THE ABC's of Hacking
Recovering from a system compromise. What to do if you've been hacked.

If you find you've been hacked, simply deleting the Trojan horse or closing the open share is often not enough. Using the initial security breach as an entry point, an attacker could easily have created other backdoors into your system or even modified the operating system itself. Because of this there is only one real way to secure a system which has been compromised, and that is to reinstall it from a known-good source. This document describes the steps involved in recovering a typical Windows system from a security compromise.
Step 1 : Isolate the affected machine.

You should disconnect any compromised machine from both the internet and any local network as soon as you realize it's been compromised. This helps limit the potential damage both to your own systems (remote attackers can no longer gain access) and to other systems on the internet (your machine cannot be used to attack others). It's important to physically disconnect the machine from the network. That's right, unplug the network cable or power off the modem. Cable and DSL modems in particular often feature 'standby' buttons which claim to isolate the computer from the network - in several cases this is simply not true: even with the modem in standby mode the computer is still connected to the network.

At this point you should consider what other actions you need to take. Do you, for example, store bank or credit card details on your PC? If you do, you should inform the appropriate organizations at once that your accounts may be compromised. Have you used your credit card number online recently? Again, if you have, you should inform the credit card company that your number may have been compromised.

Any password or secure data stored or used on your PC should be assumed to have been compromised and changed at once. This includes ISP access passwords, FTP, email and website passwords, as well as any other service you use which requires a secure login.
Step 2 : Find out how serious the problem is.

If you only have one computer you can safely skip this section; those with home networks should read on. A compromised machine on a network can lead to the compromise of all other machines connected to that network. The risk of this happening depends on a number of things, including:

The length of time the security breach has gone undetected. Be honest with yourself and assume the worst case scenario is true when evaluating this. When did you first suspect something might be wrong? When did you last scan your network for viruses and Trojan horses? When did you last verify that your files hadn't been tampered with? The longer a compromised machine has been on a network, the greater the chances of other machines on the network being affected.

The type of network you run. If all machines on your network have unrestricted access to and from the compromised machine, the chances of a network-wide security breach increase dramatically. On the other hand, if you restrict access between machines, either by using desktop firewall products or by means of username/password authentication, the risk falls.

The presence (or absence) of anti-virus and desktop firewall software. If each machine runs properly maintained, independent anti-virus and desktop firewall software, the risk of a network-wide security breach falls sharply.
Step 3 : Begin the cleanup.

Locate the original software distribution disks for your operating system, any drivers you need for your system and any license information you'll need during the installation. You will be performing a clean install on the affected machines, so you will lose any data stored on them unless you have backups. If you haven't got recent backups, follow the procedure below:

Start up the compromised machine without connecting to any network. Copy any data files you wish to keep to floppy disks or CD-R media, if at all possible in non-executable form (i.e. save Word files as rich text, since it can't contain macro viruses). DO NOT COPY PROGRAM FILES! Label this media clearly as potentially infected and store it safely. You are now ready to begin rebuilding your machine. To be absolutely sure that your system does not remain compromised, follow the steps below before installing your operating system.
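As an added example (not part of the original article), the following Python script implements the selective copy described above: allow-listed data formats are copied to the rescue folder and recorded in a hashed manifest labelled as potentially infected, macro-capable Office files are reported for re-saving as RTF first, and everything else, program files included, is refused. The extension lists, folder names and sample files are assumptions chosen for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Formats that cannot carry macros or code; everything else is refused outright.
DATA_EXTENSIONS = {".txt", ".rtf", ".csv", ".jpg", ".jpeg", ".png", ".gif", ".bmp"}
# Office formats that can hold macros: the article says to save these as RTF
# first, so they are reported for manual conversion instead of being copied.
MACRO_CAPABLE = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}

def classify(path: Path) -> str:
    """Decide whether a file may go onto the rescue media."""
    ext = path.suffix.lower()
    if ext in DATA_EXTENSIONS:
        return "copy"
    if ext in MACRO_CAPABLE:
        return "convert"  # re-save as RTF/CSV on the isolated machine, then copy
    return "skip"  # programs, scripts and unknown types are never copied

def rescue_copy(src_root: Path, dest_root: Path) -> dict:
    """Copy allow-listed data files and write a hashed manifest labelled as suspect."""
    report = {"copy": [], "convert": [], "skip": []}
    manifest = ["POTENTIALLY INFECTED: data rescued from a compromised machine"]
    for path in sorted(p for p in src_root.rglob("*") if p.is_file()):
        rel = path.relative_to(src_root).as_posix()
        verdict = classify(path)
        report[verdict].append(rel)
        if verdict != "copy":
            continue
        target = dest_root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(path, target)  # contents only: no attributes or streams
        manifest.append(f"{hashlib.sha256(path.read_bytes()).hexdigest()}  {rel}")
    dest_root.mkdir(parents=True, exist_ok=True)
    manifest_path = dest_root / "MANIFEST.txt"
    manifest_path.write_text("\n".join(manifest) + "\n")
    report["manifest"] = str(manifest_path)
    return report

def demo() -> dict:
    """Run the copy over a constructed sample tree (stub bytes, not real files)."""
    work = Path(tempfile.mkdtemp())
    src, dest = work / "compromised", work / "rescue_media"
    src.mkdir()
    (src / "letter.txt").write_text("dear sir")
    (src / "budget.xls").write_bytes(b"\xd0\xcf\x11\xe0 constructed stub")
    (src / "setup.exe").write_bytes(b"MZ constructed stub")
    (src / "photo.jpg").write_bytes(b"\xff\xd8\xff constructed stub")
    return rescue_copy(src, dest)
```

Calling demo() copies only letter.txt and photo.jpg, lists budget.xls for conversion and refuses setup.exe; the manifest's SHA-256 values let you later check that the rescued files were not altered while the media sat in storage.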