay logged in then it means they are holding the connection fine, which means it's not hardware.

    Scatman:

    Formatting is not the best solution for this. Yeah, it will fix it, but there are TONS of other things you can do to fix the problem. Formatting should not be used as a "quick fix".
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com
