THE ABC's of Hacking

Written by dDawg


Recovering from a system compromise.

What to do if you've been hacked.

If you find you've been hacked, simply deleting the Trojan horse or closing the open share is often not enough. Using the initial security breach as an entry point, an attacker could easily have created other backdoors into your system or even modified the operating system itself. Because of this, there is only one reliable way to secure a system which has been compromised: reinstall it from a known-good source. This document describes the steps involved in recovering a typical Windows system from a security compromise.

Step 1 : Isolate the affected machine. You should disconnect any compromised machine from both the internet and any local network as soon as you realize it's been compromised. This helps limit the potential damage both to your own systems (remote attackers can no longer gain access) and to other systems on the internet (your machine cannot be used to attack others). It's important to physically disconnect the machine from the network. That's right, unplug the network cable or power off the modem. Cable and DSL modems in particular often feature 'standby' buttons which claim to isolate the computer from the network - in several cases this is simply not true; even with the modem in standby mode the computer is still connected to the network.

At this point you should consider what other actions you need to take. Do you, for example, store bank or credit card details on your PC? If you do, you should inform the appropriate organizations at once that your accounts may be compromised. Have you used your credit card number online recently? Again, if you have, you should inform the credit card company that your number may have been compromised.

Any password or secure data stored or used on your PC should be assumed to have been compromised and changed at once. This includes ISP access passwords, FTP, email and website passwords, as well as any other service you use which requires a secure login. Change them from a machine you trust, not from the compromised one.

Step 2 : Find out how serious the problem is. If you only have one computer you can safely skip this section; those with home networks should read on. A compromised machine on a network can lead to the compromise of all other machines connected to that network. The risk of this happening depends on a number of things, including :

The length of time the security breach has gone undetected. Be honest with yourself and assume the worst case scenario is true when evaluating this. When did you first suspect something might be wrong? When did you last scan your network for viruses and Trojan horses? When did you last verify that your files hadn't been tampered with? The longer a compromised machine has been on a network, the greater the chances are that other machines on the network have been affected.

The type of network you run. If all machines on your network have unrestricted access to and from the compromised machine, the chances of a network-wide security breach increase dramatically. On the other hand, if you restrict access between machines, either by using desktop firewall products or by means of username/password authentication, the risk falls.

The presence (or absence) of anti-virus and desktop firewall software. If each machine runs properly maintained, independent anti-virus and desktop firewall software, the risk of a network-wide security breach falls sharply.

Step 3 : Begin the cleanup. Locate the original software distribution disks for your operating system, any drivers you need for your system and any license information you'll need during the installation. You will be performing a clean install on the affected machines, so you will lose any data stored on them unless you have backups. If you haven't got recent backups, follow the procedure below :

Start up the compromised machine without connecting to any network. Copy any data files you wish to keep to floppy disks or CD-R media, if at all possible in non-executable form (e.g. save Word files as Rich Text Format, which cannot carry Word macros). DO NOT COPY PROGRAM FILES! An executable renamed to look like a document is still an executable, so judge files by their contents, not just their names. Label this media clearly as potentially infected and store it safely. You are now ready to begin rebuilding your machine. To be absolutely sure that your system does not remain compromised, follow the steps below before installing your operating system.
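The selection rule in the backup step above, worked out as a small script. This is an added example, not code from the original article: it copies a directory tree to a backup location, keeping only files whose extension is on a data allowlist and whose first bytes do not match a known executable or legacy Office container signature (so a renamed .exe is caught), and it reports what it skipped. The allowlist, the signature table and the sample file tree it builds under a temporary directory are all assumptions constructed for the example.

```python
"""Select data files for an offline backup of a compromised machine.

Added example, not from the original article. Policy: copy only files whose
extension is on a data allowlist AND whose first bytes do not look like an
executable (an attacker can rename evil.exe to report.rtf). Everything else
is counted and skipped. The allowlist, magic table and sample tree are
assumptions made for this example.
"""
import os
import shutil
import tempfile

# Extensions we are willing to copy (hypothetical allowlist). Legacy .doc/.xls
# are left out on purpose: they can carry macros, and the article recommends
# saving such documents as RTF instead.
DATA_EXTENSIONS = {".rtf", ".txt", ".csv", ".jpg", ".jpeg", ".png", ".pdf"}

# Leading bytes of formats we never copy, whatever the file is called.
EXECUTABLE_MAGIC = (
    b"MZ",                 # PE/DOS executables: .exe, .dll, .scr
    b"\x7fELF",            # ELF binaries (dual-boot data partitions)
    b"\xd0\xcf\x11\xe0",   # OLE2 compound file: legacy Office with macros
)


def classify(name: str, head: bytes) -> str:
    """Return 'copy', 'skip-extension' or 'skip-magic' for one file."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in DATA_EXTENSIONS:
        return "skip-extension"
    for magic in EXECUTABLE_MAGIC:
        if head.startswith(magic):
            return "skip-magic"
    return "copy"


def backup_tree(src: str, dst: str) -> dict:
    """Walk src, copy approved files into dst, return counts per decision."""
    counts = {"copy": 0, "skip-extension": 0, "skip-magic": 0}
    for dirpath, _dirs, files in os.walk(src):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                head = fh.read(8)          # enough for every magic above
            decision = classify(fname, head)
            counts[decision] += 1
            if decision == "copy":
                target = os.path.join(dst, os.path.relpath(full, src))
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copy2(full, target)
    return counts


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and back it up."""
    src = tempfile.mkdtemp(prefix="compromised_")
    dst = tempfile.mkdtemp(prefix="backup_")
    samples = {                                   # constructed contents
        "letters/note.rtf": b"{\\rtf1 hello}",
        "photos/cat.jpg": b"\xff\xd8\xff\xe0 jpeg",
        "tools/game.exe": b"MZ\x90\x00 program",
        "letters/renamed.rtf": b"MZ\x90\x00 program",   # .exe renamed as data
        "old/budget.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    }
    for rel, data in samples.items():
        path = os.path.join(src, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return backup_tree(src, dst)


if __name__ == "__main__":
    print(demo())   # {'copy': 2, 'skip-extension': 2, 'skip-magic': 1}
```

The magic-byte check is the part worth keeping: the extension filter alone would have copied renamed.rtf onto the "clean" media.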

Cyber Terrorism: DDOS Attacks

Written by dDawg


DDoS attacks: what are they exactly? Many sites have been reporting DDoS attacks without much explanation, so we figured we should provide some details.

What Exactly is a DDOS Attack?

It was in early 2000 that most people became aware of the dangers of distributed denial of service (DDoS) attacks, when a series of them knocked such popular Web sites as Yahoo, CNN, and Amazon off the air.

It's been almost four years since they first appeared, but DDoS attacks are still difficult to block. Indeed, if they're made with enough resources, some DDoS attacks - including SYN floods (named for the TCP synchronization packet) - can be impossible to stop.

No server, no matter how well it's protected, can be expected to stand up to an attack made by thousands of machines. Indeed, Arbor Networks, a leading anti-DDoS company, reports DDoS zombie armies of up to 50,000 systems. Fortunately, major DDoS attacks are difficult to launch; unfortunately, minor DDoS attacks are easy to create.

In part, that's because there are so many types of DDoS attacks that can be launched. For example, last January the Slammer worm targeted SQL Server 2000, but an indirect effect, as infected SQL Server installations tried to spread Slammer, was a DDoS on network resources, as every bit of bandwidth was consumed by the worm's scanning traffic.

Thus, a key to thinking about DDoS is that it's not so much a kind of attack as an effect of many different kinds of network attacks. In other words, a DDoS may result from malicious code attacking the TCP/IP protocol or assaulting server resources, or it could be as simple as too many users demanding too much bandwidth at one time.

Typically, though, when we're talking about DDoS attacks, we mean attacks on your TCP/IP stack. There are three types of such attacks: the ones that target holes in a particular TCP/IP implementation; those that target weaknesses inherent in TCP/IP itself; and the boring, but effective, brute force attacks. For added trouble, brute force also works well in combination with the first two methods.

The Ping of Death is a typical TCP/IP implementation attack. In this assault, the attacker sends an IP datagram whose fragments reassemble to more than the 65,535 bytes the IP standard allows as a maximum size (no single link carries a packet that large, so it always arrives as fragments). When this fat packet is put back together, it overflows the reassembly buffer and crashes systems that are using a vulnerable TCP/IP stack. No modern operating system or stack is vulnerable to the simple Ping of Death, but it was a long-standing problem with Unix systems, and early Windows stacks fell to it as well.

The Teardrop, though, is an old attack still seen today that relies on poor TCP/IP implementation. It works by interfering with how stacks reassemble IP packet fragments. The trick here is that when an IP packet is broken into smaller chunks, each fragment carries its own copy of the IP header, including a fragment offset field that tells the TCP/IP stack which bytes of the original packet it contains. When it works right, this information is used to put the packet back together again.

What happens with Teardrop, though, is that your stack is buried with IP fragments whose offsets overlap. When your stack tries to reassemble them, it can't, and if it doesn't know to toss these trash fragments out, it can quickly fail. Most systems know how to deal with Teardrop now, and a firewall can block Teardrop packets at the expense of a bit more latency on network connections, since it must then inspect or discard every fragmented packet. Of course, if you throw a ton of Teardrop busted packets at a system, it can still crash.
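The two reassembly faults above, Ping of Death and Teardrop, come down to arithmetic on three header fields: the fragment offset (on the wire in 8-byte units), the fragment's payload length, and the More Fragments flag. The following is an added example, not code from the original article, that runs that arithmetic the way a careful stack should, flagging a fragment set whose total exceeds 65,535 bytes, one whose fragments overlap, and one that is simply still waiting for the rest. The fragment sets are constructed for the example; the function name and its verdict strings are this example's own.

```python
"""Classify the fragments of one IPv4 datagram as a stack would during
reassembly, flagging Ping-of-Death and Teardrop conditions.

Added example, not code from the original article. Each fragment is modelled
by the three header fields a stack actually reads: fragment offset (in 8-byte
units, as on the wire), payload length in bytes, and the More Fragments (MF)
flag. All sample fragment sets below are constructed.
"""

MAX_DATAGRAM = 65535   # IPv4 total-length field is 16 bits: 65,535 bytes


def check_fragments(frags):
    """Return one of 'ok', 'ping-of-death', 'teardrop' or 'incomplete'.

    frags: iterable of (offset_units, length_bytes, more_fragments).
    ping-of-death: a fragment ends beyond the 65,535-byte maximum, so a
        stack with a fixed-size reassembly buffer would overflow it.
    teardrop: a fragment claims bytes already covered by an earlier one.
    incomplete: gaps remain or no final (MF=0) fragment has arrived yet.
    """
    seen = set()        # (start, end) pairs already accepted
    covered_to = 0      # first byte offset not yet covered
    gap = False
    saw_last = False
    for offset_units, length, more in sorted(frags):
        if length <= 0 or offset_units < 0:
            raise ValueError("offset must be >= 0 and length > 0")
        start = offset_units * 8
        end = start + length
        if end > MAX_DATAGRAM:
            return "ping-of-death"
        if (start, end) in seen:
            continue                 # exact duplicate: benign retransmission
        seen.add((start, end))
        if start < covered_to:
            return "teardrop"        # overlaps bytes we already have
        if start > covered_to:
            gap = True               # missing bytes before this fragment
        covered_to = end
        if not more:
            saw_last = True
    if gap or not saw_last:
        return "incomplete"
    return "ok"


# Constructed sample fragment sets: (offset in 8-byte units, length, MF).
SAMPLES = {
    # A normal 3,000-byte datagram split for a 1,500-byte MTU:
    # 1,480 payload bytes per fragment is 185 offset units.
    "normal": [(0, 1480, True), (185, 1480, True), (370, 40, False)],
    # Same datagram with the last fragment still in flight.
    "waiting": [(0, 1480, True), (185, 1480, True)],
    # Out-of-order delivery plus one retransmitted fragment: still fine.
    "reordered": [(370, 40, False), (0, 1480, True),
                  (185, 1480, True), (0, 1480, True)],
    # Ping of Death: last fragment at 8185*8 = 65,480 with 100 bytes of
    # payload reassembles to 65,580 bytes, past the 65,535 limit.
    "ping_of_death": [(0, 1480, True), (8185, 100, False)],
    # Teardrop: second fragment starts at byte 24, inside the first (0..36).
    "teardrop": [(0, 36, True), (3, 24, False)],
}


def classify_samples():
    """Run every constructed sample through check_fragments."""
    return {name: check_fragments(frags) for name, frags in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:14s} -> {verdict}")
```

The duplicate check matters in practice: a filter that treats every overlap as hostile will also drop honest retransmissions, which is the latency cost the paragraph above mentions.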

And then there's SYN, to which there really isn't a perfect cure. In a SYN flood, the attack works by overwhelming the three-way handshake that has to happen between two TCP endpoints when they start a session. The client sends a TCP SYN (synchronization) packet, which is followed by a TCP SYN-ACK acknowledgment packet from the server. Then the client replies with an ACK (acknowledgment). Once this has been done, the applications are ready to work with each other. The flooder sends a stream of SYNs, usually from spoofed source addresses, and never sends the final ACK, so the server's table of half-open connections fills up and genuine SYNs are refused.
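The handshake just described, simulated against a server that can only remember a fixed number of half-open connections. This is an added example, not code from the original article: it replays constructed SYN and ACK events through a tiny server model and shows a genuine client being refused while the flood holds the table, then succeeding once the stale entries time out. The backlog size, the timeout, the addresses and the event timings are all assumptions made for the example.

```python
"""Simulate the TCP three-way handshake against a server whose table of
half-open connections has a fixed size, to show how a SYN flood starves
legitimate clients.

Added example, not code from the original article. BACKLOG and SYN_TIMEOUT
are hypothetical values (real stacks make them tunable); the traffic is
constructed (time, kind, client) events, where kind is "SYN" or "ACK".
"""

BACKLOG = 4          # half-open entries the server keeps at once
SYN_TIMEOUT = 30.0   # seconds before an unanswered SYN-ACK is abandoned


class Server:
    def __init__(self, backlog=BACKLOG, syn_timeout=SYN_TIMEOUT):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.half_open = {}        # client -> time we sent SYN-ACK
        self.established = []      # clients that completed the handshake
        self.dropped = []          # clients whose SYN found the table full

    def _expire(self, now):
        """Forget half-open entries whose SYN-ACK went unanswered."""
        for client, sent in list(self.half_open.items()):
            if now - sent > self.syn_timeout:
                del self.half_open[client]

    def on_syn(self, now, client):
        self._expire(now)
        if client in self.half_open:
            return "syn-ack"           # retransmitted SYN, resend SYN-ACK
        if len(self.half_open) >= self.backlog:
            self.dropped.append(client)
            return "dropped"           # table full: SYN silently discarded
        self.half_open[client] = now   # step 2: SYN-ACK sent, state kept
        return "syn-ack"

    def on_ack(self, now, client):
        if client in self.half_open:   # step 3: handshake completes
            del self.half_open[client]
            self.established.append(client)
            return "established"
        return "rst"                   # ACK for a connection we don't know


def run(events, **server_args):
    """Feed time-ordered events to a fresh Server and return it."""
    srv = Server(**server_args)
    for now, kind, client in sorted(events):
        if kind == "SYN":
            srv.on_syn(now, client)
        elif kind == "ACK":
            srv.on_ack(now, client)
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return srv


def summarize(srv):
    return {"established": srv.established,
            "dropped": srv.dropped,
            "half_open": len(srv.half_open)}


# Constructed traffic. The flooder sends one SYN per second from five
# (spoofed) sources and never answers the SYN-ACKs; a genuine client
# then attempts a full handshake.
FLOOD = [(float(i), "SYN", f"10.0.0.{i}") for i in range(1, 6)]


def flood_outcome():
    """Genuine client arrives while the table is still full."""
    legit = [(5.5, "SYN", "192.0.2.10"), (5.6, "ACK", "192.0.2.10")]
    return summarize(run(FLOOD + legit))


def late_client_outcome():
    """Same flood, but the client arrives after the entries have timed out."""
    legit = [(40.0, "SYN", "192.0.2.10"), (40.1, "ACK", "192.0.2.10")]
    return summarize(run(FLOOD + legit))


if __name__ == "__main__":
    print("during flood:", flood_outcome())
    print("after timeout:", late_client_outcome())
```

With these numbers the attacker only needs to keep roughly BACKLOG / SYN_TIMEOUT new SYNs per second arriving (here, one every 7.5 seconds) to keep the table full indefinitely, which is why a SYN flood is so cheap for the attacker and why spoofed source addresses make the stale entries impossible to attribute.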

 
ImproveHomeLife.com © 2005