I’ve been hacked — I think….

I'm an IT administrator with a little over 500 end users, running Windows 2000 and XP. One of our users is experiencing a problem with her Internet connection suddenly dropping for no apparent reason. When she restarts her computer, everything works fine for a while, but then the connection drops again. The funny thing is, she's noticed that her AOL Instant Messenger service still works even when she can't access her e-mail. We've already run Netstat and noticed that more unknown open connections are being used to certain ports. This particular user has a laptop and works from home frequently, so we're not sure all updates have been installed. Has her computer been hacked? If so, what can I do initially to contain the damage, and what steps can I take to prevent such occurrences in the future?

Answer Wiki


You have not said whether you have run any spyware software. If you have not, then download the MS AntiSpyware beta or Spybot and check to see if there has been any spyware/trojans left on your user's machine; then at least you know from a spyware point of view that the machine is clean.

Rgds

Discuss This Question: 7  Replies

 
  • DrillO
    Good morning.... The best you can do is install anti-spyware as suggested and start your cleanup there. There are many other places to go, but that would be a start. The largest part of all of this is prevention. The standard setup for machines attaching to the network should be a good antivirus solution and a good anti-spyware solution. Yes, I know that you cannot beat everything, but you must exercise caution. It is also important to manage and maintain updates. If this is a personal machine, then you should insist that these things are taken care of if they want to plug in to your network. If it is a corporate or company-owned machine, then you must be sure that the machine is surrendered regularly for maintenance. Good luck. Paul
  • Jpagel
    My personal suggestion would be for you to go get the Microsoft AntiSpyware from www.microsoft.com; in another 100 or so days they will have a full-blown version that Microsoft is giving out for free to all their customers. I would also go download from www.downloads.com Ad-Aware, Spybot Search & Destroy, and SpywareBlaster. Make sure you update all of them before running. If there is an antivirus on the machine, I would make sure it is up to date, and run a full system scan on it in safe mode with System Restore turned off (along with all your other anti-spyware scans), because viruses and spyware have a tendency to keep themselves in the System Volume Information & System Restore, thus allowing them to come back easily due to the fact that a lot of scans do not scan there by default because System Restore basically "locks" the folder. If you do not have an antivirus, I would suggest Computer Associates EZArmor; it is their AV/firewall combo. It is a very "lite" program as far as not using much memory and space (compared to using Norton or McAfee), there are updates out for the AV every day, and if there is a new version out you have full access to download and install it (for the first year). Also, the firewall is very easily configurable and the whole suite is very easy to use. Make sure that your Windows operating system is up to date; if the machine is XP, make sure SP2 is installed. All this can be accessed from www.windowsupdate.com. I doubt you have been hacked; make sure you check your 'hosts' files on your machine, but most likely the dropping off of the network is due to spyware/virus... Thank you, please post back results and further questions and information.
  • Marcjacquard
    First of all, until you know what the issue is, do not allow this machine to plug into the corporate network. You have no idea what is running and what the damage could be. Second, you need to decide if you are going to spend the time necessary to debug and fix the machine or just rebuild it and start over. Once you have fixed the machine, install A/V, anti-spyware, and a good desktop firewall. Anything not from Computer Associates is a good choice. Reviews on security products indicate they score the lowest on almost all points. Also, AOL messenger has the potential for bringing things into the network. You should rethink the use of this product on company owned equipment.
  • Jpagel
    As far as AV, CA is my personal suggestion. I use them at work and home and have found viruses on machines that had Norton and McAfee that they wouldn't find. There are pros to them as far as virus detection, and cons, in the aspect of their phone tech support blows chunks because they charge, but I have emailed them before with an issue w/ their EZArmor and they replied that day with a fix that worked, free of charge; also they have to quarantine folder... They have some low reviews as far as tech support and quarantine, but their virus detection in my eyes is wonderful and has been reviewed to be very good. The only other suggestion that I could see as being used would be Trend Micro. I personally would not suggest Norton & McAfee, they are wayyy overrated. Panda is an excellent product, but quite expensive...
  • TedRizzi
    First off, update the patches. Second, install anti-spyware, antivirus and a firewall. I would recommend PestPatrol and CA's EZArmor. Those steps should clean and lock down the system. You may need to do a repair install in IE, or even remove it and re-install it. There is no telling what damage has already been done.
  • Bobkberg
    Good replies all - although the suggestion above about "anything not from CA" is a little wide-open... :-) To take another tack though, go to foundstone.com (or whoever owns them this week), and look for their free tools. Get one called Vision - this is a GUI app that will not only show you the open ports like netstat does, it will show you what program opened them. This is often helpful in doing forensics. As long as you're there, download the entire toolkit - lots of useful things there. Bob
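The port-to-program mapping described in the reply above can also be approximated with commands built into Windows XP Professional: `netstat -ano` prints the owning PID of each socket and `tasklist /fo csv /nh` prints the process list. The following is an added example, not part of the original thread; the sample outputs, the process name `msupd32.exe` and the `EXPECTED` baseline are constructed assumptions.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (documentation-range addresses).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.1.20:1045      203.0.113.7:5190       ESTABLISHED     1820
  TCP    192.168.1.20:1061      198.51.100.23:6667     ESTABLISHED     2404
  UDP    0.0.0.0:1900           *:*                                    1104
"""

# Constructed sample of `tasklist /fo csv /nh` output; msupd32.exe is made up.
TASKLIST_SAMPLE = '''
"svchost.exe","932","Console","0","3,812 K"
"aim.exe","1820","Console","0","9,120 K"
"msupd32.exe","2404","Console","0","2,044 K"
"svchost.exe","1104","Console","0","4,500 K"
'''

# Hypothetical baseline: image names expected to own sockets on this build.
EXPECTED = {"svchost.exe", "aim.exe"}

def parse_tasklist(text):
    """Map PID -> image name from the CSV process list."""
    rows = csv.reader(io.StringIO(text.strip()))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2 and r[1].isdigit()}

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid); UDP rows carry no state."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[4].isdigit():
            yield parts[0], parts[1], parts[2], parts[3], int(parts[4])
        elif len(parts) == 4 and parts[0] == "UDP" and parts[3].isdigit():
            yield parts[0], parts[1], parts[2], "", int(parts[3])

def attribute(netstat_text, tasklist_text, expected=EXPECTED):
    """Join each socket to its owning process; flag owners not in the baseline."""
    procs = parse_tasklist(tasklist_text)
    report = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        image = procs.get(pid, "<exited or hidden>")
        report.append({"proto": proto, "local": local, "remote": remote,
                       "state": state, "pid": pid, "image": image,
                       "unexpected": image.lower() not in expected})
    return report

if __name__ == "__main__":
    for r in attribute(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        flag = "REVIEW" if r["unexpected"] else "ok"
        print(f'{flag:6} {r["proto"]} {r["local"]:21} {r["remote"]:21} {r["pid"]:5} {r["image"]}')
```

A PID that appears in the netstat output but not in the process list is reported as `<exited or hidden>` and flagged for review as well.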
  • JOHNxxJOHN
    First, messengers are things that if you don't use them you should get rid of them, cuz hackers will use them to send viruses and other worms to get into the computer. They do it by cramming packets into open ports, and any messenger allows and has to have a port open for it. You should close the port and delete the messenger and then do virus and spyware scans while disconnected from the internet, cuz if you're connected to the internet he might be watching you do it and make sure it doesn't work right.
