Recovering from a system compromise.
What to do if you've been hacked.
If you find you've been hacked, simply deleting the trojan horse or closing the open share is often not enough. Using the initial security breach as an entry point, an attacker could easily have created other backdoors into your system or even modified the operating system itself. Because of this there is only one real way to secure a system which has been compromised, and that is to reinstall it from a known-good source. This document describes the steps involved in recovering a typical Windows system from a security compromise.
Step 1: Isolate the affected machine.
You should disconnect any compromised machine from both the internet and any local network as soon as you realise it's been compromised. This helps limit the potential damage both to your own systems (remote attackers can no longer gain access) and to other systems on the internet (your machine cannot be used to attack others). It's important to physically disconnect the machine from the network. That's right, unplug the network cable or power off the modem. Cable and ADSL modems in particular often feature 'standby' buttons which claim to isolate the computer from the network. In several cases this is simply not true: even with the modem in standby mode the computer is still connected to the network.
At this point you should consider what other actions you need to take. Do you, for example, store bank or credit card details on your PC? If you do, you should inform the appropriate organisations at once that your accounts may be compromised. Have you used your credit card number online recently? Again, if you have, you should inform the credit card company that your number may have been compromised.
Any password or secure data stored or used on your PC should be assumed to have been compromised and changed at once. This includes ISP access passwords, FTP, email and website passwords, as well as any other service you use which requires a secure login.
Step 2: Find out how serious the problem is.
If you only have one computer you can safely skip this section; those with home networks should read on. A compromised machine on a network can lead to the compromise of all other machines connected to that network. The risk of this happening depends on a number of things, including:
If you are in any doubt as to whether or not a machine has been compromised, assume it has and treat it accordingly. Remember, one compromised machine can easily re-infect all the others on the network.
Step 3: Begin the cleanup.
Locate the original software distribution disks for your operating system, any drivers you need for your system and any licence information you'll need during the installation. You will be performing a clean install on the affected machines, so you will lose any data stored on them unless you have backups. If you haven't got recent backups, follow the procedure below:
- Start up the compromised machine without connecting to any network.
- Copy any data files you wish to keep to floppy disks or CD-R media, if at all possible in non-executable form (e.g. save Word files as Rich Text, since that format cannot carry macro viruses). DO NOT COPY PROGRAM FILES!
- Label this media clearly as potentially infected and store it safely.
You are now ready to begin rebuilding your machine. To be absolutely sure that your system does not remain compromised, follow the steps below before installing your operating system.
- Restart your PC in DOS mode (NT/Win2k users should boot from the CD-ROM or setup disks).
- Use the FDISK command to delete all partitions on the disk (NT/2k users should follow the appropriate prompts in the setup program).
- Power cycle your PC with the setup disk in the floppy drive or CD-ROM drive as appropriate (switch off, wait 10 seconds, switch on). This applies to all versions of Windows including NT and Win2k (power cycle after removing the partitions; don't worry about still being in the setup utility) and ensures that any memory-resident or boot sector virus is removed.
- Reload your operating system and required drivers from the original disks.
At this point you'll have a working system with no software installed other than the operating system and drivers. Assuming you used only original media, the system will be free of any trojan horse or virus, but it may not yet be secure.
Step 4: Secure your system and load additional software.
You now need to obtain and apply the latest security patches for your operating system. Ideally you should download these from their source using another machine and apply them from disk. If that is not possible, connect your rebuilt system to the internet for the minimum period possible to obtain the patches you need, and apply them at once. You should be aware that this opens your unpatched system to potential compromise while you are downloading the patches, so keep the connection as short as possible. Windows 98, ME and 2000 users can use the 'Windows Update' function to automatically update their systems.
Once your system is updated, you can begin installing additional software. Be sure only to use software you know has not been tampered with, ideally from original distribution media. If necessary, download a fresh copy from the source and use that. Install software in a logical order, beginning with security-related products (anti-virus, firewall etc.).
Step 5: Finishing off
Once you've installed and configured all your software you are ready to begin restoring the data from backups. Before doing so, you may wish to make an image copy of your system using a utility such as Norton's Ghost. This will allow you to quickly restore the machine to a known clean state in the event of future compromise. If you do this, store the image on non-volatile media such as CD-ROM. You may also wish to take a 'fingerprint' of the files installed on your machine to enable comparison in future. See 'Attack Mitigation' for details on this.
When you eventually restore the data, do so gradually, especially if you copied the files from an infected machine. Virus scan each file first and discard any with unexpected macros.
That's it, your machine is now rebuilt and ready to reconnect to the network and the internet. It's been a lot of work, but you now know for sure that your machine is virus-free and reasonably secure against attack in future.
Attack Mitigation
There are a number of steps you can take to limit the damage done by a system compromise. Not all apply to all systems and some require additional software, but they can make your life considerably easier if you are unfortunate enough to be hacked.
- File Signatures
Keeping a database of file signatures can help you pinpoint any files which change unexpectedly. This is often one of the first signs of a security breach. You can get free file signature checkers from a number of sources; we suggest WinTerrogate (all versions of Windows, basic but effective) from http://winfingerprint.sourceforge.net or LANGuard File Integrity Checker (NT/2000 only, more advanced) from http://www.gfi.com/languard
- Image Files
Taking an image of your disk regularly can dramatically reduce the amount of work involved in recovering from a security breach. The best known tool for doing this is Norton's GHOST, although there are other options. You should keep two or three image files on non-volatile media and update them regularly.
- Keep the data on a separate partition.
Keeping your data on a separate partition (ideally on a separate disk) will reduce the amount of work needed if you have to rebuild the system. It also makes backing up much easier and can improve overall system performance.
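The 'fingerprint' recommended in Step 5 and the file signature database described under 'File Signatures' above amount to the same thing: a stored list of file digests that a later scan is compared against. The following Python script is an added example, not one of the tools named on the page; it builds a baseline of SHA-256 digests for a directory tree, stores it as JSON (keep that copy on read-only media, as the page advises for disk images), and reports which files have been added, removed or modified since the baseline was taken. The demo() scenario and its files are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (as a relative POSIX path) to its digest."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline, current):
    """Report files added, removed or modified between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline, out_path):
    """Write the baseline as JSON; move this copy to read-only media afterwards."""
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def demo():
    """Constructed scenario: fingerprint a small tree, tamper with it, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "tool.exe").write_bytes(b"original program")
        (root / "config.ini").write_text("setting=1\n")
        save_baseline(build_baseline(root), Path(tmp) / "baseline.json")
        # Simulate the kind of unexpected changes the page says to watch for
        (root / "bin" / "tool.exe").write_bytes(b"original program + extra")
        (root / "bin" / "helper.dll").write_bytes(b"new file")
        (root / "config.ini").unlink()
        with open(Path(tmp) / "baseline.json") as f:
            stored = json.load(f)
        return compare(stored, build_baseline(root))
```

Run build_baseline() and save_baseline() right after the clean install in Step 5, and compare() against a fresh build_baseline() whenever you suspect a breach.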
Other References
CERT - Steps for Recovering from a Unix or NT System Compromise
This is a technical document, aimed at those running networks in a business environment, but much of the information applies to any system compromise situation.
CERT - Securing your Home Network
A less technical guide to improving security on your home network. Especially valuable for those with Cable Modems or ADSL.