"Help! I've been Hacked!"
Some tips on getting a hacker out of your system and keeping him out
This section is by popular request. I have received hundreds of emails (really!) from people who have been hacked. To keep from having to answer hundreds more emails I have created this little page.
Protecting your network small or large
This site aims to help those trying to protect themselves from the "bad boys" of the net. With the advent of cable and DSL connections, lots of individual computers and small home networks have joined the ranks of the exposed. If you only connect via a modem you are still in danger; you just have a lower profile.
Since you have found this place you have a chance; it means that you are trying to learn more. Knowledge is the key to your survival: knowing who is trying to do you harm and what to do to stop them. Way too many sysops put in a firewall and go "Ok, I am safe now!" WRONG, WRONG, WRONG !!!
If you want a secure system you have to stay current. Keep patched up! Find out what exploits exist for your system and fix them. Trust me, the hackers know all the latest exploits before you do. The thing is, you can find out the same way they do, and only a little later than they do. Just visit the sites devoted to such things: Anti-online, Rootshell, L0pht, 2600, CERT, etc. Visit both the anti-hack and hacker sites; this way you get a much better picture of what is going on. Unless you are very well versed in the language of hacking, and are a real good actor, I would not recommend going onto any of the #hacker IRC channels trolling for information. They will pick up on you right away, and you will now have lots of pissed off hackers coming after you. Not exactly what you wanted. hehe
Most of the anti and pro hacking sites have file archives that have information and code for many of the hacks. Hacking into your own site is the best, and pretty much only, way to find out just how safe you are. I will provide some links at the end of all this to get you started. In a way it is funny: if you had evil intentions you would have known about these places already. I cannot give you step by step instructions on how to hack a site. First of all each site is a bit different, and well.. there is no need to, they exist all over the place. *sigh* The big trick always in hacking a network is figuring out just what exploit will work on which system.
The place to start is to read, read, read..... Get out your Unix manuals and read them through. Try out the commands; you will be surprised at what UNIX will let you do. There is a great depth to the UNIX commands. Learn some Perl. Even the simple stuff will let you create some of your own tools to probe your network.
One good way to work on your skills is to practice on a machine that is inside your net. Scan it, probe it, and see what the operating system will tell you about it. This way you can probe a machine without exposing it to others.
Here are a few simple network security tips that often get overlooked.
Information
Information is like gold to the hacker. What information does your system give out? Log into most systems' FTP or telnet port and the OS reports what it is and its revision level! Telling the world that you are running Red Hat 5.01 rev 0024 or Windows NT4.0 rev 001 or whatever is not good! Now they know what set of exploits apply and which ones will work on you!!! Get into those configuration files and change these default messages; most OS services will let you change them.
Users
Make a hard copy of your user list. Only one person should be able to add new users. At least once a week check this hard copy list against the user list on the network. The one thing most hackers do once they get inside is to give themselves an account. They know that very few sysops check the user lists. If you see a user that you did not add... ask yourself, "If I am the only one who can add new users, where did this guy come from?" Answer is that he added himself. hehe. Once you find one of these unknown users, monitor him. (A Perl or C++ cron task is wonderful here.) Don't just delete him right away! Monitor him first, discreetly; try to find out what he is doing, and who he really is. Chances are he has or is setting himself up a "shell account" on your system and is using it to hack other systems.
Key files
Do directory dumps to the printer of your key directories, mostly the ones that only root can change. Make sure to have the switches set to show dates and permissions. Good ole hard copy again. The hacker cannot change the printout on your desk, but he can change your files, so your hard copy is your only clue as to what things should look like. Check these lists against the current directories. After a while you will be able to spot unusual changes, and it is much easier to spot anything that was added.
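The user-list and key-directory checks above are a baseline-and-compare procedure, and the "hard copy" can just as well be a saved snapshot. The following is an added example, not code from the original page: it parses passwd-format text into a user snapshot, records mode, mtime and size for every entry in a directory, and diffs a baseline against the current state, also flagging every uid-0 account rather than only "root". The passwd contents are constructed sample data.

```python
import os
import stat

# Constructed sample /etc/passwd contents: the "hard copy" baseline.
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# The same file a week later: a new uid-0 account has appeared (constructed).
CURRENT_PASSWD = BASELINE_PASSWD + "sys0:x:0:0::/tmp:/bin/sh\n"


def snapshot_users(passwd_text):
    """Map login name -> (uid, gid, home, shell) from passwd-format text."""
    users = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = (int(uid), int(gid), home, shell)
    return users


def snapshot_dir(path):
    """Map file name -> (mode string, mtime, size) for one directory,
    the equivalent of the dated, permission-showing printout."""
    entries = {}
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        entries[name] = (stat.filemode(st.st_mode), int(st.st_mtime), st.st_size)
    return entries


def compare(baseline, current):
    """Return (added, removed, changed) keys between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    return added, removed, changed


def root_equivalents(users):
    """Every account with uid 0, not just the one named 'root'."""
    return sorted(n for n, (uid, _g, _h, _s) in users.items() if uid == 0)
```

Run `snapshot_users` on the real /etc/passwd and `snapshot_dir` on /etc, /bin and /sbin from a cron job, store the result somewhere the machine itself cannot overwrite, and review the `compare` output weekly.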
Remember that most hacks go unnoticed! They are in and out, logs cleaned up, all in just a few minutes. Now they have a legit user account with root privileges. They can do what they like and you will be none the wiser.
Most people think that when they get hacked the system crashes. Far from it. The good ones come and go unseen. That is the danger: since everything is working, no one is looking for anything.
A firewall is not enough. A firewall only tries to keep them out by plugging the holes. You need IDS (Intrusion Detection Systems) as well. You have to know when you are being probed and attacked. Almost all hacks require that you probe the target system first. The guy hacking you this week was probing you last week. I have a little PC network at home, hooked to the net via a cable modem. My little network is protected better than most major web sites. hehe. I have a gateway, firewall and IDS running. I get probes and attacks daily. My IDS does an immediate back trace on the probe, and that scares away most of them. hehe. You see, most of the hackers have IDS systems going too. Most hackers have far better security on their home systems than the mainframes they are targeting.
Three real important things to remember.
1. Always remember that the Internet was designed to freely exchange information. All of the underlying structure was built with the goal of making it easy to find and retrieve data. Now we come along and are trying to add security to it. It was not designed with security in mind, so all that security is pasted on top, so to speak. That is changing, but it will be a long time coming before things like TCP/IP have security built into them.
2. The more complex a system becomes, the more unmanageable it becomes. Modern networks are very complex systems. The software and hardware are always changing, and every patch that fixes one bug can cause another one to appear. It is called the "law of unintended consequences". The more complex the system, the more unintended consequences you will have.
3. Not all hacks come from outside!!! Most large high tech companies have hackers working there; they just don't know it. I have worked for a few of them, and their internal networks were, well.. let's just say I could do what I wanted, when I wanted. (don't want to get sued here.. hehe) The point is WATCH YOUR USERS!!! A lot of the probes I get are from corporate computers! Either a hacker is using them as a shell, or someone inside is hacking me. So far when I have tracked them down (and I do that a lot *grins*) it comes out about 50-50. It is much, much easier to hack a network from inside than outside.
How a hacker thinks..
I had a little crypto job a while back. I think it illustrates how a hacker approaches things a bit differently. It seems this little company I will call Xyz Inc. was very concerned about their proprietary data getting out. They were using a specialized commercial software suite to generate this data, and this data could be encrypted with a password. In fact Xyz Inc. chose this software partially because the encryption was so secure. Xyz Inc. ordered all of its employees to encrypt all their work. Xyz Inc. however forgot to get the passwords from the employees. Oops. Well, finally someone quit, and did not tell anyone his passwords before he left. Now a lot of valuable data was locked up and no one had the key! This is where I came into the picture. Well I did the usual, poked around a bit with the passwords and how the data looked both encrypted and plain. Well, it seems the maker of the software had been sued because previous versions had such weak encryption. The new (post lawsuit) version that Xyz Inc. was running had very good encryption schemes. I realized that it would take a bunch of very fast computers running for a couple of months to break the key. Well, I am a hacker that likes crypto, so if I cannot break the code I will just have to hack the software. I poke about in the code a bit more, and there it is: "The fatal flaw". Almost all security systems have them. You just have to find it. Well, I found this one's. I changed just one little byte in the code and saved the file. Now the password system works backwards. As long as the password is wrong it will open the file! The software will decrypt it for you! This is how a hacker thinks. Why break in when you can trick the system into letting you in? He pokes and pries, looking for a way in; if you lock one door he tries another. If there are no open doors he will assault your system in one fashion or another until he gets one open a crack.
Once he gets that crack open he will get your system to work for him and against you! If you want to see just how this was done then go here.
Quick and cheap protection.
Now many of you say you cannot afford such protection; well, you are wrong. There are several very good personal firewalls and IDS's available for the Windows platforms. Most of these cost less than $50. For the cost of a new game you can provide yourself with a decent level of protection. Even software tools intended for other purposes, such as Genius and NukeNabber, can be used as a primitive sort of IDS.
Trojans
Trojans get their own section because they are a different kind of threat. Trojans bypass most firewalls because you downloaded and installed them behind your firewall. These trojans give almost complete control of your system to someone else every time you connect to the net. Yikes!!!!
You get a trojan from something you downloaded, or from an attachment someone sent to you. Trojans are a problem for everyone. If a trojan is activated on a system behind the firewall the hacker can access, change or delete files, and use that one computer to infect the other computers on the network. It matters not if your network is just your one PC or a large corporate network; as long as it hooks up to the net then you have a problem.
The 2 most common trojans out there right now are NetBus and Back Orifice (BO).
The good news is that there is automated detection and removal software out there to get rid of them. Just be careful which ones you download; some are really trojans themselves!
Here are a few links that should help you find out more about trojans and how to keep them out of your system. I have checked these out myself. I run NukeNabber, Genius2, and BOdetect on my machines behind the firewall on a regular basis. These sites have also been checked out by groups such as C-Net and labeled safe.
Here are some more specific links to help with various attacks.
NetBus - www.irchelp.org/irchelp/security/netbus.html
Back Orifice - www.antionline.com/SpecialReports/backorifice/index.html
Trojan Detect - www.spiritone.com/~cbenson/
- BOdetect - detects and removes BO and NetBus
DOS - www.raptor.nu/dos.shtml
Trojan ports - www.simovits.com/nyheter9902.html
Genius - www.sinnerz.com/genius/ Genius is a wonderful little shareware program. The Swiss army knife for networks and the internet.
Both NukeNabber and Genius also provide a way to tell if someone is trying to access a trojan on your system or scan you for vulnerable ports. Genius will also provide a list of your current connections. This is not as good as having a firewall or Intrusion Detection System, but it is better than nothing. They will provide some insight into your PC's security.
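The connection list that Genius shows can be checked the same way by hand from `netstat -an`. The following is an added example, not code from the original page or from any of the tools it names: it parses netstat-style output and flags listeners on the default ports of the two trojans the page names (NetBus on TCP 12345/12346, Back Orifice on UDP 31337). Those defaults are the tools' documented ones, but both can be reconfigured, so a clean result is not proof of a clean box. The netstat text is constructed sample output.

```python
import re

# Default listening ports documented for the two trojans the page names.
# Both can be reconfigured, so this only catches default installs.
TROJAN_PORTS = {
    ("tcp", 12345): "NetBus",
    ("tcp", 12346): "NetBus",
    ("udp", 31337): "Back Orifice",
}

# Constructed sample of `netstat -an` output (Windows-style columns).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1037      204.71.200.68:80       ESTABLISHED
  UDP    0.0.0.0:31337          *:*
  UDP    127.0.0.1:1028         *:*
"""

# proto, local ip, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, local_ip, local_port, remote, state) per socket line."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, banner and blank lines
        proto, ip, port, remote, state = m.groups()
        sockets.append((proto.lower(), ip, int(port), remote, state or ""))
    return sockets


def listening_sockets(sockets):
    """TCP sockets in LISTENING state plus every bound UDP socket."""
    return [s for s in sockets
            if (s[0] == "tcp" and s[4] == "LISTENING") or s[0] == "udp"]


def suspicious_listeners(text):
    """Return [(name, proto, port)] for listeners on known trojan defaults."""
    hits = []
    for proto, _ip, port, _remote, _state in listening_sockets(parse_netstat(text)):
        name = TROJAN_PORTS.get((proto, port))
        if name:
            hits.append((name, proto, port))
    return hits
```

A listener that is not in TROJAN_PORTS but that you cannot account for deserves the same attention; the point is knowing what your box normally has open.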
PC FireWalls
BlackIce is a real firewall/Intrusion Detection System for the PC. It has received several awards and does offer real protection for your PC.
There are others like GuardDog, but I have not had a chance to "test" them out as well. I have run the standard stuff against a BlackIce protected machine, and it came thru just fine. I will try to run some not so standard stuff against it in the near future, I will let you know how it handles that. *grins*
All three of these are great places to get the latest security information and alerts.
AntiOnline
Xforce
RootShell
One more thing... Very Important!!!
NEVER OPEN AN ATTACHMENT TO MAIL FROM SOMEONE YOU DO NOT KNOW AND TRUST!!!!
This includes ICQ file transfers and pictures.
Always delete them unread.
That includes me. I will never send anything directly to someone unasked. Even when someone requests files I try to point them to a link. Safe computer "sex" is very important. I will always try to point you to a "safe" spot on the web to get your files. Watch out for those that want to send you a bunch of files to "solve" your problem. Just ask for the links. Get the files from the original web site whenever possible.