I've been hacked -- I think ...

By SearchWindowsSecurity.com Editors
21 Apr 2005 | SearchWindowsSecurity.com

The following is the Featured ITKnowledge Exchange Tip for April 21, 2005.

Question

"LMullen" writes: I'm an IT administrator with a little over 500 end users, running Windows 2000 and XP. One of our users is experiencing a problem with her Internet connection suddenly dropping for no apparent reason. When she restarts her computer, everything works fine for a while, but then the connection drops again. The funny thing is, she's noticed that her AOL Instant Messenger service still works even when she can't access her e-mail. We've already run Netstat and noticed that more unknown open connections are being used to certain ports. This particular user has a laptop and works from home frequently, so we're not sure all updates have been installed.

Has her computer been hacked? If so, what can I do initially to contain the damage, and what steps can I take to prevent such occurrences in the future?

Responses

  • "DrillO" writes: The best you can do is install antispyware as suggested and start your cleanup there. There are many other places to go, but that would be a start. The largest part of all of this is prevention. The standard setup for machines attaching to the network should be a good antivirus solution and a good antispyware solution. Yes, I know that you cannot beat everything, but you must exercise caution. It is also important to manage and maintain updates. If this is a personal machine, then you should insist that these things are taken care of if they want to plug in to your network. If it is a corporate or company-owned machine, then you must be sure that the machine is surrendered regularly for maintenance.
  • "jpagel" writes: My personal suggestion would be for you to go get Microsoft AntiSpyware once it's up to date. I would also go download Ad-Aware, Spybot Search & Destroy and SpywareBlaster. Make sure you update all of them before running.

    If there is an antivirus on the machine, I would make sure it is up to date and run a full system scan on it in safe mode with system restore turned off (along with all your other antispyware scans), because viruses and spyware have a tendency to keep themselves in the system volume information and system restore. This allows them to come back easily due to the fact that a lot of scans do not scan there by default because system restore basically "locks" the folder. If you do not have an antivirus, I would suggest Computer Associates EZArmor, which is their AV/firewall combo. It is a very "lite" program as far as not using much memory and space (compared to using Norton or McAfee). There are updates out for the AV every day, and if there is a new version out, you have full access to download and install it (for the first year). Also the firewall is very easily configurable, and the whole suite is very easy to use. Make sure that your Windows Operating System is up to date. If the machine is XP, make sure SP2 is installed. All this can be accessed from here.

    I doubt you have been hacked. Make sure you check the 'hosts' files on your machine, but most likely the dropping off of the network is due to spyware or a virus.

  • "marcjacquard" writes: First of all, until you know what the issue is, do not allow this machine to plug into the corporate network. You have no idea what is running and what the damage could be. Second, you need to decide if you are going to spend the time necessary to debug and fix the machine or just rebuild it and start over. Once you have fixed the machine, install A/V, antispyware and a good desktop firewall. Anything not from Computer Associates is a good choice. Reviews on security products indicate they score the lowest on almost all points.

    Also, AOL messenger has the potential for bringing things into the network. You should rethink the use of this product on company owned equipment.
