Know them:
A normal hacker is just a script kiddie, running scripts that he got
from e.g. www.packetstorm.com or IRC.
Signs of a computer getting hacked
- Programs behave slowly
- Strange behaviour on the network
- Small .exe files and similar appearing on network shares
- Local administrator password changed
- ... the list is endless
What are hackers in general looking for?
- Fast internet lines (for warez and similar)
- Stable internet lines (for internet relay chat bots "irc bots")
- Malicious attacks (very rare)
The first thing is to NOT shut the computer off. Leave the network
disconnected if you cannot check out the computer at once. Shutting the
computer off might remove any hacker files, since the hacker might
auto-delete files at next start-up. He might only leave a small
backdoor, and then re-hack the computer at a later attempt.
It's VERY important to know HOW you have been hacked. And it's not
always so easy to locate this if you are not an experienced computer
enthusiast. But remember: if you do not know how they hacked you, you
must accept that this is a big risk for both you and your organization.
Never allow a computer to go on-line again without a fresh OS install,
unless you are 100% sure that the computer was not hacked.
When you are ready to check out the computer, put the network on-line.
1. Run an IP port scan on the computer from remote. I recommend Nessus
(www.nessus.org). Check for suspicious ports. Note that he might have
installed a firewall for the local subnet, so this is not 100% safe.
If a user is not logged in, be careful to log on to a computer whilst
it's on the net.
2. Run netstat -an on the computer (the network cable has to be
on-line while doing this). Do you find any suspicious ports?
Note that some programs hide from this.
3. Run the program from
http://www.webattack.com/get/activeports.shtml
Rename the .exe to something else than aports.exe, since the hacker
might have an auto-detect on known program process names.
Optional program to run: NetLimiter from www.netlimiter.com. Install the
shareware program and check for traffic.
After this, you can disconnect the network again.
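As an added example (not from Hallstein's post), a small Python script that does
the comparison steps 1 and 2 describe by hand: it parses `netstat -an` output
from the suspect machine, compares it with the port list the remote scan
returned, and flags ports that answer from outside but do not appear locally,
which is exactly the "some programs hide from this" case. The netstat text,
the scan result and the baseline of expected ports are all constructed sample
values.

```python
"""Cross-view check: ports a remote scan sees open vs ports netstat lists.
A port that answers from outside but is missing from the local listing is
the classic sign of something hiding from netstat on the box itself."""
import re

# Constructed sample output of `netstat -an` on the suspect Windows host.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      10.0.0.5:6667          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed result of the remote port scan, as "port/proto" strings.
REMOTE_SCAN_OPEN = ["135/tcp", "139/tcp", "445/tcp", "31337/tcp"]

# Assumed baseline: what a plain workstation on this subnet should expose.
EXPECTED_LISTENING = {"135/tcp", "139/tcp", "445/tcp", "137/udp"}

# One netstat -an row: proto, local addr:port, foreign addr[:port], [state]
ROW = re.compile(r"\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?")

def parse_netstat(text):
    """Return (listening, established) sets parsed from netstat -an text."""
    listening, established = set(), set()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, header or blank line
        proto, _, port, foreign, state = m.groups()
        key = f"{port}/{proto.lower()}"
        if proto == "UDP" or state == "LISTENING":
            listening.add(key)  # a UDP row has no state; it is a bound socket
        elif state == "ESTABLISHED":
            established.add(f"{key} -> {foreign}")
    return listening, established

def triage(netstat_text, remote_open, expected):
    """Three lists worth looking at: hidden, unexpected, and live sessions."""
    listening, established = parse_netstat(netstat_text)
    remote = set(remote_open)
    return {
        "hidden_from_netstat": sorted(remote - listening),    # open outside only
        "unexpected_listeners": sorted(listening - expected),  # not in baseline
        "active_connections": sorted(established),            # e.g. outbound IRC
    }
```

A non-empty `hidden_from_netstat` list means the local view cannot be trusted, and the sorted `active_connections` entry shows the outbound session to port 6667 that an IRC bot would keep open.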
Now it's time to search for files and similar. Look for files changed
recently, large files, small files. Use various utilities to locate files
(Lavasoft Ad-Aware, PestPatrol etc). If the hacker is good, you will
have a problem finding anything by using these programs.
Anyways, change any passwords that have been used on the computer. Also,
if you have the same administrator password (or any other local
accounts) on other computers, you should change ALL those passwords.
In the end, I usually take a ghost image of the computer and store it
for 3 months, as evidence in case somebody tells me that they got
an attack from that computer. Sometimes, this information might lead to
a restore of the image, and the new information from this "somebody"
might help you locate the actual hack.
Never try to remove a hack and then put the computer back on-line. The
hard drive HAS to be reinstalled (where the OS install process should
FORMAT the system drive).
I hope this small guide I wrote now may help you. Good luck.
- - Hallstein