Have I Been Hacked

Posted on 2014-10-18
Last Modified: 2014-10-22
I look after SMB network.

yesterday all users were complaining of very slow internet connection (it's already slow at 5Mbps). In fact browser pages were timing out so we suspected loss of internet. On checking the router it showed as connected and our service provider was able to confirm connection and also told use there was traffic both ways, yet no user was able to access the internet - emails were queuing too.

This sent panic through management who concluded that the system had been hacked and that all files were being "stolen".

Is it possible to check retrospectively what that traffic may have been. Our router is a Zyxel P600 which doesn't log anything. We have an SBS 2008 server that acts as DNS. Trend Micro Security AV and firewall

Question by:Gordon710
LVL 13

Expert Comment

ID: 40388652
A good tool to investigate if this is the case is Wireshark and with the use of Port Mirroring it can tell you what packets are being passed through the switch/router on your network.
You could also check the logs on your switch or router to see if any unusal activities appeared yesterday from an unknown IP.
LVL 38

Expert Comment

by:Rich Rumble
ID: 40388662
Disconnect the suspect machine, and get a professional security firm to investigate. There isn't much you can do yourself being untrained. If it's still going on, setup a span port, or mirror port, and get wireshark to capture the data from that machine. A span/mirror port is a way to send all traffic in/out of one port to another for analysis, it does not affect the connection and is unseen by the machine you are investigating.
Security firms you may want to contact:
Maybe find someone more local to you.
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 40388687
you can not see the past over network speacially traffic base, if you don't have any log system in your network. ifsuspected machine in windows you may try to find last file accessed log. you can try to guess them which is read by nearest time.

usually security firm can find just what i told for past. Mostly they will recommend prevention systems for future.
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

LVL 61

Accepted Solution

btan earned 500 total points
ID: 40388698
the key thing know is to isolate and make sure the backdoor is closed as the adversary can have another wave back
- change the login credential (esp the privileged accounts),
- check the exploited server running the critical services including the dump server which store the "stolen" artefact.

Gather whatever security log from the endpoint, network and server HIPS like the Trend Micro suite - likely the alert may be of existence if it is a known signature else it has bypassed these s/w. But see if there are triggers of
- unintended and unauthorized disclosure of information
- unauthorized use of a system to process, store, or transmit data
- changes to system hardware, firmware, or software characteristics without the knowledge or consent of you or of the asset owner
- unusual  system resource usage lifecycle, status and errors reported by systems and hardware devices, file system warnings (low freespace, too many open files, file exceeding allocated size)
- presence of new services and device, actions requiring special privileges

Other log can include applications- and services-specific information such as network traffic (packet content), mail logs, FTP logs, web server logs, modem logs, firewall logs, SNMP logs, DNS logs, intrusion detection system logs, database management system logs.

Some anomalous activities to watch on the wire can include
- some exfiltration traffic to get out this "loot" so look for odd hours or connections made at unusual times,
- unusual high outbound port, surge in traffic payload,
- unexpected changes in network performance such as variations in traffic load at specified times and it can be hogging transaction eating the bandwidth,
- brute force attempts which can include attempts (either failed or successful) to gain unauthorized access to a system or its data, and repeated, failed connection attempts
- beacons to certain "country" that has no dealing with the businesses, or traffic coming from or going to unexpected locations
- non legit attempts such as remote access or IRC attempts, unwanted disruption or denial of service, unauthorized scans and probes
- non-standard or malformed packets (protocol violations) that can also include
multiple secure shortlived channel that can be non SSL standard based

Likewise, to prevent aftereffect spreading
- stop any use of USB drive or external drive to check and scan them for any malware as it may also attempt to infect the drive if plugged into the infected machine.
- check on the unauthorised s/w such as remote access tool (RAT), psexec, etc and the key is find any hacking or equivalent tools that is beyond the normal administrative toolkit that the business is using for maintenance or upgrading or daily routine.

Pls do keep the customer informed when the threat is remediated and focus to form the team to handle the external and internal comms - note if there are any legal notification period mandatory to adhere and alert as well.

Expert Comment

ID: 40388771
Test for poweliks virus using Roguekiller (Or Roguekiller64), as I have seen this same issue recenlty.  Combofix is the fastest way to clean the system if Roguekiller detects over and over but never successfully cleans.
LVL 61

Expert Comment

ID: 40389493
You can try the TDSSKiller and MalwareBytes Anti-Rootkit but importantly it is to isolated the affected, find the IOC (indicato rof compromise) and assess the damage for recovery concurrent. the security firms suggested by Richrumble is also good and I like to add on CO3 too ( Mandiant also has couple of handy IOC toolkit too such as IOCfinder ( and has Redline & OpenIOC to Build Effective Indicators ( - overall to help in dissecting the cyber kill chain

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
A brand new malware strain was recently discovered by security researchers at Palo Alto Networks dubbed “AceDeceiver.” This new strain of iOS malware can successfully infect non-jailbroken devices and jailbroken devices alike.
Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now