Have I Been Hacked

Posted on 2014-10-18
Medium Priority
Last Modified: 2014-10-22
I look after an SMB network.

Yesterday all users were complaining of a very slow internet connection (it's already slow at 5Mbps). In fact browser pages were timing out, so we suspected loss of internet. On checking the router it showed as connected, and our service provider was able to confirm the connection and also told us there was traffic both ways, yet no user was able to access the internet - emails were queuing too.

This sent panic through management, who concluded that the system had been hacked and that all files were being "stolen".

Is it possible to check retrospectively what that traffic may have been? Our router is a Zyxel P600 which doesn't log anything. We have an SBS 2008 server that acts as DNS, plus Trend Micro Security AV and firewall.

Question by: Gordon710
LVL 13

Expert Comment

ID: 40388652
A good tool to investigate whether this is the case is Wireshark; with the use of port mirroring it can tell you what packets are being passed through the switch/router on your network.

You could also check the logs on your switch or router to see if any unusual activity appeared yesterday from an unknown IP.
LVL 38

Expert Comment

by:Rich Rumble
ID: 40388662
Disconnect the suspect machine, and get a professional security firm to investigate. There isn't much you can do yourself being untrained. If it's still going on, set up a SPAN port, or mirror port, and get Wireshark to capture the data from that machine. A SPAN/mirror port is a way to send all traffic in/out of one port to another for analysis; it does not affect the connection and is unseen by the machine you are investigating.
Security firms you may want to contact:
Mandiant https://www.mandiant.com/services/forensics-support/
CrowdStrike http://services.crowdstrike.com/contact/index.html
Maybe find someone more local to you.
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 40388687
You cannot see the past over the network, especially traffic-based, if you don't have any log system in your network. If the suspected machine is Windows, you may try to find the last-file-accessed log. You can try to guess which of them were read at the nearest time.

Usually a security firm can find just what I told you for the past. Mostly they will recommend prevention systems for the future.
LVL 64

Accepted Solution

btan earned 2000 total points
ID: 40388698
The key thing to know is to isolate and make sure the backdoor is closed, as the adversary can have another wave back:
- change the login credentials (esp. the privileged accounts),
- check the exploited server running the critical services, including the dump server which stores the "stolen" artefacts.

Gather whatever security logs from the endpoint, network and server HIPS like the Trend Micro suite - likely the alert may exist if it is a known signature, else it has bypassed this s/w. But see if there are triggers of
- unintended and unauthorized disclosure of information
- unauthorized use of a system to process, store, or transmit data
- changes to system hardware, firmware, or software characteristics without the knowledge or consent of you or of the asset owner
- unusual system resource usage lifecycle, status and errors reported by systems and hardware devices, file system warnings (low free space, too many open files, file exceeding allocated size)
- presence of new services and devices, actions requiring special privileges

Other logs can include application- and service-specific information such as network traffic (packet content), mail logs, FTP logs, web server logs, modem logs, firewall logs, SNMP logs, DNS logs, intrusion detection system logs, database management system logs.

Some anomalous activities to watch on the wire can include
- some exfiltration traffic to get out this "loot", so look for odd hours or connections made at unusual times,
- unusually high outbound ports, surges in traffic payload,
- unexpected changes in network performance such as variations in traffic load at specified times, and it can be a hogging transaction eating the bandwidth,
- brute force attempts, which can include attempts (either failed or successful) to gain unauthorized access to a system or its data, and repeated, failed connection attempts
- beacons to certain "countries" that have no dealings with the business, or traffic coming from or going to unexpected locations
- non-legit attempts such as remote access or IRC attempts, unwanted disruption or denial of service, unauthorized scans and probes
- non-standard or malformed packets (protocol violations), which can also include multiple secure short-lived channels that are not SSL standard based

Likewise, to prevent the after-effects spreading
- stop any use of USB drives or external drives to check and scan them for any malware, as it may also attempt to infect the drive if plugged into the infected machine.
- check on unauthorised s/w such as remote access tools (RAT), psexec, etc.; the key is to find any hacking or equivalent tools that are beyond the normal administrative toolkit that the business is using for maintenance or upgrading or daily routine.

Please do keep the customer informed when the threat is remediated and focus on forming the team to handle the external and internal comms - note if there is any legal notification period that is mandatory to adhere to and alert as well.

Expert Comment

by:Jason Johanknecht
ID: 40388771
Test for the Poweliks virus using RogueKiller (or RogueKiller64), as I have seen this same issue recently. ComboFix is the fastest way to clean the system if RogueKiller detects it over and over but never successfully cleans it.
LVL 64

Expert Comment

ID: 40389493
You can try TDSSKiller and MalwareBytes Anti-Rootkit, but importantly it is to isolate the affected, find the IOC (indicator of compromise) and assess the damage for recovery concurrently. The security firms suggested by Rich Rumble are also good, and I would like to add on CO3 too (https://www.co3sys.com/emergency-response). Mandiant also has a couple of handy IOC toolkits, such as IOCfinder (http://www.mandiant.com/resources/download/ioc-finder/), and has Redline & OpenIOC to Build Effective Indicators (https://www.mandiant.com/blog/redline-openioc-build-effective-indicators/) - overall to help in dissecting the cyber kill chain.
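btan's advice to find the IOC comes down to matching a set of indicators against what was collected from a host. The following Python script is an added example, not Mandiant's IOCfinder or Redline and not code from the thread; the indicator, the host observations and the hash are constructed, and the AND/OR tree only loosely mirrors how OpenIOC composes terms.

```python
"""Match composite (AND/OR) indicators of compromise against host artifacts.
Added example; the indicator, observations and hash below are constructed."""
import hashlib

# Constructed: what a triage script would collect from one host.
HOST_OBSERVATIONS = {
    "process": {"svchost.exe", "explorer.exe", "updater.exe"},
    "dns_cache": {"mail.example.net", "c2.example.invalid"},
    "file_md5": {hashlib.md5(b"constructed dropper content").hexdigest()},
    "run_key": {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
}

# Constructed indicator: the C2 name was resolved AND the dropper is present
# either as a file (by hash) or as its persistence entry. The hash is derived
# from constructed content so the example is self-checking.
INDICATORS = [{
    "name": "constructed-dropper-beacon",
    "op": "AND",
    "items": [
        {"term": "dns_cache", "value": "c2.example.invalid"},
        {"op": "OR", "items": [
            {"term": "file_md5",
             "value": hashlib.md5(b"constructed dropper content").hexdigest()},
            {"term": "run_key",
             "value": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
        ]},
    ],
}]


def evaluate(node, observations):
    """Recursively evaluate one indicator node; returns (hit, matched_terms).

    A leaf matches when its value is among the observations for its term
    (case-insensitive, so registry path and hash case differences do not
    cause misses). AND needs every child to hit, OR needs at least one."""
    if "term" in node:
        seen = {v.lower() for v in observations.get(node["term"], ())}
        hit = node["value"].lower() in seen
        return hit, [(node["term"], node["value"])] if hit else []
    results = [evaluate(child, observations) for child in node["items"]]
    child_hits = [h for h, _ in results]
    hit = all(child_hits) if node["op"] == "AND" else any(child_hits)
    matched = [m for h, ms in results if h for m in ms]
    return hit, matched if hit else []


def scan_host(observations, indicators=INDICATORS):
    """Return {indicator name: matched terms} for every indicator that fires."""
    hits = {}
    for ind in indicators:
        hit, matched = evaluate(ind, observations)
        if hit:
            hits[ind["name"]] = matched
    return hits


if __name__ == "__main__":
    for name, terms in scan_host(HOST_OBSERVATIONS).items():
        print(name)
        for term, value in terms:
            print("  ", term, "=", value)
```

Requiring the DNS term together with one on-disk artefact is what keeps a single shared-hosting domain or a common file name from producing a hit on every machine; a host that only resolved the name returns no match and is a candidate for closer inspection rather than an automatic "compromised".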

Question has a verified solution.