Help! I Think I've Been Hacked
Incident Response To Recover Your System Quickly

Your computer starts to run a little weird. You notice the drive light blinking when you aren’t doing anything and the system seems a little slow. In the middle of writing an important document for work your system suddenly reboots for no reason. At first you may shrug it off, then you notice some weird program in your Startup group. There is a good chance your system has been hacked.
Had you been exposed to a massive dose of gamma radiation you might turn green and ripped with muscles bursting out of your clothes and set off destroying everything in your path until you find the perpetrators and make them pay. Since your average person can’t turn into The Incredible Hulk, we have to settle for getting angry and saying “help! I think I’ve been hacked!!”
Various emotions may overtake you but it is important to act quickly and decisively to stop any ongoing intrusions, determine the extent of the damage caused and secure and protect your system for the future.
Unfortunately, if you did not prepare in advance for such an incident you are probably finding out much later than you should have, and you have next to nothing to go on in trying to determine what occurred: how did the intruder get in? When did the intruder get in? What changes have been made to the system?
When you first realize you may have been hacked you need to decide your course of action. Your initial reaction may be to disconnect your computer from the Internet or shut it down entirely to break the connection with the hacker. Depending on the situation this may be the way to go. However, you may find many more clues and gather more evidence by performing certain actions while the system is still live.
If the system in question contains sensitive or classified material that you feel might be in jeopardy or if you believe your computer might be infected with a virus or worm that is actively propagating (sending itself out) from your computer you probably need to go ahead and disconnect from the Internet at the very least.
There are six essential phases that make up incident response:
As I mentioned earlier, if you didn’t already do the first one (prepare to detect and respond to incidents) then you also probably didn’t detect the hacker until well after the initial intrusion. So, by the time you figure out the hard way that you have been hacked you are on phase 3 already. If you didn’t prepare, odds are also pretty good that you don’t perform regular backups of your system data, so phase 5 probably won’t work either.
See how quickly this goes? Just by not properly preparing to detect and respond to incidents you have already cut the list down from 6 phases to 3. When you get to phase 6 (take lessons from the incident and apply them to secure for the future), though, I think one of the primary lessons will be that you should have been better prepared, so hopefully that will change for your next incident.
We’re not on phase 6 yet, though; we’re still on phase 3: gather clues and evidence. One of the first things you should do is run netstat. Netstat is a utility that shows you all open ports on your computer and your current connections. If your hacker is sloppy you may even be able to find his source IP address using netstat.
To use netstat you need to open a command prompt window and type “netstat” followed by the parameters you want to use. The available parameters are:
Using netstat can yield a ton of valuable information. You may be able to find open ports, connections to IP addresses or connections opened by processes that you are not aware of. For your evidence gathering purposes you will want to export the results to a text file that you can save and refer back to later. Typing “netstat -an > c:\log.txt” will run netstat using both the -a and the -n parameters and will save the results to a file called “log.txt” on your C drive. You can change the drive and file name to anything you choose.
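As an added illustration, not part of the original article, here is one way to work through the saved capture: the script parses the table that “netstat -an” writes to c:\log.txt, flags any listening port that is not in a baseline of ports you expect the machine to have open, and lists the remote addresses of established connections, which is where a sloppy intruder’s source IP would show up. The baseline set and the sample capture are constructed assumptions, not output from a real machine.

```python
"""Triage a saved 'netstat -an' capture (the article's c:\\log.txt) against the
ports this machine is expected to have open. Added example, not from the article."""
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")

# Assumption: a home Windows box that only needs RPC, SMB and NetBIOS name
# service. Anything else listening deserves a second look.
EXPECTED_LISTENING = {("TCP", 135), ("TCP", 445), ("UDP", 137), ("UDP", 138)}

def parse_netstat(text):
    """Parse the table printed by Windows 'netstat -an' into Conn records."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank and 'Active Connections' lines
        proto, local, remote = parts[:3]
        state = parts[3] if len(parts) > 3 else ""  # UDP rows have no state
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        conns.append(Conn(proto, lip, int(lport), rip,
                          int(rport) if rport.isdigit() else None, state))
    return conns

def triage(conns, expected=EXPECTED_LISTENING):
    """Split the capture into listeners not in the baseline and remote peers."""
    unexpected, peers = [], set()
    for c in conns:
        listening = c.state == "LISTENING" or (c.proto == "UDP" and c.remote_ip == "*")
        if listening and (c.proto, c.local_port) not in expected:
            unexpected.append(c)
        elif c.state == "ESTABLISHED":
            peers.add((c.remote_ip, c.remote_port))
    return unexpected, sorted(peers)

# Constructed sample of what 'netstat -an > c:\log.txt' would have saved.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.10:1042      198.51.100.20:80       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""
```

Run `triage(parse_netstat(open(r"c:\log.txt").read()))` against your own capture after editing EXPECTED_LISTENING to match what your machine legitimately runs; every listener it reports is a port to explain or close in phase 4.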
Another action you can perform is to validate your users and their privileges. Check out the list of users on the machine to make sure there haven’t been any new users created that you aren’t familiar with. Additionally, you should verify that the existing users have the appropriate permissions assigned. The hacker may have taken one or many accounts and granted it administrative permissions.
The Event Viewer most likely won’t offer much in the way of valuable evidence because logging the sort of information you really want would have required preparation (See Plan Ahead to Catch an Intruder). But, it can’t hurt to look. By default there are three logs maintained on a Windows system: Application, Security and System. If you have certain services enabled like DNS or IIS or use some third-party applications you may have Event Viewer logs for those as well. You can look through the logs to see if any entries were made at odd times when you know you weren’t using your computer or if there were errors caused by programs you know you haven’t used.
OK. So you’ve scanned through the computer looking for the clues and evidence you need to try and figure out who hacked your system, when and how. Now it’s time to move on to phase 4 (clean system and patch vulnerabilities) and get your system back into non-hacked operational status.
There are steps you can take and tools you can use to be relatively sure the system is cleaned and secure. However, the tools rely on knowledge of existing hacker tools and techniques. There is always the possibility that your hacker did something different that won’t be picked up and you may miss a backdoor, Trojan or other trick that may allow him to infiltrate your system again. If you have backups of your critical data your best bet is to completely format your hard drive, reinstall your entire system from scratch and then patch and secure it.

If you don’t have backups of your data or that sounds too extreme for your taste you need to do what you can to make sure the system is clean. If you have not previously unplugged the Internet connection now would be the time to do that, but, if the hacked computer is your only computer, you may need to download some of the tools and updates you will need before disconnecting. If your system is too damaged or you feel better disconnecting it from the Internet you will need to find a second computer to download the software you will need.
To remove any viruses or worms you should install antivirus software and scan your system. Before starting you should get the latest virus definitions from your antivirus software vendor. New malicious code is discovered almost daily and most antivirus software vendors release updates at least weekly to include the new threats.
Antivirus software can generally detect most Trojan programs on their way into your system, but may not be able to detect or remove one that is actively running on your system. You can use a tool like The Cleaner to detect and remove Trojan programs from your computer. Make sure you use a current version so that the database is as up to date as possible.
I would also perform a scan using a spyware detecting program such as Ad Aware 6.0 or Spybot Search & Destroy (See Free Spyware Removal and Blocking Software). Many freeware programs and other software downloaded from the Internet bundle programs like these, which monitor your actions and secretly report them back to some outside server via the Internet.
If you discovered any errant user accounts or permissions you will want to remove those. Delete any users that you are sure should not exist on your system and set the permissions and group membership for each of the users to what you believe it should be.
If programs or processes you flagged during your evidence gathering with the Task Manager are still present after the scans, you can remove them manually. I would recommend you start by renaming the program file or simply moving it to another location in case it really is needed by your system and just looks weird to you. For processes you can disable the ability for the process to start. These interim steps give you an opportunity to try running your system to make sure these files aren’t necessary. If it turns out they aren’t necessary then you can permanently remove them later.
After all of this is completed and you have rebooted the computer you should run netstat again to determine what ports are open on your computer and close the unnecessary ones. To get an idea of what ports are commonly used for what you can refer to this list: TCP / UDP Ports. Or, to see specifically what ports are used by known Trojans, you can look here: Trojan List Sorted on Port.
If you do have a backup of your system data, but did not want to completely rebuild your system from scratch you can still restore your system data at this time. However, depending on how frequently you backup your data and how long the hacker has been in your system the data on your backup may be corrupted as well. Make sure that any files you restore are also scanned for viruses and Trojans.
Now you are ready to move on to phase 6: take lessons from the incident and apply them to secure for the future. The primary lesson would be to secure your system better in the first place. The secondary lesson is to set up some monitoring that can alert you when intrusions occur or at least give you some log information to refer back to once you detect an intrusion.
If you were not already running antivirus software, you should get one installed immediately. You can look at the Free Antivirus & Virus Removal Software on this site or purchase a commercial product such as McAfee Virus Scan or Norton Antivirus.

As important as installing the antivirus software in the first place, it is imperative that you keep it updated. New malicious code threats are discovered just about every day. If you don’t update your antivirus software weekly you will be exposed to any new threats that have come out since you last updated.
You also need to keep your system patched. For Microsoft Windows machines you can enable the auto-update feature which will notify you when there are new critical patches available for your system. No matter what operating system or application you use, you should visit the vendor’s web site regularly and join any alert mailing lists available from the vendor to make sure you are aware when new vulnerabilities are discovered or new patches released. You can also subscribe to general vulnerability mailing lists such as Bugtraq.
One more level of defense I would recommend is a firewall. Hardware firewalls such as the ones found in DSL / cable routers are good for filtering incoming traffic, but for security purposes a software firewall such as ZoneAlarm installed on your computer will work more effectively. Using personal firewall software (See Top Picks) will not only block unauthorized incoming traffic, but will also stop unauthorized outbound traffic. This is helpful so that if you do open a malicious email attachment or something not detected by your antivirus software and a worm or Trojan tries to establish a connection it will be blocked and hopefully you will be notified. Many offer additional security features you may find useful as well.
That should about cover you in terms of securing yourself against future hacker intrusions. But, in case the unthinkable happens again there are steps you should take to prepare to handle it better. First, turn on auditing where you can. By monitoring and logging access to files or failed logon attempts you can maintain a record which may help you determine when you were hacked or what files may have been tampered with. See Plan Ahead to Catch an Intruder for more information on security auditing and logs.
You should also back up your important or critical data regularly. This makes good sense for more reasons than I can name. You never know when your hard drive could just die or you may even accidentally wipe out a directory. You should set up a schedule to back up regularly that works for you: daily, weekly or whatever. You should also maintain more than one backup if possible. In other words, if you are backing up weekly keep two or three weeks’ worth of backups before you copy over or dispose of the oldest one. That way if you happen to lose one or it is corrupt for some reason you still have another backup to fall back on.
One final tool you may want to employ to catch future intrusions or intrusion attempts is an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS). There are different ways of performing intrusion detection or prevention and I don’t have the space here to go into detail. The bottom line is that these tools are designed to detect when suspicious behavior is occurring on your network and respond in some way- alerting you or blocking the alleged attack or some other response.
If you want to ensure file integrity you can install a program like Tripwire. Tripwire monitors files and compares them against a known good version to ensure the integrity of the file. It can provide you with logs detailing what changes were made, when they were made and by whom. Using a program like Tripwire will quickly alert you if a malicious intruder tries to modify any of your system files or data and will allow you to quickly recover from any damage that is done.

That’s all there is to it. It is unfortunate that you were hacked, but following the standard phases of incident response you were able to recover and get your system fully operational in a reasonable timeframe. So, quit wishing for an overdose of gamma radiation to hit you so you can morph into a raging green creature and exact your revenge on the perpetrators. Instead, focus on getting the right tools installed and configured to protect your system and prepare to detect and recover from your next intrusion even quicker.
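To make the Tripwire idea concrete, here is an added example (my own code, not Tripwire’s) of the core mechanism: take a baseline of SHA-256 digests for every file under a directory, store it somewhere the intruder cannot rewrite, and later diff a fresh snapshot against it to list files that were added, removed or modified. The directory tree, file names and contents in `demo()` are constructed for illustration.

```python
"""Tripwire-style integrity check: record a baseline of file digests, then report
what was added, removed or modified. Added example, not Tripwire's own code."""
import hashlib, json, os, tempfile

def snapshot(root):
    """Map every file under root (relative, '/'-separated path) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as f:
                digests[rel] = hashlib.sha256(f.read()).hexdigest()
    return digests

def save_baseline(baseline, out_path):
    # Keep the baseline off the monitored disk: one the intruder can rewrite proves nothing.
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def compare(baseline, current):
    """Report paths added since the baseline, removed, or whose digest changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current
                           and baseline[p] != current[p]),
    }

def _write(root, rel, data):
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a tree, then replace one file, add one, delete one."""
    work = tempfile.mkdtemp()
    root = os.path.join(work, "windows")
    os.makedirs(os.path.join(root, "system32"))
    _write(root, "system32/svchost.exe", b"original")
    _write(root, "readme.txt", b"notes")
    baseline_path = os.path.join(work, "baseline.json")  # outside the tree
    save_baseline(snapshot(root), baseline_path)
    _write(root, "system32/svchost.exe", b"replaced")
    _write(root, "system32/unknown.dll", b"new")
    os.remove(os.path.join(root, "readme.txt"))
    return compare(load_baseline(baseline_path), snapshot(root))
```

Pointing `snapshot()` at a real system directory right after a clean install and saving that baseline to removable media gives you the “known good version” to compare against during your next phase 3.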