Tech Support banner

Status
Not open for further replies.
1 - 5 of 5 Posts

·
Premium Member
Joined
·
1,611 Posts
Discussion Starter #1
The hair stands up on the back of your neck, and you feel the first bead of sweat roll down the side of your face: You've been hacked. The adrenaline starts to flow and you're ready to jump into action. But what do you do first?

In the first installment of this series, we talked about the steps you should take within the first few minutes of discovering that someone may have compromised your system. Now, we'll focus on actions you should take during the first hour. Last time, we wrapped up the initial steps by disconnecting the network from the Internet. In this article, we'll see what you need to do to patch all vulnerabilities and get back online.

Image the system to preserve a record
If you're hoping to identify the individual who caused the problem or perform more diagnosis to determine the exact source of the attack, you'll want to image the system or systems that were compromised. Imaging a system, using a package such as Symantec Ghost, creates a file you can use to recreate the system as it was when you discovered the attack. You can copy the image to another hard drive to preserve a record of the problem and then use it to help pinpoint the attacker or specific vulnerabilities. Once you've created the image, you can restore the production system to its operational state.

It's best to image to another set of hard drives and use them for your further investigations, because the imaging process copies only data that is marked as being used in the file allocation tables. As a result, recently deleted files that can be recovered will not be copied to the image. Ultimately, few go to the lengths required to recover files that have already been deleted, but some do.

Evaluate systems to detect tampering
Before reconnecting systems to the Internet, you have to determine whether they have been compromised. This is perhaps the most difficult part of being hacked because it requires a critical look at the status of the systems and the logs that may have been generated.

The first step is to review every security account on the machine and all of the connected systems. In a typical network environment, this means both the local machine accounts and the network accounts coming from Novell Directory Services (NDS) or Active Directory. It also means reviewing database accounts and verifying that they have not been tampered with. This includes making sure that none of the disabled accounts that you have in your system has been activated. You're looking for any account that shouldn't be there or can't be explained. If you find one, it should be disabled until you can determine its reason for being on the network.

The next step is to review group memberships to ensure that no new users have been given more group memberships and therefore more privileges than they should have. Pay particular attention to the administrators group, since this group membership essentially allows users to do anything they want to the system. The easiest way to approach this is to go to each group and review its memberships. If a user account has a membership it shouldn't have, you should remove the membership and flag the account for further evaluation.

You'll also need to review the access control lists (ACLs) for the system. This is probably best done with a tool such as SomarSoft, which allows you to capture all the ACLs from the system and output them to an easily readable format. You're looking for entries that appear to give more access than is appropriate.

On the logs side of the evaluation process, you should first review the existing logs for abnormal patterns of usage, excessive errors, or anything that just doesn't look right. You should also turn up logging to its maximum levels so that you can track further attempted attacks. This step may have performance implications and may require that the logs be expanded. This is a normal recourse when you've been hacked. But if the logging level is so high that you'll never be able to review all the logs, you should reduce the level so that the logs are manageable.

If you do find log entries that you aren't comfortable with, the system should be isolated until the source of those entries can be identified or until you can provide detailed observation of the system. Log entries can indicate successful and unsuccessful attempts to use security, but most frequently, they're set to capture only information pertaining to failed attempts. It's quite possible that you'll quit seeing failure events in the log because the hacker has gained access.

An important step is to verify that no Trojan horse programs are loaded and running on the systems. These are typically identified by antivirus programs, but they aren't always detected by every scan engine. If you want to check your systems with an alternate antivirus engine, try Trend Micro's online scanner.

read more at

ZD NET AUSTRALIA
 

·
Lacoka Nostra
Joined
·
1,067 Posts
How can you tell at that point you have been hack? I mean will your wallpaper be changed or do you see files being deleted at the same time your on? Can you tell me what I should look for. Thanks:D
 

·
Premium Member
Joined
·
1,611 Posts
Discussion Starter #3
I think the above article I found was written more for a small net. admin at a small business or similar, so some things might be little tricky to work out in our (regular home user) case. I think you might want to take a look at this

have fun :D
 

·
TSF Team Emeritus
Joined
·
5,580 Posts
hmm

well, when i feel i have been hacked, i simply open both my cd-rom drives, and stick in my windows 98 boot cd, and my windows 98 os cd. then i press cntrl+alt+delete twice.......

then i submit a request to my isp for a new ip address.

reinstalling makes it a new machine, so i dont see a need to do anything else.

~BoB~
 

·
STILL Stuck in a treestand....
Joined
·
929 Posts
There are alot of programs you can use to monitor your network and let you know when someone is attempting to gain access. I believe Black Ice offers free downloads that do the samething.
 
1 - 5 of 5 Posts
Status
Not open for further replies.
Top