How to determine whether your users are actually attacked by hackers

If you implement end-user support in an organization, you will probably be familiar with saying "I think I am hacked!" when your computer cannot be started or a problem occurs !". Some of these situations are true and need immediate response, but others are just minor issues with excessive user response. To help you identify and find faults when users are truly hacked, please refer to the following chapter. We will ask three Windows security experts to introduce their knowledge about the problem analysis and possible actions of end users. Then, you can go to our forum to read the solutions to problems encountered by others, you can also share your thoughts.

User Problems
 

"I am an IT administrator of more than 500 end users running Windows 2000 and Windows XP operating systems. One of our user experiences the following problems: her connection to the Internet is suddenly broken. When she restarts her computer, every job seems to be running normally. It is similar to normal, but after a moment, her Internet connection is disconnected again. Interestingly, she noticed that her AOL Instant chat service still works normally when she cannot access E-mail. We have run the netstat command and noticed that many unknown open connections exist on her machine, using some definite ports. This special user uses a laptop and often works at home, so we cannot confirm that all updates have been installed. Is her computer hacked ?"

 
Experts' opinions

 
You can take four steps to solve such problems.

 
Phase 1: Analysis

Determine whether your computer is hacked based on the information provided by the user.

 
Stage 2: Immediate Response

If a workstation is hacked, what kind of work should you do within 24 hours to prevent further damage?
 

Stage 3: Recovery

What do you do after the crucial 24 hours to recover the ipvs operating system and restore it to the original state.
 

Stage 4: Prevention

How can we avoid being hacked in the future?

 
Next, we will introduce these four steps in detail, that is, to combine the experts' respective handling methods.

 
About experts
 

Lawrence Abrams: the CTO of the ISP in New York City, New York, United States. It is also the founding and owner of BleepingComputer.com, which is committed to teaching people the basic concept of malware removal.

 
Kevin Beaver: CISSP, Principle Logic, LLC, Hacking For Dummies (_ 8_xs_ap_i1_xgl14/104-1282594-2443933? V = glance & s = books & n = 507846 "> http://www.amazon.com/exec/obidos/tg/detail/-/076455784X/qid=1078194566/ref=sr_8_xs_ap_i1_xgl14/104-1282594-2443933? V = glance & s = books & n = 507846), co-author of Hacking Wireless Networks For Dummies (http://www.dummies.com/WileyCDA/), and a Windows security threat expert.
 

Tony Bradley: CISSP-ISSAP, MCSE2k, MCSA, A +, About.com Guide for Internet/Network Security edit, and is the creator of Essential Computer Security.

You are hacked: Stage 1-Analysis

 

Lawrence Abrams: in the discovery and analysis phase, the first thing to do is to freeze the laptop so that the infection will not spread and data and evidence will not be damaged or lost. In the case of an incident, a notebook is necessary evidence in court. You must take the correct steps before analyzing any data on its hard disk.

 

Immediately unplug the network cable and cut off the computer power (do not use the built-in shutdown system, but directly cut off ). Then, use byte-to-byte copy tools such as EnCase (http://www.guidancesoftware.com/), FTK Imager (http://www.accessdata.com/ftkuser/imager.htm), WinHex (http://www.x-ways.net/winhex/index-m.html), or can be in Helix Linux CD (http://www.e-fense.com/helix/index2.html) the dd gui on the graphic interface is found, and the data on the hard disk is mirrored from the infected laptop to the Backup Laptop. Now you have a copy of the laptop that you acknowledge in court and lock the original laptop until you have to issue evidence in court before starting it again.

 

Once the data is transferred to a backup laptop, the next step is to identify the infection. In the problem scenario described, the first step I do is to download Fport from Foundstone (http://www.foundstone.com/index.htm? Subnav = resources/navigation.htm & subcontent =/resources/proddesc/fport.htm), and then from http://www.spywareinfo.com /~ Merijn/download HijackThis and run it on your computer to obtain the approximate information. Fport will show which program opens which IP port, and HijackThis will tell you which programs are running with Windows startup. Then using Netstat (http://www.analogx.com/contents/download/network/nsl.htm), you can see that this computer is trying to connect to other machines on the network and infect them.

 

Kevin Beaver: this user's computer may be hacked or infected with some type of malware.

 

Tony Bradley: Some suspicious activities are described in the problem described, but only part of the information is provided in the scenario, it is difficult to determine whether the activity is a malicious attack or a small problem.

 

You are hacked: Stage 2-Immediate Response

 

Lawrence Abrams: using the information found during the analysis phase, you should consolidate the rules of the Enterprise Firewall, prohibit the ports that may be accessed by infected machines, and divide the network into different parts, or it is isolated from the external network.

 

Because AIM (AOL Instant chat tool) can still run, the virus is likely to insert itself into the chat information and want to spread it with it, when the person receiving the message clicks the connection, they may be poisoned. To reduce this risk, you need to immediately block port 5190 (the port used by AIM) in the network ). It is also reasonable to immediately send an email to everyone so that they can disable the instant chat software. The relatively isolated part of the network has no risk of being infected.

 

If they are infected by SDBot/rbot(_gci2%99,00.html "> http://searchwindowssecurity.techtarget.com/sDefinition/0,290660,sid45_gci211699,00.html) or other malicious backdoor software, you should immediately block outbound ports 6666 and 6667, removing possible commands from external IRC servers.

 

Using firewall logs, you should be able to determine whether these machines meet your filtering requirements and be prepared to clear the huge threats. A rough use of programs like Fport scan is necessary for every computer, and it is very useful for discovering infections, but it seems a boring task, but it must be executed.

 

Kevin Beaver: At this stage, you should work according to your company's emergency response plan, and follow every step in detail to ultimately eliminate malicious attacks, and recover from a disaster. The incident response team should then determine whether to seek help from external personnel or perform this operation in the future.

 

Right-the worst case is that your company does not have an emergency plan. In this case, the first thing you should do is not panic. Every machine is shut down in a busy manner. If your workstation contains critical information (such as personal, confidential, or other sensitive information), you must at least disconnect the network to minimize the loss.

 

If an external frequency consultant or legal officer is involved in a formal investigation, all you do is simply unplug the power cord of the Computer (do not use the built-in shutdown of the system, but directly cut off the power supply ), this is the best operation process. In this case, no memory, temporary files, or swap files are tampered with (although they may be corrupted during this brute force shutdown) and then the entire disk is mirrored using tools for investigation.

 

Tony Bradley: The first thing I do is to check whether the anti-virus software is running. I also need to run Microsoft Baseline Security Analyzer (MBSA,_gci1008465,00.html "> http://searchwindowssecurity.techtarget.com/tip/1,289483,sid45_gci1008465,00.html) or similar tools to check if all the required patches are installed.

 

When the connection is disconnected, use the ping command to ping the IP address of the Internet gateway and the IP address of the primary DNS server, which can help us determine whether the machine can still communicate with them. It is very likely that there is a problem with the connection between the DNS server and the DNS server.

You are hacked: Stage 3-recovery

 

Lawrence Abrams: Use patch management tools and manual intervention to confirm that all computers have installed antivirus software, spyware cleanup software, and the latest Windows Update. Each computer must not only be armed with anti-virus software, but also install at least two anti-spyware programs.

 

Kevin Beaver: if no formal investigation is conducted, the main concern at this time is to ensure that the machine is clean when it is re-connected to the network. These may include using a well-known recovery tool for recovery, or starting the computer without the network, and then running different tools, such as anti-spyware, anti-virus software, Rootkit detection/removal tools, TCP/UDP port Ing tools, personal firewall software with application protection, etc., to confirm that it is clean.

 

At the same time, change any password that may be stored in the Local System (Windows, AIM, and so on ). Once the machine is cleaned up, you can install a Network Analysis Tool (Sniffer-pilot) on it before you put it back on the network ).
 

The next step is to start packet capture, or at least monitor protocols and connections to confirm that no suspicious or malicious things continue to appear on the network.

 

Tony Brad