Recovering from a System Compromise

What to do if you've been hacked
If you find you've been hacked, simply deleting the troajn horse or closing the open share is often not enough. Using the initial security breach as an entry point, an attacker could easily have created other backdoors into your system or even modified the actual operating system itself. Because of this there is only one real way to secure a system which has been compromised and that is to reinstall it from a known-good source. This document describes the steps involved in recovering a typical windows system from a security compromise.

Step 1 : Isolate the affected machine
You should disconnect any compromised machine from both the internet and any local network as soon as you realise it's been compromised. This helps limit the potential damage both to your own systems (remote attackers can no longer gain access) and to other systems on the internet (your machine cannot be used to attack others). It's important to physically disconnect the machine from the network. That's right, unplug the network cable or power off the modem. Cable and ADSL modems in particular often feature 'standby' buttons which claim to isolate the computer from the network - in several cases this is simply not true, even with the modem in standby mode the computer is still connected to the network.

At this point you should consider what other actions you need to take. Do you for example store bank or credit card details on your PC? If you do, you should inform the approritate organizations that your accounts may be compromised at once. Have you used your cerdit card number online recently? Again, if you have you should inform the credit card company that your number may have been compromised.

Any password or secure data stored or used on your PC should be assumed to have been compromised and changed at once. This includes ISP access passwords, FTP, email and website passwords as well as any other service you use which requires a secure login.

Step 2 : Find out how serious the problem is
If you only have one computer you can safely skip this section, those with home networks should read on.

A compromised machine on a network can lead to the compromise of all other machines connected to that network. The risk of this happening depends on a number of things, including :


 * The length of time the security breach has gone undetected. Be honest with yourself and assume the worst case scenario is true when evaluating this. When did you first suspect something might be wrong? When did you last scan your network for viruses and trojan horses? When did you last verify that your files hadn't been tampered with? The longer a compromised machine has been on a network the greater the chances of other machines on the network being affected are.


 * The type of network you run. If all machines on your network have unrestricted access to and from the compromised machine, the chances of a network-wide security breach increase dramatically. On the other hand, if you restrict access between machines either by using desktop firewall products or by means of username/password authentication the risk falls.


 * The presence (or abscence) of anti-virus and desktop firewall software. If each machine runs properly maintained, independant anti-virus and desktop firewall software the risk of a network-wide security breach falls sharply.


 * Can you verify the files installed on the PC's have not been tampered with? This can be done if you have a database of file signatures which you know predates the attack. See 'Attack Mitigation' for details on how this works. If you can verify that the system has not been tampered with in this way, it's reasonable to assume it's clean.

If you are in any doubt as to whether or not a machine has been compromised, assume it has and treat it accordingly. Remember, one compromised machine can easily re-infect all the others on the network.

Step 3 : Begin the cleanup
Locate the original software distribution disks for your operating system, any drivers you need for your system and any licence information you'll need during the installation. You will be performing a clean install on the affected machines, so you will loose any data stored on them unless you have backups. If you haven't got recent backups, follow the procedure below :


 * Start up the compromised machine without connecting to any network.
 * Copy any data files you wish to keep to floppy disks or cd-r media, if at all possible in non-executable form (eg. save word files as rich text since it can't contain macro viruses). DO NOT COPY PROGRAM FILES!
 * Lable this media clearly as potentially infected and store it safely.

You are now ready to begin rebuilding your machine. To be absolutely sure that your system does not remain compromised, follow the steps below before installing your operating system.


 * Restart your PC in DOS mode (NT/Win2k users should boot from the cd-rom or setup disks)
 * Use the FDISK command to delete all partitions on the disk (NT/2k users should follow the appropriate prompts in the setup program)
 * Power cycle your PC with the setup disk in the floppy drive or CD-Rom drive as appropriate (switch off, wait 10 seconds, switch on). This applies to all versions of windows including NT and win2k (power cycle after removing the partitions, don't worry about still being in the setup utility) and ensures that any memory-resident or boot sector virus is removed.
 * Reload your operating system & required drivers from the original disks.

At this point you'll have a working system with no software installed other than the operating system & drivers. Assuming you used only original media, the system will be free of any trojan horse or virus but may not be secure.

Step 4 : Secure your system and load additional software
You now need to obtain and apply the latest security patches for your operating system. Ideally you should download these from their source using another machine and apply them from disk. If that is not possible, connect your rebuilt system to the internet for the minimum period possible to obtain the patches you need. Apply them at once. ''You should be aware that this opens your system to potential compromise while you are downloading the patches so keep the connection as short as possible. Windows 98,ME and 2000 users can use the 'Windows Update' function to automatically update their systems.''

Once your system is updated, you can begin installing additional software. Be sure only to use software you know has not been tampered with, ideally from original distribution media. If necessary, download a fresh copy from the source and use that. Install software in a logical order, beginning with security-related products (anti-virus, firewall etc.).

Step 5 : Finishing off
Once you've installed and configured all your software you are ready to begin restoring the data from backups. Before doing so, you may wish to make an image copy of your system using a utility such as norton's ghost. This will allow you to quickly restore the machine to a known clean state in the event of future compromise. If you do this, store the image on non-volatile media such as CD-Rom. You may also wish to take a 'fingerprint' of the files installed on your machine to enable comparison in future. See 'Attack Mitigation' for details on this.

When you eventually restore the data, do so gradually especially if you copied the files from an infected machine. Virus scan each one first and discard any with unexpected macros.

That's it, your machine is now rebuilt and ready to reconnect to the network and the internet. It's been a lot of work but you now know for sure that your machine is virus-free and reasonably secure against attack in future.

Attack Mitigation
There are a number of steps you can take to limit the damage done by a system compromise. Not all apply to all systems and some require additional software but they can make you life considerably easier if you are unfortunate enough to be hacked.

File Signatures
Keeping a database of file signatures can help you pinpoint any files which change unexpectedly. This is often one of the first signs of a security breach. You can get free file signature checkers from a number of sources, we suggest WinTerrogate (all versions of windows, basic but effective) from http://winfingerprint.sourceforge.net or LANGuard File Integrity Checker (NT/2000 only, more advanced) from http://www.gfi.com/languard

Image Files
Taking an image of your disk regularly can dramatically reduce the amount of work involved in recovering from a security breach. The best known tool for doing this is Norton's GHOST although there are other options. You should keep two or three images files on non-volatile media and update them regularly.

Keep the data on a seperate partiton
Keeping your data on a seperate partition (ideally on a seperate disk) will reduce the amount of work needing done if you have to rebuild the system. It also makes backing up much easier and can improve overall system perfomance.

CERT - Steps for Recovering from a Unix or NT System Compromise
This is a technical document, aimed at those running networks in a business environment but much of the information applies to any system compromise situation.

(View)

CERT - Securing your Home Network
A less techinal guide to improving security on your home network. Especially valuable for those with Cable Modems or ADSL.

(View)

Other

 * WinTerrogate File Signature Checker
 * LANGuard File Integrity Checker
 * Norton Ghost