You've been hacked: Stage three -- Recovery

By Lindsay Mullen, Assistant Editor
21 Apr 2005 | SearchWindowsSecurity.com


Once the first 24 hours after a hacking incident have passed, what actions should you take to get the infected workstation back on track? Read what the experts have to say, or click here to go back to the scenario.


Lawrence Abrams: Using patch management tools or manual intervention, make sure all computers have antivirus, spyware removal software and Windows updates installed. Each computer should be armed with not only AV software, but also at least two antispyware programs.

Kevin Beaver: If a formal investigation is not going to be pursued, the main concern here is making sure the system is clean before putting it back online. This may involve restoring it from a known good backup, or if that's not reasonable, booting it up (off the network) and running various utilities such as antispyware, antivirus, rootkit detection/removal, TCP/UDP port mappers, personal firewall with application protection, etc., to make sure it's clean.

Also, change any passwords that would've been stored on the local system (Windows, AIM, etc.). Once the system is clean, you can install a network analyzer on it (preferably a commercial program such as Sniffer or EtherPeek that's easy to use) before putting it back on the network.

The next step would be to start capturing packets or at least monitoring protocols and connections to ensure nothing suspicious or malicious is going on.

Tony Bradley: Assuming that the pings to both addresses work, I would do a tracert to an external Web site to determine where communication is failing. Assuming that the system is a Windows operating system, I would check the event, system and security logs for any information or evidence of suspicious activity. Obviously, the ports discovered from the Netstat scan should be investigated. I would do a Google search for the suspicious port numbers to identify known Trojans, backdoors or other malware that utilize those specific ports.

Your response, both initial and long term, depends on your company policies and your own abilities. Many companies have a policy to simply reformat or re-image a machine that appears to be compromised, and doing so virtually guarantees the problem will be removed -- at least short term.

If deeper forensic investigation is warranted, the machine could be quarantined or an image of the drive created. However, doing so requires resources in terms of people, equipment and time, and the results may not be worth the time invested to find them.
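A triage script, added here as an example and not part of the article or the experts' own advice, that follows the steps Beaver and Bradley describe for a machine booted off the network: map listening and established ports to their owning processes, flag listeners running from user-writable paths, and pull recent logon and new-service events from the logs. It assumes PowerShell 5.1 or later with the NetTCPIP module (Windows 8 / Server 2012 or newer) run from an elevated prompt; the event IDs and path patterns are my choices, not from the article.

```powershell
# Added example (not from the article): offline triage of a compromised Windows
# workstation before it goes back on the network.
# Assumes: PowerShell 5.1+, NetTCPIP module, elevated prompt.

# 1. Ports: map each listening or established TCP connection to its process and image path
#    (the netstat step the experts mention, with the owning process resolved).
$conns = Get-NetTCPConnection | Where-Object { $_.State -in 'Listen', 'Established' }
$report = foreach ($c in $conns) {
    $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalPort  = $c.LocalPort
        RemoteAddr = $c.RemoteAddress
        State      = $c.State
        PID        = $c.OwningProcess
        Process    = $p.ProcessName
        Path       = $p.Path          # null for System/Idle or protected processes
    }
}
$report | Sort-Object LocalPort | Format-Table -AutoSize

# 2. Leads: listeners whose image lives in a user-writable location.
#    Treat a hit as something to investigate, not as a verdict.
$suspectPaths = '\\Users\\|\\Temp\\|\\AppData\\'   # constructed pattern, extend as needed
$report | Where-Object { $_.Path -and $_.Path -match $suspectPaths } |
    Format-Table LocalPort, PID, Process, Path -AutoSize

# 3. Logs: successful (4624) and failed (4625) logons plus new services (7045)
#    from the last 7 days, the "event, system and security logs" review.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Account'; e = { $_.Properties[5].Value } } |   # TargetUserName for 4624/4625
    Format-Table -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

Save the three outputs alongside the drive image if a formal investigation may follow; the port-to-process mapping is what you search for when checking whether a port is known to be used by specific malware.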


Stage four: Preventative measures


About the experts: Expert bios are available on the scenario page.
