How do I know when I’ve been hacked?
First, let’s define “being hacked”. A hack is when someone unauthorized gains access to your system. The malicious intent of this someone can vary from a student pulling a prank to a hacker trying to find and steal your most valuable data. The most common hack is somewhere in between, when a malicious hacker accesses your system but has little regard for who you are or what data you store. They just want to use your system to further their attacks, such as spam or scams.
In short, you know you’ve been hacked when your system does something it shouldn’t. Hacked email accounts or servers will send out thousands of spam messages at once. Other servers and networking devices can be used in a wide variety of ways depending on what they do. For whatever you have, it is best to ask your IT professional how it should and shouldn’t run. Desktop and laptop computers rarely get hacked in this sense, but rather get infected. The difference is that a hacker does not connect to your desktop or laptop; rather, a virus simply sends any information back home.
Hacked websites and webservers can be used in so many ways, it could be an entire article! For one, they may redirect users to other, malicious sites or host viruses. They may appear to work normally, but capture user data as it’s entered. They may also look normal, but include hundreds of thousands of hidden links. This is not intended for the viewer, but is a type of black hat SEO, done just for Google. The core website may not even be touched, but a separate series of pages may be uploaded on your domain that are used for phishing and scams. If the webserver is connected to a mail server, the hacker may just use it like a hacked mail server. In the worst case, a hacker will try to steal data from your database. This last one is not only the most destructive, it is the toughest to spot.
Getting the hacker out of your system
If your system looks like it’s been hacked, your first priority is to stop the attack. The most obvious way to do this is also the most effective: simply disconnect the system! However, sometimes this is not a good option. If it is critical that you keep your system online, then you must continue with the next steps extremely quickly.
Now, you must determine how the hacker was or is accessing your system. Again, this will vary by type of system, but a few general guidelines will go a long way. First, look for malware. Malware can create an easy backdoor for attackers to go through. On Linux servers, web servers, and websites, we recommend ClamAV. It works on Linux and Windows, is open source, and in addition to finding malware it finds a good percentage of malicious web files. Windows has the largest range of malware, and sometimes takes multiple tools to clean.
After looking at malware, you can check the logs for account usage. If possible, coordinate with authorized users and try to determine if an account was being used without the user’s knowledge. Also look for anything out of the ordinary, such as excessive uploads, emails, etc. If a user account was compromised, you need to reset that user’s password. Also, following a hack, it is best to reset all associated administrators’ passwords.
Forensics: Finding the vector
After getting the hacker out of your system, you need to figure out how they got in. This is much more critical than it may sound, since the attacker may regain access to your system very quickly in the same way. The best place to look will always be the log files. Try to answer the following questions:
- When was the first time the hacker accessed the system?
- How or where did the attacker first access the system?
- In this first connection, how was the hacker authenticated?
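As an added example (not part of the original article), here is one way to answer those three questions, and the account-usage check from the section above, from SSH authentication logs. It assumes syslog-style sshd lines; the log sample below is constructed for illustration and the year is supplied because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd entries in syslog format (not real log data).
SAMPLE_LOG = """\
Jan 10 03:12:01 web1 sshd[2201]: Failed password for admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:03 web1 sshd[2201]: Failed password for admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:06 web1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Jan 10 03:12:09 web1 sshd[2205]: Accepted password for admin from 203.0.113.5 port 51244 ssh2
Jan 10 09:30:15 web1 sshd[2410]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Jan 11 02:45:00 web1 sshd[3001]: Accepted password for admin from 203.0.113.5 port 51300 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(line, year=2024):
    """Return a dict for one sshd auth line, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S")
    return d

def first_logins(log_text):
    """For each account, report the first successful login: when it happened,
    where it came from, how it was authenticated, and how many failed attempts
    from that same source preceded it (a run of failures before a success
    suggests a guessed password rather than a legitimate user)."""
    failures = defaultdict(int)   # (user, ip) -> failed attempts seen so far
    first = {}
    for line in log_text.splitlines():
        e = parse(line)
        if e is None:
            continue
        key = (e["user"], e["ip"])
        if e["result"] == "Failed":
            failures[key] += 1
        elif e["user"] not in first:   # keep only the earliest success per account
            first[e["user"]] = {"when": e["ts"], "source": e["ip"],
                                "method": e["method"], "failures_before": failures[key]}
    return first

if __name__ == "__main__":
    for user, info in first_logins(SAMPLE_LOG).items():
        print(user, info)
```

Accounts whose first success follows a burst of failures, or whose source or method does not match what the user reports, are the ones to confirm with that user and reset.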
Look for important updates and known exploits to your current software version. Especially if the answer to how the hacker was authenticated is unclear, old versions or missing patches may be exactly how the hacker got in.
Forensics: What was lost
The next question to ask is whether your system has any sensitive information on it. This can include social security numbers and other personally identifiable information, credit card numbers, and login credentials. Ask:
- What files and databases were compromised?
- Do any of those files or databases hold additional login information or credentials?
- Are the compromised passwords and credentials used anywhere else?
Finally, you need to take action for all information lost. Passwords should be changed. You may want to notify clients if their information was lost, and in some cases you will also be legally required to. You may also be required to notify a government agency. It is best to check federal and local laws on any information lost, and of course to check with your attorney.
If you are having an emergency
If a hacker is in your system, you may need to respond more quickly than you can on your own. That’s why we’re here! GGNet is experienced in dealing with hackers, and can respond quickly with a plan of action. Call us now or fill in the emergency form in the top-right corner, and we will give you a free 15-minute consultation to get your priorities in order.