October 2004

You've Been Hacked. Now What?

Detect, disable and recover from a network attack
Sidebar: Lessons from the Cyber Trenches

Some hacking tools can block Netstat from displaying open ports on a computer. If Netstat shows no suspicious open ports but you still suspect that some exist, run a port scanner tool such as the Network Mapper (nmap) open-source utility--which you can download at http://www.insecure.org/nmap--from another computer to see which ports are open on the target computer.
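The comparison suggested above can be automated: parse the suspect host's own Netstat listing and an nmap scan of that host taken from a second machine, and report any port that is open from outside but absent from the local view. This is an added example, not code from the article; both outputs below are constructed samples, and the hidden listener on port 4444 is invented for the demonstration.

```python
import re

# Constructed sample of "netstat -an" run on the suspect Windows host (not real data).
# A hiding tool has suppressed the listener on port 4444 from this view.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1052      192.168.1.20:445       ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# Constructed sample of an nmap scan of the same host, run from another computer.
NMAP_OUTPUT = """\
PORT     STATE SERVICE
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
4444/tcp open  krb524
"""

def netstat_listeners(text):
    """Return the set of TCP ports the host itself reports as LISTENING."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            # Local address is host:port; split on the last colon to get the port.
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports

def nmap_open_ports(text):
    """Return the set of TCP ports the external nmap scan reports as open."""
    return {int(m.group(1)) for m in re.finditer(r"^(\d+)/tcp\s+open\b", text, re.MULTILINE)}

def hidden_ports(netstat_text, nmap_text):
    """Ports reachable from outside but missing from the host's own Netstat view.

    A non-empty result means the local tooling is lying or the host is hiding a listener,
    which is exactly the discrepancy the external scan is meant to expose.
    """
    return sorted(nmap_open_ports(nmap_text) - netstat_listeners(netstat_text))

if __name__ == "__main__":
    for port in hidden_ports(NETSTAT_OUTPUT, NMAP_OUTPUT):
        print(f"port {port}/tcp is open externally but hidden from Netstat")
```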

Rogue users in AD. When an intruder compromises a system, he or she will sometimes create one or more rogue users in Active Directory (AD). Often, intruders create these user accounts with a blank description. To combat this tactic, I suggest you add a description (following a specific naming convention) for every authorized user in AD. Then, you can sort your users by description, and all users without a description will appear at the top of the list.

Unauthorized users in privileged groups. One primary hacking goal is privilege escalation. Check the privileged groups in AD (e.g., Administrators, Domain Admins, Enterprise Admins, Server Operators) for unauthorized group membership. Make sure that you limit membership in these groups to make identifying unauthorized users easier.
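Both of the AD checks above (blank descriptions and unexpected privileged-group members) can be run against a user export instead of by eye. This is an added example, not the author's code: the CSV export, the naming convention, and the AUTHORIZED table are constructed assumptions standing in for whatever your directory dump and your own records contain.

```python
import csv
import io

# Constructed sample export of AD user objects (e.g. from a CSV directory dump); not real data.
# memberOf lists group names separated by ';'. Descriptions follow an assumed convention
# (EMP-<dept>-<site> for staff, SVC-<role>-<host> for service accounts).
AD_EXPORT = """\
sAMAccountName,description,memberOf
jsmith,EMP-Finance-Denver,Domain Users
mjones,EMP-IT-Denver,Domain Users;Domain Admins
svc_backup,SVC-Backup-Server01,Domain Users;Server Operators
admin2,,Domain Users;Administrators
tmp01,,Domain Users
"""

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Server Operators"}

# Constructed record of who is supposed to hold each privileged membership.
AUTHORIZED = {
    "Domain Admins": {"mjones"},
    "Server Operators": {"svc_backup"},
    "Administrators": set(),
    "Enterprise Admins": set(),
}

def load_users(text):
    """Parse the CSV export into a list of dicts, with memberOf as a set of group names."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        row["memberOf"] = {g for g in row["memberOf"].split(";") if g}
        users.append(row)
    return users

def users_sorted_by_description(users):
    """Same ordering as the article's sort-by-description trick: blank descriptions float to the top."""
    ordered = sorted(users, key=lambda u: (u["description"] != "", u["description"]))
    return [u["sAMAccountName"] for u in ordered]

def blank_description_users(users):
    """Accounts with no description: candidates for rogue users created by an intruder."""
    return sorted(u["sAMAccountName"] for u in users if not u["description"].strip())

def unauthorized_privileged_members(users, authorized=AUTHORIZED):
    """(user, group) pairs where the user sits in a privileged group without being on record."""
    findings = []
    for u in users:
        for group in sorted(u["memberOf"] & PRIVILEGED_GROUPS):
            if u["sAMAccountName"] not in authorized.get(group, set()):
                findings.append((u["sAMAccountName"], group))
    return sorted(findings)
```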

Stop the Bleeding: A Hack Recovery Plan
If you discover that one of your systems has been hacked, don't panic. You need to keep your cool and proceed in a logical fashion. The following plan of action can help you limit the damage.

1. Isolate the network. Shut down all external interfaces on your network, including Internet, WAN, VPN, and dial-up connections, and disconnect all lines from routers, wireless Access Points (APs), and any other devices that connect your network to the outside world. This action can stop an active attack and prevent the intruder from compromising other systems.

2. Perform a wireless sweep. Use a wireless sniffer such as Airscanner Mobile Sniffer or NetStumbler.com's NetStumbler to locate any rogue APs in the area. Be sure to install the sniffer on a card that supports all current wireless standards (i.e., 802.11a, 802.11b, and 802.11g).

3. Check for other compromised machines. Use the techniques in this article to discover whether you have additional hacked machines.

4. Review firewall configuration. Look for any unauthorized rules, unauthorized open ports to the outside world, and unauthorized Network Address Translation (NAT) rules. Examine the firewall logs for any suspicious activity. I recommend that you always restrict outbound traffic to only necessary outbound ports and make sure that only authorized computers can send outgoing mail through the firewall.

5. Inspect AD. Look for any unauthorized user accounts and disable any you find.

6. Change passwords for every account on the network. For accounts with escalated privileges, I suggest you create a password (or pass phrase) of at least 15 characters. Passwords of this length are harder to crack because LAN Manager (LM) password hashes aren't stored on the server for passwords longer than 14 characters.

7. Replace hard disks on hacked computers. Replacing disks isolates and preserves the evidence of the hacking activity. You can review the data on the old disks to gain valuable information about the attack.

8. Identify and address the vulnerability. Try to determine how the hacker accessed the network. This is often easier said than done (and outside the scope of this article). If you can't identify the vulnerability, consider hiring a security consultant to help.

9. Rebuild the compromised machine. It's almost impossible to completely clean a hacked computer. If one or more hacking tools remain on the machine, the intruder can regain access to it. The only way to ensure a clean computer is to format the hard disk and rebuild the machine from scratch, making sure you don't restore any previously installed hacking tools. You should reinstall all programs from CD-ROM, manually install any patches, and restore only data files. Never restore the registry, OS, or any programs from tape.

10. Run full virus scans on all machines. Be aware that antivirus software can sometimes miss hacking tools, treating them as legitimate programs. If a machine scans clean but you still suspect that it's been hacked, I recommend you rebuild the machine from scratch.

11. Reconnect the WAN lines. Reconnect and carefully monitor WAN lines to make sure you've closed the holes in your network. Watch for heavy bandwidth usage on the network, closely monitor the firewall logs, and enable security auditing on all servers.

12. Perform forensic analysis on hacked hard disks. Install the hacked hard disks on a standalone computer and examine them to gain more information about the hack. Although intruders often spoof their IP addresses, the IP address is a good place to start tracking the attack's source. You can obtain a list of IP address allocations from the Internet Assigned Numbers Authority (IANA) Web site at http://www.iana.org.

13. Notify authorities. The FBI runs the Internet Fraud Complaint Center (IFCC--http://www.ifccfbi.gov/index.asp) for reporting suspicious Internet activity, and most FBI field offices have Cyber Action Teams (CATs). No one likes to admit to having been hacked, but notifying the proper authorities can prevent a hacker from doing more damage. To contact your local FBI office, go to http://www.fbi.gov/contact/fo/fo.htm.

You can use these steps to design a customized hacking recovery plan. Tailor the steps to your organization, and integrate them into your company's disaster recovery plan.
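Step 4 of the plan (review the firewall for unauthorized rules, unnecessary outbound ports, and hosts other than the mail servers sending outbound SMTP) is the step most easily turned into a repeatable check. This is an added example, not code from the article: the rule export format, the allowed-port sets, and the MAIL_SERVERS list are constructed assumptions, and a real review would resolve vendor-specific network objects rather than match source addresses as plain strings.

```python
# Constructed sample export of firewall rules in an assumed whitespace-separated format
# (not a real vendor format): rule-id action direction source destination protocol dest-port
RULES = """\
# id  action dir  src            dst           proto dport
r1  allow  out  192.168.1.0/24 any           tcp   80
r2  allow  out  192.168.1.0/24 any           tcp   443
r3  allow  out  192.168.1.5    any           tcp   25
r4  allow  out  192.168.1.77   any           tcp   25
r5  allow  out  192.168.1.0/24 any           tcp   any
r6  allow  in   any            192.168.1.10  tcp   3389
r7  allow  in   any            192.168.1.5   tcp   25
r8  deny   any  any            any           any   any
"""

# Assumed policy: only these services may leave the network, only the mail relay is
# published inbound, and only the listed hosts may send mail out through the firewall.
ALLOWED_OUTBOUND = {"tcp/80", "tcp/443", "tcp/25", "udp/53"}
ALLOWED_INBOUND = {"tcp/25"}
MAIL_SERVERS = {"192.168.1.5"}

def parse_rules(text):
    """Parse the export into a list of rule dicts, skipping blank and comment lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rid, action, direction, src, dst, proto, dport = line.split()
        rules.append({"id": rid, "action": action, "dir": direction, "src": src,
                      "dst": dst, "proto": proto, "dport": dport})
    return rules

def review_rules(rules, allowed_out=ALLOWED_OUTBOUND, allowed_in=ALLOWED_INBOUND,
                 mail_servers=MAIL_SERVERS):
    """Return (rule-id, reason) for every allow rule that violates the assumed policy."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        service = f"{r['proto']}/{r['dport']}"   # e.g. "tcp/25"
        if r["dir"] == "out":
            # An 'any' port or protocol is never on the allow list, so it is caught here too.
            if service not in allowed_out:
                findings.append((r["id"], "outbound-port-not-allowed"))
            elif r["dport"] == "25" and r["src"] not in mail_servers:
                findings.append((r["id"], "smtp-from-non-mail-server"))
        elif r["dir"] == "in" and service not in allowed_in:
            findings.append((r["id"], "inbound-port-not-allowed"))
    return findings
```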

Learning By Example
In my consulting practice, I come across many situations in which organizations have experienced attacks against their networks. Learning from others' experiences can help you detect vulnerabilities in your networks and help you recover from similar attacks. So, let's look at some real-life hacking scenarios.

IIS Attack in the DMZ
One of my clients called me, saying that users couldn't access certain folders on a Win2K Server system. When I discovered that all rights had been removed from the folders, I suspected that someone had compromised the system.
