Have I Been Hacked

I look after an SMB network.

Yesterday all users were complaining of a very slow internet connection (it's already slow at 5Mbps). In fact browser pages were timing out, so we suspected loss of internet. On checking the router it showed as connected, and our service provider was able to confirm the connection and also told us there was traffic both ways, yet no user was able to access the internet - emails were queuing too.

This sent panic through management who concluded that the system had been hacked and that all files were being "stolen".

Is it possible to check retrospectively what that traffic may have been? Our router is a Zyxel P600, which doesn't log anything. We have an SBS 2008 server that acts as DNS, and Trend Micro Security AV and firewall.


A good tool to investigate if this is the case is Wireshark and with the use of Port Mirroring it can tell you what packets are being passed through the switch/router on your network.

You could also check the logs on your switch or router to see if any unusual activities appeared yesterday from an unknown IP.

Rich Rumble (Security Samurai) commented:
Disconnect the suspect machine, and get a professional security firm to investigate. There isn't much you can do yourself being untrained. If it's still going on, set up a span port, or mirror port, and get Wireshark to capture the data from that machine. A span/mirror port is a way to send all traffic in/out of one port to another for analysis; it does not affect the connection and is unseen by the machine you are investigating.
Security firms you may want to contact:
Mandiant https://www.mandiant.com/services/forensics-support/
CrowdStrike http://services.crowdstrike.com/contact/index.html
Maybe find someone more local to you.
Faruk Onder Yerli (Owner) commented:
You cannot see the past over the network, especially traffic-based, if you don't have any log system in your network. If the suspected machine is Windows you may try to find the last-file-accessed log. You can try to guess which of them were read by nearest time.

Usually a security firm can find just what I told you for the past. Mostly they will recommend prevention systems for the future.

btan (Exec Consultant) commented:
The key thing to know is to isolate and make sure the backdoor is closed, as the adversary can have another wave back:
- change the login credentials (esp. the privileged accounts),
- check the exploited server running the critical services, including the dump server which stores the "stolen" artefacts.

Gather whatever security logs from the endpoint, network and server HIPS like the Trend Micro suite - likely the alert may exist if it is a known signature, else it has bypassed this s/w. But see if there are triggers of
- unintended and unauthorized disclosure of information
- unauthorized use of a system to process, store, or transmit data
- changes to system hardware, firmware, or software characteristics without the knowledge or consent of you or of the asset owner
- unusual system resource usage lifecycle, status and errors reported by systems and hardware devices, file system warnings (low free space, too many open files, file exceeding allocated size)
- presence of new services and device, actions requiring special privileges

Other logs can include application- and service-specific information such as network traffic (packet content), mail logs, FTP logs, web server logs, modem logs, firewall logs, SNMP logs, DNS logs, intrusion detection system logs, database management system logs.

Some anomalous activities to watch on the wire can include:
- some exfiltration traffic to get this "loot" out, so look for odd hours or connections made at unusual times,
- an unusual high outbound port, a surge in traffic payload,
- unexpected changes in network performance such as variations in traffic load at specified times, which can be transactions hogging and eating the bandwidth,
- brute force attempts, which can include attempts (either failed or successful) to gain unauthorized access to a system or its data, and repeated, failed connection attempts,
- beacons to a certain "country" that has no dealings with the business, or traffic coming from or going to unexpected locations,
- non-legit attempts such as remote access or IRC attempts, unwanted disruption or denial of service, unauthorized scans and probes,
- non-standard or malformed packets (protocol violations), which can also include multiple secure short-lived channels that are not SSL standard based.

Likewise, to prevent the after-effects spreading:
- stop any use of USB drives or external drives, and check and scan them for any malware, as it may also attempt to infect the drive if plugged into the infected machine.
- check for unauthorised s/w such as remote access tools (RAT), psexec, etc. The key is to find any hacking or equivalent tools that are beyond the normal administrative toolkit that the business is using for maintenance, upgrading or daily routine.

Please do keep the customer informed when the threat is remediated, and focus on forming the team to handle the external and internal comms - note if there are any legal notification periods that are mandatory to adhere to and alert as well.
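The wire-level heuristics listed in the answer above (odd hours, unusual high outbound ports, payload surges, repeated failed connections, traffic to unexpected countries, fixed-interval beacons), applied to constructed flow records. This is an added example, not code from the thread or from any tool it names; the hosts, thresholds, business hours and the "XX" country code are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed flow records for illustration only: (timestamp, src, dst, dst_port,
# bytes_out, dst_country, connection_succeeded). Not real captured traffic.
FLOWS = [
    ("2014-03-10 09:12:00", "192.168.1.20", "203.0.113.5", 443, 12000, "GB", True),
    ("2014-03-10 09:15:00", "192.168.1.21", "203.0.113.9", 80, 8000, "GB", True),
    ("2014-03-10 02:05:00", "192.168.1.33", "198.51.100.7", 6667, 40000, "XX", True),
    ("2014-03-10 02:10:00", "192.168.1.33", "198.51.100.7", 6667, 45000, "XX", True),
    ("2014-03-10 02:15:00", "192.168.1.33", "198.51.100.7", 6667, 950000, "XX", True),
] + [  # five failed connections, irregularly spaced, from one host to the server
    (f"2014-03-10 11:{m:02d}:00", "192.168.1.40", "192.168.1.5", 22, 300, "GB", False)
    for m in (0, 1, 3, 4, 9)
]

def find_anomalies(flows, business_hours=(8, 18), expected_countries=("GB",),
                   common_ports=(25, 53, 80, 443, 993, 995), fail_threshold=5,
                   surge_factor=10):
    """Apply the heuristics from the answer above; returns {heuristic: set(hits)}."""
    findings = defaultdict(set)
    failures = Counter()
    bytes_by_host = defaultdict(list)
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes, country, ok in flows:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if not business_hours[0] <= when.hour < business_hours[1]:
            findings["odd_hours"].add(src)                  # connections at unusual times
        if port > 1024 and port not in common_ports:
            findings["unusual_high_port"].add((src, port))  # unusual high outbound port
        if country not in expected_countries:
            findings["unexpected_country"].add((src, dst))  # traffic to unexpected locations
        if not ok:
            failures[(src, dst)] += 1
        bytes_by_host[src].append(nbytes)
        stamps_by_pair[(src, dst)].append(when)
    for pair, n in failures.items():
        if n >= fail_threshold:
            findings["repeated_failures"].add(pair)         # brute-force style attempts
    for host, sizes in bytes_by_host.items():
        median = sorted(sizes)[len(sizes) // 2]
        if len(sizes) > 1 and max(sizes) > surge_factor * median:
            findings["payload_surge"].add(host)             # surge in traffic payload
    for pair, stamps in stamps_by_pair.items():
        gaps = {(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])}
        if len(stamps) >= 3 and len(gaps) == 1:
            findings["regular_beacon"].add(pair)            # fixed-interval beaconing
    return dict(findings)

if __name__ == "__main__":
    for name, hits in sorted(find_anomalies(FLOWS).items()):
        print(f"{name}: {sorted(hits)}")
```

Real input would be flow or firewall logs from the switch or a mirror-port capture; a host that trips several of these heuristics at once, as 192.168.1.33 does here, is the one to isolate first.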

Jason Johanknecht (IT Manager) commented:
Test for the Poweliks virus using RogueKiller (or RogueKiller64), as I have seen this same issue recently. Combofix is the fastest way to clean the system if RogueKiller detects over and over but never successfully cleans.

btan (Exec Consultant) commented:
You can try TDSSKiller and MalwareBytes Anti-Rootkit, but importantly it is to isolate the affected, find the IOC (indicator of compromise) and assess the damage for recovery concurrently. The security firms suggested by Richrumble are also good, and I would like to add CO3 too (https://www.co3sys.com/emergency-response). Mandiant also has a couple of handy IOC toolkits, such as IOCfinder (http://www.mandiant.com/resources/download/ioc-finder/), and has Redline & OpenIOC to Build Effective Indicators (https://www.mandiant.com/blog/redline-openioc-build-effective-indicators/) - overall to help in dissecting the cyber kill chain.