Windows Security Clinic: You've been hacked! Now what?

If you think a workstation has been hacked, you must identify and troubleshoot the problem immediately. Three Windows security experts offer possible courses of action to take.

If you have to support end users in your organization, you're probably familiar with frantic claims like "I think

I've been hacked!" whenever a computer fails. While some situations require immediate action, others are simple cases of user overreaction. To help you identify and troubleshoot when a user has truly been hacked, check out the following scenario. We'll present an end-user's problem followed by diagnoses and possible courses of action to take from three Windows security experts. Then, go to ITKnowledge Exchange to read what your peers have to say about the problem and to share your own thoughts.


The user's problem

"I'm an IT administrator with a little over 500 end users running Windows 2000 and XP. One of our users is experiencing a problem: Her Internet connection drops suddenly for no apparent reason. When she restarts her computer, everything works fine for awhile, but then the connection drops again. The funny thing is, she's noticed that her AOL Instant Messenger service still works even when she can't access her e-mail. We've already run Netstat and noticed that more unknown open connections are being used to certain ports. This particular user has a laptop and works from home frequently, so we're not sure all updates have been installed. Has her computer been hacked?"

More Security Clinics
  • Rooting out a rootkit
  • Got spyware? Clean it up
  • The experts' remedy

    Stage one: Diagnosis
    Given the information in the scenario, has this person been hacked or not? Click here to find out.

    Stage two: Immediate actions
    What steps should you take within the first 24 hours after a workstation has been hacked to prevent further damage? Click here to find out.

    Stage three: Recovery
    After the first critical 24-hour window passes, what should you do to start getting Windows back on track? Click here to find out.

    Stage four: Preventative measures
    How can you avoid being hacked in the future? Click here to find out.


    About the experts

    Lawrence Abrams: CTO of a New York City, NY.-based ISP, and owner/creator of BleepingComputer.com, a Web site devoted to teaching basic computer concepts focusing on the removal of malware.

    Kevin Beaver: CISSP, Principle Logic, LLC, author of Hacking For Dummies, co-author of Hacking Wireless Networks For Dummies and SearchWindowsSecurity.com's Windows Security Threats expert.

    Tony Bradley: CISSP-ISSAP, MCSE2k, MCSA, A+, editor of the About.com Guide for Internet/Network Security and creator of the Essential Computer Security.



    This was first published in April 2005

    Dig deeper on Network intrusion detection and prevention and malware removal

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    SearchVirtualDesktop

    SearchWindowsServer

    SearchExchange

    Close