THE ABC's of Hacking Recovering from a system compromise. Written By: dDawg
What to do if you've been hacked.
If you find you've been hacked, simply deleting the Trojan horse or closing the open share is often not enough. Using the initial security breach as an entry point, an attacker could easily have created other backdoors into your system or even modified the actual operating system itself. Because of this there is only one real way to secure a system which has been compromised, and that is to reinstall it from a known-good source. This document describes the steps involved in recovering a typical Windows system from a security compromise.
Step 1 : Isolate the affected machine.
You should disconnect any compromised machine from both the internet and any local network as soon as you realize it's been compromised. This helps limit the potential damage both to your own systems (remote attackers can no longer gain access) and to other systems on the internet (your machine cannot be used to attack others). It's important to physically disconnect the machine from the network. That's right, unplug the network cable or power off the modem. Cable and DSL modems in particular often feature 'standby' buttons which claim to isolate the computer from the network - in several cases this is simply not true; even with the modem in standby mode the computer is still connected to the network.
At this point you should consider what other actions you need to take. Do you, for example, store bank or credit card details on your PC? If you do, you should inform the appropriate organizations at once that your accounts may be compromised. Have you used your credit card number online recently? Again, if you have, you should inform the credit card company that your number may have been compromised.
Any password or secure data stored or used on your PC should be assumed to have been compromised and changed at once. This includes ISP access passwords, FTP, email and website passwords, as well as any other service you use which requires a secure login.
Step 2 : Find out how serious the problem is.
If you only have one computer you can safely skip this section; those with home networks should read on. A compromised machine on a network can lead to the compromise of all other machines connected to that network. The risk of this happening depends on a number of things, including:
- The length of time the security breach has gone undetected. Be honest with yourself and assume the worst case scenario is true when evaluating this. When did you first suspect something might be wrong? When did you last scan your network for viruses and Trojan horses? When did you last verify that your files hadn't been tampered with? The longer a compromised machine has been on a network, the greater the chances of other machines on the network being affected.
- The type of network you run. If all machines on your network have unrestricted access to and from the compromised machine, the chances of a network-wide security breach increase dramatically. On the other hand, if you restrict access between machines, either by using desktop firewall products or by means of username/password authentication, the risk falls.
- The presence (or absence) of anti-virus and desktop firewall software. If each machine runs properly maintained, independent anti-virus and desktop firewall software, the risk of a network-wide security breach falls sharply.
Step 3 : Begin the cleanup.
Locate the original software distribution disks for your operating system, any drivers you need for your system and any license information you'll need during the installation. You will be performing a clean install on the affected machines, so you will lose any data stored on them unless you have backups. If you haven't got recent backups, follow the procedure below:
1. Start up the compromised machine without connecting to any network.
2. Copy any data files you wish to keep to floppy disks or CD-R media, if at all possible in non-executable form (i.e. save Word files as Rich Text, since it can't contain macro viruses). DO NOT COPY PROGRAM FILES! Label this media clearly as potentially infected and store it safely.
You are now ready to begin rebuilding your machine. To be absolutely sure that your system does not remain compromised, follow the steps below before installing your operating system.
1. Restart your PC in DOS mode (NT/Win2k users should boot from the CD-ROM or setup disks).
2. Use the FDISK command to delete all partitions on the disk (NT/2k users should follow the appropriate prompts in the setup program).
3. Power cycle your PC with the setup disk in the floppy drive or CD-ROM drive as appropriate (switch off, wait 10 seconds, switch on). This applies to all versions of Windows including NT and Win2k (power cycle after removing the partitions; don't worry about still being in the setup utility) and ensures that any memory-resident or boot sector virus is removed.
4. Reload your operating system and required drivers from the original disks.
At this point you'll have a working system with no software installed other than the operating system and drivers. Assuming you used only original media, the system will be free of any Trojan horse or virus but may not be secure.
Step 4 : Secure your system and load additional software.
You now need to obtain and apply the latest security patches for your operating system. Ideally you should download these from their source using another machine and apply them from disk. If that is not possible, connect your rebuilt system to the internet for the minimum period possible to obtain the patches you need. Apply them at once. You should be aware that this opens your system to potential compromise while you are downloading the patches, so keep the connection as short as possible. Windows 98, ME and 2000 users can use the 'Windows Update' function to automatically update their systems.
Once your system is updated, you can begin installing additional software. Be sure only to use software you know has not been tampered with, ideally from original distribution media. If necessary, download a fresh copy from the source and use that. Install software in a logical order, beginning with security-related products (anti-virus, firewall etc.).
Step 5 : Finishing off.
Once you've installed and configured all your software you are ready to begin restoring the data from backups. Before doing so, you may wish to make an image copy of your system using a utility such as Norton's Ghost. This will allow you to quickly restore the machine to a known clean state in the event of future compromise. If you do this, store the image on non-volatile media such as CD-ROM. You may also wish to take a 'fingerprint' of the files installed on your machine to enable comparison in future. See 'Attack Mitigation' for details on this.
When you eventually restore the data, do so gradually, especially if you copied the files from an infected machine. Virus scan each one first and discard any with unexpected macros.
That's it, your machine is now rebuilt and ready to reconnect to the network and the internet. It's been a lot of work, but you now know for sure that your machine is virus-free and reasonably secure against attack in future.
Attack Mitigation
There are a number of steps you can take to limit the damage done by a system compromise. Not all apply to all systems and some require additional software, but they can make your life considerably easier if you are unfortunate enough to be hacked.
File Signatures
Keeping a database of file signatures can help you pinpoint any files which change unexpectedly. This is often one of the first signs of a security breach. You can get free file signature checkers from a number of sources; we suggest WinTerrogate (all versions of Windows, basic but effective) from http://winfingerprint.sourceforge.net or LANGuard File Integrity Checker (NT/2000 only, more advanced) from http://www.gfi.com/languard
Image Files
Taking an image of your disk regularly can dramatically reduce the amount of work involved in recovering from a security breach. The best known tool for doing this is Norton's Ghost, although there are other options. You should keep two or three image files on non-volatile media and update them regularly.
Keep the data on a separate partition.
Keeping your data on a separate partition (ideally on a separate disk) will reduce the amount of work needed if you have to rebuild the system. It also makes backing up much easier and can improve overall system performance.
About the Author
An elite team of regular "Joes" fighting back & making huge cash online one day at a time. dDawg as a team has been able to create a profit on the internet. http://www.str8junk.com