
Help! I Think I’ve Been Hacked!!

Your computer starts to run a little weird. You notice the drive light blinking when you aren’t doing anything and the system seems a little slow. In the middle of writing an important document for work your system suddenly reboots for no reason. At first you may shrug it off, then you notice some weird program in your Startup group. There is a good chance your system has been hacked.

Had you been exposed to a massive dose of gamma radiation you might turn green and ripped with muscles bursting out of your clothes and set off destroying everything in your path until you find the perpetrators and make them pay. Since your average person can’t turn into The Incredible Hulk, we have to settle for getting angry and saying “help! I think I’ve been hacked!!”

Various emotions may overtake you but it is important to act quickly and decisively to stop any ongoing intrusions, determine the extent of the damage caused and secure and protect your system for the future.

Unfortunately, if you did not prepare in advance for such an incident, you are probably finding out much later than you should have, and you have next to nothing to go on in trying to determine what occurred: how did the intruder get in? When did the intruder get in? What changes have been made to the system?

When you first realize you may have been hacked you need to decide your course of action. Your initial reaction may be to disconnect your computer from the Internet or shut it down entirely to break the connection with the hacker. Depending on the situation this may be the way to go. However, you may find many more clues and gather more evidence by performing certain actions while the system is still live.

If the system in question contains sensitive or classified material that you feel might be in jeopardy or if you believe your computer might be infected with a virus or worm that is actively propagating (sending itself out) from your computer you probably need to go ahead and disconnect from the Internet at the very least.

There are six essential phases that make up incident response:

  • Prepare to detect and respond to incidents
  • Detect incident
  • Gather clues and evidence
  • Clean system and patch vulnerabilities
  • Recover lost data or files
  • Take lessons from incident and apply them to secure for future

    As I mentioned earlier, if you didn’t already do the first one (prepare to detect and respond to incidents) then you also probably didn’t detect the hacker until way after the initial intrusion. So, by the time you figure out the hard way that you have been hacked you are on phase 3 already. If you didn’t prepare, odds are also pretty good that you don’t perform regular backups of your system data, so phase 5 probably won’t work either.

    See how quickly this goes? Just by not properly preparing to detect and respond to incidents you have already cut the list down from six phases to three. When you get to phase 6 (take lessons from the incident and apply them to secure for the future), though, one of the primary lessons will be that you should have been better prepared, so hopefully that will change for your next incident.

    We’re not on phase 6 though; we’re still on phase 3: gather clues and evidence. One of the first things you should do is run netstat. Netstat is a utility that shows you the ports your computer is listening on and its current connections. If your hacker is sloppy you may even be able to find his source IP address using netstat. Keep in mind that the output is a snapshot of one moment, so run it more than once, and that the address you see may belong to another compromised machine being used as a relay rather than to the attacker himself.

    To use netstat you need to open a command prompt window and type “netstat” followed by the parameters you want to use. The available parameters are:

  • -a displays all connections and listening ports
  • -e displays Ethernet statistics
  • -n displays addresses and port numbers in numerical form
  • -o displays the owning process ID associated with each connection
  • -p proto shows connections for the protocol specified (TCP, UDP, etc.)
  • -r displays the routing table
  • -s displays statistics broken down by protocol
  • interval redisplays selected statistics at the assigned interval
    Using netstat can yield a ton of valuable information. You may be able to find open ports, connections to IP addresses or connections opened by processes that you are not aware of. For your evidence gathering purposes you will want to export the results to a text file that you can save and refer back to later. Typing “netstat -ano >c:\log.txt” will run netstat with the -a, -n and -o parameters and will save the results to a file called “log.txt” on your C drive; the -o column gives you the process ID of the program that owns each connection, which you can then match up in the Task Manager. You can change the drive and file name to anything you choose. Note the date and time you took the capture, and copy the file somewhere the intruder can’t reach (a floppy, CD or USB drive) rather than leaving your only copy on the compromised machine.

    Another action you can perform is to validate your users and their privileges. Check the list of users on the machine (“net user” at a command prompt) to make sure there haven’t been any new users created that you aren’t familiar with. Additionally, verify that the existing users have the appropriate permissions assigned; “net localgroup Administrators” shows you who is in the local Administrators group. The hacker may have taken one or many accounts and granted them administrative permissions.
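Once you have saved the netstat capture, most of the work is reading it. The script below is an added example for this article (not code from it or from any tool it mentions) that does that reading for you: it parses a saved “netstat -ano” file, puts a name on each PID from a saved “tasklist” capture (tasklist ships with Windows XP Professional and later; on other versions copy the PID and name columns from the Task Manager Processes tab), flags listeners you did not expect and established connections that leave your own network, and looks for process names one character away from a real system process. The two captures, the expected-listener set, the trusted network ranges and the list of system image names are all constructed assumptions to edit for your own machine.

```python
"""Triage a saved netstat capture: an added example for this article, not code
from it. It expects the text file the article tells you to save ("netstat -ano")
plus, to put a name on each PID, the output of "tasklist" (Windows XP
Professional and later). Both samples below are constructed, not real captures."""
import ipaddress
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_addr local_port remote_addr remote_port state pid")

# Constructed: one suspicious listener and one outbound connection, both owned
# by PID 1676, among normal Windows XP traffic.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       988
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       1676
  TCP    192.168.1.10:1043      203.0.113.7:6667       ESTABLISHED     1676
  TCP    192.168.1.10:1051      192.168.1.1:80         ESTABLISHED     2204
  UDP    0.0.0.0:500            *:*                                    1156
"""

# Constructed: "tasklist" output for the same machine.
SAMPLE_TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         236 K
svchost.exe                    988 Console                    0       4,912 K
lsass.exe                     1156 Console                    0       6,120 K
svch0st.exe                   1676 Console                    0       3,244 K
iexplore.exe                  2204 Console                    0      31,008 K
"""

# Assumptions to edit for your own machine: listeners you know you run, the
# networks you consider local, and the system image names worth imitating.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 500)}
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "127.0.0.0/8")]
KNOWN_SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


def split_endpoint(text):
    """'192.168.1.10:1043' -> ('192.168.1.10', 1043); '*:*' -> ('*', None)."""
    host, _, port = text.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """TCP/UDP rows of a "netstat -ano" capture as Conn records; other lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if parts[0] == "TCP" else ""   # UDP rows have no State column
        lh, lp = split_endpoint(parts[1])
        rh, rp = split_endpoint(parts[2])
        conns.append(Conn(parts[0], lh, lp, rh, rp, state, int(parts[-1])))
    return conns


def parse_tasklist(text):
    """PID -> image name; the header and ruler lines never match the pattern."""
    rows = (re.match(r"^(\S+)\s+(\d+)\s", ln) for ln in text.splitlines())
    return {int(m.group(2)): m.group(1) for m in rows if m}


def off_lan(addr):
    """True when a remote address lies outside every trusted network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:      # "*" on UDP rows
        return False
    return not any(ip in net for net in TRUSTED_NETS)


def triage(netstat_text, tasklist_text, expected=EXPECTED_LISTENERS):
    """Listeners you did not expect, and established connections leaving the LAN,
    each tagged with the owning PID and image name for the Task Manager check."""
    names = parse_tasklist(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        proc = names.get(c.pid, "?")
        listening = c.state == "LISTENING" or c.proto == "UDP"
        if listening and (c.proto, c.local_port) not in expected:
            findings.append(("unexpected_listener", c.proto, c.local_port, c.pid, proc))
        elif c.state == "ESTABLISHED" and off_lan(c.remote_addr):
            findings.append(("off_lan_connection", c.remote_addr, c.remote_port, c.pid, proc))
    return findings


def lookalike_names(names):
    """Image names exactly one character away from a well-known system process
    (svch0st.exe, 1sass.exe): the "named to look normal" trick the article warns about."""
    hits = []
    for pid, name in sorted(names.items()):
        for known in sorted(KNOWN_SYSTEM_NAMES):
            a, b = name.lower(), known
            if a != b and len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1:
                hits.append((pid, name, known))
    return hits
```

Feed your own files in with `triage(open("c:/log.txt").read(), open("c:/tasklist.txt").read())`. On the constructed sample it reports a listener on TCP 12345 and a connection to 203.0.113.7:6667, both owned by PID 1676, and `lookalike_names` points out that PID 1676 is “svch0st.exe”, not svchost.exe. A clean report is not proof of a clean machine: a rootkit that hooks the system can hide its sockets from netstat, which is one more reason the article’s advice to rebuild from scratch is the safe one.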

    On Windows systems you can also view the Task Manager or the Event Viewer for more clues. The Task Manager’s Applications tab shows you running applications, and you can check it for programs you don’t know about. Many hacker tools and utilities will not show up as an application, but may show up on the Processes tab. Click the Processes tab to see all running processes along with the user name each process runs as (and, if you turn on the PID column under View > Select Columns, the process ID you can match against your netstat -o output). Often the applications and processes are intentionally named to look like normal system files, so you need to look closely: a single swapped character, such as a zero in place of the letter o in svchost.exe, is enough to fool a quick glance.

    The Event Viewer most likely won’t offer much in the way of valuable evidence, because logging the sort of information you really want (successful and failed logons, access to files) would have required preparation (see Plan Ahead to Catch an Intruder). But it can’t hurt to look. By default there are three logs maintained on a Windows system: Application, Security and System. If you have certain services enabled like DNS or IIS, or use some third-party applications, you may have Event Viewer logs for those as well. Look through the logs for entries made at odd times when you know you weren’t using your computer, for runs of failed logon attempts, for services being installed or started that you don’t recognize, and for errors caused by programs you know you haven’t used. Before you start cleaning, save each log (right-click the log and choose Save Log File As) so that a copy of the evidence survives.
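The checks just described (entries at odd hours, bursts of failed logons, and a successful logon right after such a burst) are easy to run over a saved log. The script below is an added example, not code from the article, that scans a CSV export of the Security log. Its column layout follows the XP-era Event Viewer export (Type, Date, Time, Source, Category, Event, User, Computer); the rows are constructed, the 07:00 to 23:00 “active hours” window is an assumption to set to your own habits, and the logon event IDs are 528/529 on NT 4.0 through Windows 2003 and 4624/4625 on Vista and later.

```python
"""Scan an Event Viewer export for the clues the article lists: an added example,
not code from the article. It assumes you saved a log with "Save Log File As" in
CSV form; the column layout copies the XP-era export (Type, Date, Time, Source,
Category, Event, User, Computer) and every row below is constructed."""
import csv
import io
from datetime import datetime, timedelta

# Logon event IDs: 528/529 on NT 4.0 through Windows 2003, 4624/4625 on Vista and later.
SUCCESS_LOGON = {"528", "4624"}
FAILED_LOGON = {"529", "4625"}

# Constructed: three failed logons in four seconds at 2 AM, then a successful
# Administrator logon and a service start; daytime noise follows.
SAMPLE_EXPORT = """\
Type,Date,Time,Source,Category,Event,User,Computer
Failure Audit,3/12/2004,2:13:05 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,HOMEPC
Failure Audit,3/12/2004,2:13:07 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,HOMEPC
Failure Audit,3/12/2004,2:13:09 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,HOMEPC
Success Audit,3/12/2004,2:13:30 AM,Security,Logon/Logoff,528,HOMEPC\\Administrator,HOMEPC
Information,3/12/2004,2:14:02 AM,Service Control Manager,None,7035,NT AUTHORITY\\SYSTEM,HOMEPC
Information,3/12/2004,9:01:44 AM,Service Control Manager,None,7036,NT AUTHORITY\\SYSTEM,HOMEPC
Failure Audit,3/12/2004,7:30:11 PM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,HOMEPC
"""


def parse_export(text):
    """Rows of the CSV export as dicts with a real datetime, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append({"when": when, "type": row["Type"], "source": row["Source"],
                       "event": row["Event"], "user": row["User"]})
    return sorted(events, key=lambda e: e["when"])


def odd_hour_events(events, active_hours=(7, 23)):
    """Entries written while nobody should have been at the keyboard.
    The 07:00-23:00 window is an assumption; set it to your own habits."""
    start, end = active_hours
    return [e for e in events if not start <= e["when"].hour < end]


def failed_logon_bursts(events, window=timedelta(minutes=1), threshold=3):
    """Runs of failed logons packed into `window`: guessing, not a mistyped password.
    Returns (time of first failure, number of failures) per burst."""
    failures = [e["when"] for e in events if e["event"] in FAILED_LOGON]
    bursts, i = [], 0
    while i < len(failures):
        j = i
        while j + 1 < len(failures) and failures[j + 1] - failures[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((failures[i], j - i + 1))
        i = j + 1
    return bursts


def logons_after_bursts(events, bursts, grace=timedelta(minutes=5)):
    """A successful logon shortly after a burst of failures is the entry you
    most want to explain: it suggests the guessing worked."""
    return [(e["when"], e["user"])
            for start, _ in bursts
            for e in events
            if e["event"] in SUCCESS_LOGON and start <= e["when"] <= start + grace]


def report(text):
    """Everything above in one call: (odd-hour entry count, bursts, suspicious logons)."""
    events = parse_export(text)
    bursts = failed_logon_bursts(events)
    return len(odd_hour_events(events)), bursts, logons_after_bursts(events, bursts)
```

`report(open("security.csv").read())` on your own export gives you the three answers. On the constructed sample it counts five entries in the dead of night, one burst of three failures starting at 02:13:05, and an Administrator logon 25 seconds later, which is exactly the sequence the article says you want to find. Remember that the Security log only holds logon events if auditing was on before the intrusion; with the default XP settings the log will be empty and this script will confirm that it is.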

    OK. So you’ve scanned through the computer looking for the clues and evidence you need to try and figure out who hacked your system, when and how. Now it’s time to move on to phase 4 (clean system and patch vulnerabilities) and get your system back into non-hacked operational status.

    There are steps you can take and tools you can use to be relatively sure the system is cleaned and secure. However, the tools rely on knowledge of existing hacker tools and techniques. There is always the possibility that your hacker did something different that won’t be picked up, and you may miss a backdoor, Trojan or other trick that may allow him to infiltrate your system again. If you have backups of your critical data, your best bet is to completely format your hard drive, reinstall your entire system from scratch from the original media, and then patch and secure it before you reconnect it to the network.

    If you don’t have backups of your data or that sounds too extreme for your taste you need to do what you can to make sure the system is clean. If you have not previously unplugged the Internet connection now would be the time to do that, but, if the hacked computer is your only computer, you may need to download some of the tools and updates you will need before disconnecting. If your system is too damaged or you feel better disconnecting it from the Internet you will need to find a second computer to download the software you will need.

    To remove any viruses or worms you should install antivirus software and scan your system. Before starting you should get the latest virus definitions from your antivirus software vendor. New malicious code is discovered almost daily and most antivirus software vendors release updates at least weekly to include the new threats.

    Antivirus software can generally detect most Trojan programs on their way into your system, but may not be able to detect or remove one that is actively running on your system. You can use a tool like The Cleaner to detect and remove Trojan programs from your computer. Make sure you use a current version so that the database is as up to date as possible.

    I would also perform a scan using a spyware detecting program such as Ad Aware 6.0 or Spybot Search & Destroy (See Free Spyware Removal and Blocking Software). Many freeware and programs downloaded from the Internet may contain programs like these which monitor your actions and secretly report them back to some outside server via the Internet.

    If you discovered any errant user accounts or permissions you will want to remove those. Delete any users that you are sure should not exist on your system and set the permissions and group membership for each of the remaining users to what you believe it should be. Change the passwords on the accounts you keep, especially the administrative ones, since the intruder may well know the old ones.

    If you see other programs or processes from your evidence gathering efforts with the Task Manager that have not been eradicated, you can manually remove them. Before you touch anything, write down the full path, size and date of each file so your evidence survives the cleanup. I would recommend you start by renaming the program file or simply moving it to another location in case it really is needed by your system and just looks weird to you. For processes, disable the ability for the process to start (remove it from your Startup group or from the Services list). These interim steps give you an opportunity to try running your system to make sure these files aren’t necessary. If it turns out they aren’t, you can permanently remove them later.

    After all of this is completed and you have rebooted the computer you should run netstat again to determine what ports are open on your computer and close the unnecessary ones. To get an idea of what ports are commonly used for what you can refer to this list: TCP / UDP Ports. Or, to see specifically what ports are used by known Trojans, you can look here: Trojan List Sorted on Port. Compare this second capture against the one you saved earlier; a port that has closed tells you the cleanup worked, and one that is still open after a reboot tells you something is still starting up.

    If you do have a backup of your system data but did not want to completely rebuild your system from scratch, you can still restore your system data at this time. However, depending on how frequently you back up your data and how long the hacker has been in your system, the data on your backup may be corrupted as well. Make sure that any files you restore are also scanned for viruses and Trojans.

    Now you are ready to move on to phase 6: take lessons from the incident and apply them to secure for the future. The primary lesson would be to secure your system better in the first place. The secondary lesson is to set up some monitoring that can alert you when intrusions occur, or at least give you some log information to refer back to once you detect an intrusion.

    If you were not already running antivirus software, you should get one installed immediately. You can look at the Free Antivirus & Virus Removal Software on this site or purchase a commercial product such as McAfee Virus Scan or Norton Antivirus.

    As important as installing the antivirus software in the first place, it is imperative that you keep it updated. New malicious code threats are discovered just about every day. If you don’t update your antivirus software weekly you will be exposed to any new threats that have come out since you last updated.

    You also need to keep your system patched. For Microsoft Windows machines you can enable the Automatic Updates feature, which will notify you when new critical patches are available for your system. No matter what operating system or application you use, you should frequent the vendor’s web site and join any alert mailing lists available from the vendor to make sure you are aware when new vulnerabilities are discovered or new patches released. You can also subscribe to general vulnerability mailing lists such as Bugtraq.

    One more level of defense I would recommend is a firewall. Hardware firewalls such as the ones found in DSL / cable routers are good for filtering incoming traffic, but a software firewall such as ZoneAlarm installed on your computer adds something the router cannot: control over traffic leaving your machine. Personal firewall software (see Top Picks) will not only block unauthorized incoming traffic, but will also stop unauthorized outbound traffic. This is helpful because if you do open a malicious email attachment or something not detected by your antivirus software and a worm or Trojan tries to establish a connection, it will be blocked and hopefully you will be notified. Run both if you can; they catch different things. Many offer additional security features you may find useful as well.

    That should about cover you in terms of securing yourself against future hacker intrusions. But, in case the unthinkable happens again there are steps you should take to prepare to handle it better. First, turn on auditing where you can. By monitoring and logging access to files or failed logon attempts you can maintain a record which may help you determine when you were hacked or what files may have been tampered with. See Plan Ahead to Catch an Intruder for more information on security auditing and logs.

    You should also back up your important or critical data regularly. This makes good sense for more reasons than I can name. You never know when your hard drive could just die or you may even accidentally wipe out a directory. You should set up a schedule to back up regularly that works for you: daily, weekly or whatever. You should also maintain more than one backup if possible. In other words, if you are backing up weekly, keep two or three weeks’ worth of backups before you copy over or dispose of the oldest one. That way if you happen to lose one or it is corrupt for some reason you still have another backup to fall back on. Every so often, actually restore a file or two from a backup to prove that it can be read; a backup you have never tested is a hope rather than a plan.

    One final tool you may want to employ to catch future intrusions or intrusion attempts is an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS). There are different ways of performing intrusion detection or prevention and I don’t have the space here to go into detail. The bottom line is that these tools are designed to detect when suspicious behavior is occurring on your network and respond in some way- alerting you or blocking the alleged attack or some other response.

    If you want to ensure file integrity you can install a program like Tripwire. Tripwire takes a snapshot of your files (a checksum and the attributes of each one) and compares the files against that known-good baseline to verify their integrity. It can provide you with logs detailing which files changed, when, and which attributes (size, owner, permissions, checksum) differ. Using a program like Tripwire will quickly alert you if a malicious intruder modifies any of your system files or data, and knowing exactly which files changed tells you what to restore from a known-good backup. Two caveats: take the baseline on a freshly built, clean system, not on one you already suspect, and keep the baseline database somewhere the intruder can’t alter it, such as read-only media.
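The two ideas above, keeping several dated backup sets and pruning the oldest (from the backup paragraph) and comparing files against a known-good baseline of checksums (the Tripwire idea), fit together in one small runnable example. The script below is added here and is not Tripwire’s code or any backup product’s; the directory names, set labels and file contents are constructed, and it uses SHA-256 as the checksum, which is my assumption rather than what any particular tool uses. It goes a little beyond the text in one respect: the same manifest that catches a tampered system file also catches a corrupted backup set before you restore from it.

```python
"""A small integrity-checked backup store: an added example, not code from the
article or from Tripwire or Backup For One. Keeps dated backup sets with a SHA-256
manifest, prunes the oldest, verifies a set before restore, and reports
added/removed/modified files against a baseline the way Tripwire does."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"          # written inside each backup set


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_hashes(root):
    """Relative path -> SHA-256 for every file under root: a Tripwire-style baseline."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST}


def compare(baseline, current):
    """What changed since the baseline: the report that tells you what to restore."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def make_backup(source, store, label):
    """Copy source into store/label and record a manifest of the copied files."""
    dest = Path(store) / label
    shutil.copytree(source, dest)
    (dest / MANIFEST).write_text(json.dumps(snapshot_hashes(dest), indent=1))
    return dest


def verify_backup(dest):
    """Re-hash a set against its manifest; anything reported means don't trust the restore."""
    dest = Path(dest)
    return compare(json.loads((dest / MANIFEST).read_text()), snapshot_hashes(dest))


def prune(store, keep=3):
    """Delete all but the `keep` newest sets; labels like 2004-03-12 sort chronologically."""
    sets = sorted(p for p in Path(store).iterdir() if p.is_dir())
    for old in sets[:-keep]:
        shutil.rmtree(old)
    return [p.name for p in sets[-keep:]]


def demo():
    """Walk the whole cycle on constructed files and return the reports a practitioner checks."""
    with tempfile.TemporaryDirectory() as tmp:
        src, store = Path(tmp) / "data", Path(tmp) / "backups"
        (src / "docs").mkdir(parents=True)
        store.mkdir()
        (src / "a.txt").write_text("quarterly report v1")
        (src / "docs" / "b.txt").write_text("notes")
        labels = ["2004-03-01", "2004-03-08", "2004-03-15", "2004-03-22"]   # four weekly sets
        for label in labels:
            make_backup(src, store, label)
        baseline = snapshot_hashes(src)                 # taken while the system is clean
        # Simulated intruder: edits one file and drops a new one on the live system.
        (src / "a.txt").write_text("quarterly report v1 + backdoor")
        (src / "evil.exe").write_bytes(b"MZ")
        host_report = compare(baseline, snapshot_hashes(src))
        # Simulated corruption of the newest backup set (bit rot, or the intruder again).
        (store / labels[-1] / "docs" / "b.txt").write_text("garbage")
        newest = verify_backup(store / labels[-1])
        previous = verify_backup(store / labels[-2])
        remaining = prune(store, keep=3)                # two-to-three weeks of history kept
        return {"host": host_report, "newest": newest, "previous": previous, "remaining": remaining}
```

`demo()` shows the three reports side by side: the live system has a modified a.txt and a new evil.exe, the newest backup set fails verification on docs/b.txt while the previous week’s set is intact (so that is the one to restore from), and pruning to three sets drops only 2004-03-01. For real use, write the manifest, or the whole baseline, to a CD or other read-only media, since a baseline the intruder can rewrite proves nothing.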

    That’s all there is to it. It is unfortunate that you were hacked, but following the standard phases of incident response you were able to recover and get your system fully operational in a reasonable timeframe. So, quit wishing for an overdose of gamma radiation to hit you so you can morph into a raging green creature and exact your revenge on the perpetrators. Instead, focus on getting the right tools installed and configured to protect your system and prepare to detect and recover from your next intrusion even quicker.

    Backup For Workgroups v2.0

    Rating four

    The Bottom Line

    If you are in need of a relatively inexpensive, yet fast and reliable backup program for your network you should take a look at Backup For Workgroups. BFW will automatically backup data from all of your workstations and servers to one central location. After the initial backup it performs incremental backups of only the data that is new or changed in order to speed up the backup process. BFW is easy to configure, it is fast and it is reliable.
    Pros
    • Easy automatic scheduled backups for your whole network
    • Backup data is encrypted to protect it from unauthorized access
    • Incremental backups are fast with less impact on the network
    Cons
    • None

    Description

    • Version 2.0 works to backup Active Directory and Exchange servers
    • Fast and reliable backups. Automated backups are easy to configure and schedule
    • Create a mirror of the data repository for added safety to ensure your data is available
    • Files that are common to multiple workstations are only backed up once to conserve space
    • Generate a custom report to walk step-by-step through a complete restore on a bare computer system
    • Automatically turns off programs such as Outlook so that the PST data file can be backed up

    Guide Review – Product Review: Backup For Workgroups

    Late last year I reviewed a product from Lockstep Systems called Backup For One. Backup For One is an excellent program: easy to configure and perform automated backups of your data. It had one significant drawback though: it is “For One”. Fortunately for those looking for a network solution rather than a single computer backup solution, Lockstep also offers Backup For Workgroups. With the recent release of Version 2.0 this program has added functionality that makes it ideal for many small to medium sized networks.

    After setting up the data repository and installing agents on the workstations, it is simple to create customized backup sets and schedule automated backups. BFW can be set to automatically shut down programs like Outlook so that the PST file can be backed up, and then restart them when the backup is complete.

    I configured BFW to automatically email me a report after each backup so that I would have a record that the backup completed successfully. The report also lists any files that may have been skipped due to being in use or locked by another process so you can make sure that all of your data is backed up. I also set up a data repository mirror on a separate hard drive for increased safety.

    The program isn’t cheap, but it’s not as expensive as some others and is worth the price if you need an easy and reliable network backup program. You can download a 30-day trial version from Lockstep’s web site.

    I recommend this program for a network backup solution.

    Backup For One

    What Is It?: Backup For One from Lockstep Software is a Windows program that allows you to easily automate backup and restoration of your critical computer data.
    Why Use Backup For One?: Backup For One is flexible and easy to use. You can back up your entire computer with one click or you can create custom sets of files and folders that you would like backed up. Backup For One can be scheduled to automatically back up at specified intervals, and it allows you to back up to various media including external USB or FireWire hard drives.
    What Are The System Requirements?: You can install Backup for One on any computer running:

  • Windows XP
  • Windows 2003
  • Windows 98
  • Windows 2000
  • Windows ME
  • Windows NT 4.0
  • Windows 95

    You will need approximately 5 MB of disk space to install Backup for One.

    You will need a storage device for your backup data. Backup for One stores your data on any external USB or Firewire hard drive device.

    Features of Backup For One:

  • Automated, disk-based, backup for your Windows computer
  • Flexible scheduling and automatic email reports
  • Automatically closes Outlook or Outlook Express to enable backup of those files and restarts it when the backup is completed
  • One-button backup and one-button restore
  • Custom disaster recovery plan offers step-by-step instructions for rebuilding your system after a crash or other catastrophe

    Snapshot of Backup For One: Backups are a necessary part of any disaster recovery plan. Whether through malicious code such as a virus or trojan, hardware failure such as a hard drive crash or physical disaster such as a fire or flood, there may come a time when those backups you’ve made regularly will come in handy. That is, unless you are among the vast majority of people who don’t think about backing up their data until it’s too late. Not only is it prudent to back up all of your critical data files and important personal data from your computer, but it’s important that you store it separately from the computer itself. Your backup won’t do you much good if it becomes a pile of molten plastic in a house fire right next to your computer.

    Traditionally, backup software has relied on tape-based systems. Tape drives offered a large amount of space at a relatively cheap price so that users could back up their entire computer if they wanted to onto one tape. Now that hard drives are dirt cheap it just makes sense to use that as your primary media rather than tape.

    Backup For One allows you to backup your data easily onto disk-based media, including external USB or firewire drives. You can backup your entire system at the push of a button or you can create custom sets of files and folders. Backup For One allows you to set virtually any schedule you like for automatically performing the backups and you can also configure it to automatically email you a status report once the backup is completed.

    I found the software easy to use and easy to configure. Under the preferences you can define how long you want your backup media to be stored, what types of system messages should be written to the log, the email address to receive automated reports or how to encrypt the stored data. The user interface is very clean and user-friendly.

    Windows has built-in backup functionality, but it is not as easy or flexible as this program. Backup For One can help you ensure your data is there for you when you need it.

    Backup and Restore Data in Windows Vista

    Windows Vista Backup Center

    1-BackupCenter

    Microsoft has included some type of data backup functionality in Windows for years. However, the latest flagship operating system, Windows Vista, has a much improved backup and restore utility.

    In Windows Vista, Microsoft has provided more capabilities and automation and wrapped it up in a more intuitive GUI to help novice users backup the data that should be backed up without having to become disaster recovery or data backup experts.

    To open the Backup and Restore Center, follow these steps:

    1. Click the Start icon at the lower left of the display
    2. Select Control Panel
    3. Choose Backup and Restore Center

    Complete PC Backup

    2-CompleteBackup

    If you select Backup Computer from the right pane, you will see the console displayed here (you will also receive a UAC (User Account Control) warning). Select the location that you want to backup to- usually either an external USB hard drive or a CD / DVD recorder, and click Next. Confirm your selection and click Start Backup to backup the entire contents of your PC.

    Configuring Backup Options

    3-BackupConfig

    If you choose Backup Files, Vista will walk you through choosing a destination to backup to (again, this is typically an external USB hard drive or a CD / DVD recorder), and then choosing the drives, folders, or files that you want to include in your backup. Note: If you have already configured Backup Files, clicking on the Backup Files button will instantly initiate a backup. To modify the configuration, you instead need to click on the Change Settings link below the Backup Files button.

    Backup FAQ

    4-BackupFAQ

    Throughout the process of configuring and initiating a backup or restore, you will see questions and phrases that are links you can click on. These links take you to the FAQ (Frequently Asked Questions) and are very helpful for explaining various terms and topics.

    For example, under the Restore heading, it explains that “You can use shadow copies to restore previous versions of files that have been accidentally modified or deleted.” That sounds great…I think. It begs the question “what is a shadow copy?”

    Thankfully, Microsoft already realized the question was begged. Immediately following the explanation sentence, you will find the question “what are shadow copies?” which links to the FAQ to give you an explanation.

    This type of assistance and explanation is always a click away throughout the Backup and Restore Center.

    Select File Types

    5-BackupFiles

    Once you select the location to back up to and the drives you want to back up, you will be prompted to choose the types of files you want to back up.

    Rather than expecting you to know all of the different file extensions and file types, or be technical enough to understand exactly which files to back up, Microsoft has made it simple by providing checkboxes for categories of files.

    For example, you don’t need to know that a graphic image could potentially be a JPG, JPEG, GIF, BMP, PNG, or other file type. You can simply check the box labeled Pictures and the Backup and Restore Center will take care of the rest.

    Set Backup Schedule

    6-BackupSchedule

    You could just manually back up your files whenever you happen to remember to, but that more or less negates the effectiveness and efficiency of this utility. The whole point is to automate the process so your data will be protected without you having to be involved any more than necessary.

    You can choose to back up your data Daily, Weekly or Monthly. If you choose Daily, the “What Day” box becomes grayed out. However, if you choose Weekly, you will need to select what day of the week, and if you choose Monthly, you will need to select what date of each month you would like the back up performed.

    The last option is to choose a time. If you turn your computer off, then you will need to schedule the backup to run at some point while the computer is on. However, using the computer during the backup may make it impossible to back up some files, and the process of backing up will eat system resources and make your system run slower.

    If you leave your computer on 24/7, it makes more sense to schedule the backup while you are sleeping. If you set it for 2am or 3am, it will be late enough that it won’t interfere if you happen to be up late, and early enough to make sure the backup is complete if you happen to get up early.

    Restoring Data

    7-RestoreCenter

    If you click on Restore Files, you are offered two choices: Advanced Restore or Restore Files. The Restore Files option allows you to restore your files that were backed up on the computer you are currently using. If you want to restore data that was backed up on a different computer, or restore data for all users rather than just yourself, you must select the Advanced Restore option.

    Advanced Restore Options

    8-RestoreType

    If you select Advanced Restore, the next step is to let Vista know what type of data you wish to restore. There are 3 options:

    • Files from the latest backup made on this computer
    • Files from an older backup made on this computer
    • Files from a backup made on a different computer

    Select a Backup

    9-RestoreSet

    Regardless of the options you choose, at some point you will be presented with a screen that looks like the image shown here. There will be a list of the available backups and you must select which backup you want to restore from.

    If you wrote a term paper 4 days ago that you accidentally deleted, you obviously would not choose a backup from a month ago since the term paper did not yet exist.

    Conversely, if you are having problems with a file or accidentally altered a file that has been on your system for some time, but you aren’t sure when it got corrupted, you can choose a backup from farther back to try to ensure you go back far enough to get the functional file you are looking for.

    Select Data to Restore

    10-RestoreFiles

    Once you have selected the backup set to use, you need to choose the data you want restored. At the top of this screen, you can simply check the box to Restore everything in this backup. But, if there are specific files or data you are looking for, you can use the Add Files or Add Folders buttons to add them to the restore.

    If you are looking for a file, but you are not sure exactly what drive or folder it is stored in, you can click on Search to use the search function to locate it.

    Once you have selected all of the data you wish to restore from this backup set, click Next to initiate the data restoration and go get yourself a cup of coffee. Soon that investment account information you accidentally deleted, or the important PowerPoint presentation your kid “modified” will be back safe and sound just like you remember it.

    Backup Your Files with Office Live Workspace

    Microsoft provides a free online file sharing service called Office Live Workspace. Office Live Workspace lets you store and manage files from Microsoft Office programs like Word, Excel, and PowerPoint. You can also synchronize contact, task, and event lists with Microsoft Outlook.

    Microsoft gives each user 5 GB of free space to store data online. There are a couple of advantages to this. First, you can access the data from anywhere with Web access. Rather than carrying sensitive data on USB flash drives when you travel, you can store the data online and access it from your destination. Second, you can share the data with others and use it as a file transfer or collaboration tool.

    Office Live Workspace can also represent a form of off-site backup. Granted, 5 GB is not an unlimited amount of storage, and you will still need a more complete backup solution as well. But one of the weaknesses of backing up data locally is that a disaster such as a fire or flood can take out your data and your backup at the same time. With Office Live Workspace you can at least take your most important 5 GB of data and store it online where it will survive even when your data and your local backup are destroyed. Bear in mind that data stored with a provider is only as protected as your account password and the provider’s own security, so choose a strong password and think twice before uploading anything you would not want to leave in a third party’s hands.

    Backing Up Data in Vista

    Back up your data!!! With more consumers relying solely on digital cameras to capture life’s moments, entire photographic and video histories are stored on computer hard drives. If you don’t back up your data, it could all be gone in the blink of a nanosecond. The latest trend in security suites is to include some type of maintenance and backup functionality, and Windows has included at least a rudimentary backup function for a while. Symantec takes it one step farther than the competition, providing