Have I Been Hacked

Posted on 2014-10-18
Last Modified: 2014-10-22
I look after an SMB network.

Yesterday all users were complaining of a very slow internet connection (it's already slow at 5Mbps). In fact browser pages were timing out, so we suspected loss of internet. On checking the router it showed as connected, and our service provider was able to confirm the connection and also told us there was traffic both ways, yet no user was able to access the internet - emails were queuing too.

This sent panic through management who concluded that the system had been hacked and that all files were being "stolen".

Is it possible to check retrospectively what that traffic may have been? Our router is a Zyxel P600, which doesn't log anything. We have an SBS 2008 server that acts as DNS, and Trend Micro Security AV and firewall.

Question by:Gordon710
LVL 13

Expert Comment

ID: 40388652
A good tool to investigate if this is the case is Wireshark; with the use of port mirroring it can tell you what packets are being passed through the switch/router on your network.
You could also check the logs on your switch or router to see if any unusual activities appeared yesterday from an unknown IP.
LVL 38

Expert Comment

by:Rich Rumble
ID: 40388662
Disconnect the suspect machine, and get a professional security firm to investigate. There isn't much you can do yourself being untrained. If it's still going on, setup a span port, or mirror port, and get wireshark to capture the data from that machine. A span/mirror port is a way to send all traffic in/out of one port to another for analysis, it does not affect the connection and is unseen by the machine you are investigating.
Security firms you may want to contact:
Maybe find someone more local to you.
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 40388687
You cannot see the past over the network, especially traffic-based, if you don't have any log system in your network. If the suspected machine is on Windows you may try to find the last-file-accessed log. You can try to guess which ones were read at the nearest time.

Usually a security firm can find just what I told for the past. Mostly they will recommend prevention systems for the future.
LVL 64

Accepted Solution

btan earned 500 total points
ID: 40388698
The key thing to know is to isolate and make sure the backdoor is closed, as the adversary can have another wave back:
- change the login credentials (esp. the privileged accounts),
- check the exploited server running the critical services, including the dump server which stores the "stolen" artefacts.

Gather whatever security logs from the endpoint, network and server HIPS like the Trend Micro suite - likely the alert may exist if it is a known signature, else it has bypassed these s/w. But see if there are triggers of
- unintended and unauthorized disclosure of information
- unauthorized use of a system to process, store, or transmit data
- changes to system hardware, firmware, or software characteristics without the knowledge or consent of you or of the asset owner
- unusual system resource usage lifecycle, status and errors reported by systems and hardware devices, file system warnings (low free space, too many open files, file exceeding allocated size)
- presence of new services and devices, actions requiring special privileges

Other logs can include application- and service-specific information such as network traffic (packet content), mail logs, FTP logs, web server logs, modem logs, firewall logs, SNMP logs, DNS logs, intrusion detection system logs, database management system logs.

Some anomalous activities to watch on the wire can include
- some exfiltration traffic to get this "loot" out, so look for odd hours or connections made at unusual times,
- unusually high outbound ports, a surge in traffic payload,
- unexpected changes in network performance such as variations in traffic load at specified times, and it can be hogging transactions and eating the bandwidth,
- brute force attempts, which can include attempts (either failed or successful) to gain unauthorized access to a system or its data, and repeated, failed connection attempts
- beacons to a certain "country" that has no dealings with the business, or traffic coming from or going to unexpected locations
- non-legit attempts such as remote access or IRC attempts, unwanted disruption or denial of service, unauthorized scans and probes
- non-standard or malformed packets (protocol violations), which can also include multiple secure short-lived channels that can be non-SSL-standard based

Likewise, to prevent the after-effects spreading
- stop any use of USB drives or external drives, and check and scan them for any malware, as it may also attempt to infect the drive if plugged into the infected machine.
- check on unauthorised s/w such as remote access tools (RAT), psexec, etc. The key is to find any hacking or equivalent tools that are beyond the normal administrative toolkit that the business is using for maintenance, upgrading or daily routine.

Please do keep the customer informed when the threat is remediated, and focus on forming the team to handle the external and internal comms - note if there are any mandatory legal notification periods to adhere to and alert as well.
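The "watch on the wire" list above can be turned into a first-pass triage script once some connection log exists (the router in the question keeps none, so a mirror port capture or firewall export would have to supply it). This is an added example, not code from the accepted answer; the log format, business hours and expected-port set are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample firewall/flow log (not from the original post). Fields per line:
# date, time, source IP, destination IP, destination port, bytes sent, result.
SAMPLE_LOG = """\
2014-10-17 02:15:00 192.168.1.20 203.0.113.9 4444 5200000 ok
2014-10-17 02:45:00 192.168.1.20 203.0.113.9 4444 4800000 ok
2014-10-17 03:15:00 192.168.1.20 203.0.113.9 4444 5100000 ok
2014-10-17 09:00:00 192.168.1.31 198.51.100.5 443 12000 ok
2014-10-17 09:01:00 192.168.1.42 192.168.1.2 3389 0 fail
2014-10-17 09:01:02 192.168.1.42 192.168.1.2 3389 0 fail
2014-10-17 09:01:05 192.168.1.42 192.168.1.2 3389 0 fail
2014-10-17 09:01:06 192.168.1.42 192.168.1.2 3389 0 fail
2014-10-17 09:01:10 192.168.1.42 192.168.1.2 3389 0 fail
"""
BUSINESS_HOURS = range(7, 20)                 # assumed office hours, 07:00-19:59
EXPECTED_PORTS = {25, 53, 80, 443, 993, 995}  # assumed normal outbound ports for this business

def find_anomalies(log, fail_threshold=5, fail_window_s=60, big_transfer=1_000_000):
    """Return a set of (kind, src, dst) tuples for the traffic patterns listed in the answer."""
    hits, flows, fails = set(), defaultdict(list), defaultdict(list)
    for line in log.splitlines():
        day, clock, src, dst, port, nbytes, result = line.split()
        t = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        flows[(src, dst)].append(t)
        if t.hour not in BUSINESS_HOURS:                       # connections at odd hours
            hits.add(("odd_hours", src, dst))
        if int(port) not in EXPECTED_PORTS and int(nbytes) >= big_transfer:
            hits.add(("large_transfer_unusual_port", src, dst))  # possible exfiltration
        if result != "ok":
            fails[(src, dst, port)].append(t)
    for (src, dst, _), ts in fails.items():                    # repeated failed connections
        ts.sort()
        if any((ts[i + fail_threshold - 1] - ts[i]).total_seconds() <= fail_window_s
               for i in range(len(ts) - fail_threshold + 1)):
            hits.add(("brute_force", src, dst))
    for (src, dst), ts in flows.items():                       # evenly spaced "beacon" traffic
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(gaps) >= 2 and min(gaps) > 0 and pstdev(gaps) <= 0.1 * sum(gaps) / len(gaps):
            hits.add(("beacon", src, dst))
    return hits

if __name__ == "__main__":
    for kind, src, dst in sorted(find_anomalies(SAMPLE_LOG)):
        print(f"{kind:28} {src} -> {dst}")
```

Each hit is a lead to pull the host for a closer look, not a verdict; the thresholds are starting points to tune against the network's own baseline.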

Expert Comment

by:Jason Johanknecht
ID: 40388771
Test for the Poweliks virus using RogueKiller (or RogueKiller64), as I have seen this same issue recently. Combofix is the fastest way to clean the system if RogueKiller detects over and over but never successfully cleans.
LVL 64

Expert Comment

ID: 40389493
You can try TDSSKiller and MalwareBytes Anti-Rootkit, but importantly it is to isolate the affected, find the IOC (indicator of compromise) and assess the damage for recovery concurrently. The security firms suggested by Richrumble are also good, and I'd like to add CO3 too. Mandiant also has a couple of handy IOC toolkits, such as IOCfinder, and has Redline & OpenIOC to build effective indicators - overall to help in dissecting the cyber kill chain.
