Gordon710 (United Kingdom of Great Britain and Northern Ireland) asked:

Have I Been Hacked

I look after SMB network.

Yesterday all users were complaining of a very slow internet connection (it's already slow at 5Mbps). In fact browser pages were timing out, so we suspected loss of internet. On checking the router it showed as connected, and our service provider was able to confirm the connection and also told us there was traffic both ways, yet no user was able to access the internet - emails were queuing too.

This sent panic through management who concluded that the system had been hacked and that all files were being "stolen".

Is it possible to check retrospectively what that traffic may have been? Our router is a Zyxel P600, which doesn't log anything. We have an SBS 2008 server that acts as DNS, and Trend Micro Security AV and firewall.

Gordon
REIT
A good tool to investigate if this is the case is Wireshark and with the use of Port Mirroring it can tell you what packets are being passed through the switch/router on your network.

http://wiki.wireshark.org/CaptureSetup/Ethernet
You could also check the logs on your switch or router to see if any unusual activities appeared yesterday from an unknown IP.
Disconnect the suspect machine, and get a professional security firm to investigate. There isn't much you can do yourself being untrained. If it's still going on, set up a SPAN port, or mirror port, and get Wireshark to capture the data from that machine. A SPAN/mirror port is a way to send all traffic in/out of one port to another for analysis; it does not affect the connection and is unseen by the machine you are investigating.
Security firms you may want to contact:
Mandiant https://www.mandiant.com/services/forensics-support/
CrowdStrike http://services.crowdstrike.com/contact/index.html
Maybe find someone more local to you.
-rich
You cannot see the past over the network, especially traffic-based, if you don't have any log system in your network. If the suspected machine is Windows, you may try to find the last-file-accessed log. You can try to guess which ones were read by nearest time.

Usually a security firm can find just what I told for the past. Mostly they will recommend prevention systems for the future.
ASKER CERTIFIED SOLUTION
btan

Test for the Poweliks virus using RogueKiller (or RogueKiller64), as I have seen this same issue recently. ComboFix is the fastest way to clean the system if RogueKiller detects it over and over but never successfully cleans.
You can try TDSSKiller and MalwareBytes Anti-Rootkit, but importantly it is to isolate the affected, find the IOC (indicator of compromise) and assess the damage for recovery concurrently. The security firms suggested by Richrumble are also good, and I'd like to add CO3 too (https://www.co3sys.com/emergency-response). Mandiant also has a couple of handy IOC toolkits, such as IOCfinder (http://www.mandiant.com/resources/download/ioc-finder/), and has Redline & OpenIOC to Build Effective Indicators (https://www.mandiant.com/blog/redline-openioc-build-effective-indicators/) - overall to help in dissecting the cyber kill chain.