
You've been hacked: What to do in the first hour

Robert L. Bogue

Published: 14 Jul 2003 10:15 BST


The next step is to review group memberships to ensure that no users have been given new group memberships, and therefore more privileges, than they should have. Pay particular attention to the Administrators group, since membership in it essentially allows a user to do anything they want to the system. The easiest way to approach this is to go through each group and review its membership. If an account has a membership it shouldn't have, remove the membership and flag the account for further evaluation.

You'll also need to review the access control lists (ACLs) for the system. This is probably best done with a tool such as SomarSoft's, which lets you capture all the ACLs from the system and output them in an easily readable format. You're looking for entries that grant more access than is appropriate. On the logging side of the evaluation, first review the existing logs for abnormal patterns of usage, excessive errors, or anything that just doesn't look right. Then turn logging up to its maximum level so that you can track further attempted attacks. This step may have performance implications and may require the log files to be enlarged, but that is a normal recourse when you've been hacked. If, however, the logging level is so high that you'll never be able to review all the logs, reduce it until the logs are manageable.
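As an added example (not from the article, and not the output format of the tool it mentions), the Python script below applies the two reviews just described to constructed snapshot exports: it flags group memberships that are absent from a baseline, and ACL entries that grant broad principals write-level rights. The CSV layout, the CORP\ domain and the account names are assumptions made for the example.

```python
"""Review exported group memberships and ACLs against a baseline.

Constructed example: the snapshot CSVs below stand in for an export from a
tool such as SomarSoft's; the layout is made up here, not the tool's real one.
"""
import csv
import io

# Constructed baseline: who should be in each local group.
EXPECTED_MEMBERS = {
    "Administrators": {"BUILTIN\\Administrator", "CORP\\ServerAdmins"},
    "Backup Operators": {"CORP\\BackupSvc"},
}

# Constructed current export, one "group,member" row per membership.
CURRENT_MEMBERSHIPS = """group,member
Administrators,BUILTIN\\Administrator
Administrators,CORP\\ServerAdmins
Administrators,CORP\\jsmith
Backup Operators,CORP\\BackupSvc
"""

# Constructed ACL export: path, trustee, rights granted.
CURRENT_ACLS = """path,trustee,rights
C:\\Windows\\System32,Everyone,Read
C:\\Windows\\System32,Everyone,FullControl
C:\\inetpub\\wwwroot,CORP\\WebAdmins,FullControl
C:\\inetpub\\wwwroot,Users,Write
"""

# Broad principals that should never hold write-level rights on system paths.
BROAD_PRINCIPALS = {"Everyone", "Users", "Authenticated Users"}
WRITE_RIGHTS = {"FullControl", "Modify", "Write"}


def unexpected_members(export, expected=EXPECTED_MEMBERS):
    """Return (group, member) pairs present now but absent from the baseline."""
    findings = []
    for row in csv.DictReader(io.StringIO(export)):
        if row["member"] not in expected.get(row["group"], set()):
            findings.append((row["group"], row["member"]))
    return findings


def over_permissive_aces(export):
    """Return ACL rows that grant broad principals write-level rights."""
    return [(r["path"], r["trustee"], r["rights"])
            for r in csv.DictReader(io.StringIO(export))
            if r["trustee"] in BROAD_PRINCIPALS and r["rights"] in WRITE_RIGHTS]
```

Each finding is a candidate for removal plus further evaluation of the account or path, as the text describes; the checks are deliberately conservative, so a clean run is not proof that nothing was changed.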

If you do find log entries that you aren't comfortable with, the system should be isolated until the source of those entries can be identified or until you can place the system under detailed observation. Logs can record both successful and failed access attempts, but most often auditing is configured to capture only the failures. It's quite possible that failure events will stop appearing in the log precisely because the hacker has gained access.

An important step is to verify that no Trojan horse programs are loaded and running on the systems. These are typically identified by antivirus programs, but they aren't always detected by every scan engine. If you want to check your systems with an alternative antivirus engine, try Trend Micro's online scanner.

Rebuild the compromised systems
After compromised systems have been discovered, your next challenge is to figure out what to do with them. You will have determined which systems are affected and reviewed security settings to ensure that the intruder hasn't created another opening. However, dealing with compromised systems is difficult because the best way to handle them is impractical for most environments.

Ideally, a compromised system would be rebuilt from scratch or restored from a backup made before the compromise happened. Rebuilding from scratch is exceedingly time consuming, and restoring has its own difficulty: it may not be possible to pinpoint the exact time of the compromise, so choosing which backup to use is guesswork. You must pick a backup you believe is clean and then re-evaluate the system after the restoration is done. If the compromise is still evident after the restore, you must use an even earlier backup.

Rebuilding compromised systems is painful but necessary to complete before the systems are returned to service. Because of the urgency and the pain of a proper restoration, many organisations choose to patch a system, close vulnerabilities, and either hope that the system has been cleaned or come back to the system later.
