Hackers Guide to Being Hacked: How "Bad Guys" Take Control, and How to Take it Back.
Tags: hacked, hackers, security, recovery, repair, attack
I've found an interesting blog about preventing/detecting an attack. So let's blog it, you never know when this will come in handy...
How to Recover from an Attack.
Find the Affected Machine(s).
In some cases, like the website hijack or the "attack page" example, you'll know which machine has been affected. In most cases, however, you're going to have to find it.
The most widely available tool for figuring out which computer has been compromised is netstat. Netstat lists the listening sockets and all the incoming and outgoing connections on a computer, and ships with Linux, Windows, and Mac. Two caveats: on current Linux systems netstat is deprecated in favour of ss (ss -tan shows the same information), and a kernel rootkit can hide connections from either tool, so a clean-looking listing is not proof of a clean machine.
Methodically check all the computers in your network using one of the netstat commands below:
Windows
netstat -an | find "ESTABLISHED"
Mac / Linux
netstat -an | grep ESTABLISHED
This command will show you all the established connections on the computer. The compromised machine usually stands out because its list is dominated by connections to a single destination port. For example, a Linux server infested with an SSH scanner (a script that breaks into your network, then tries to break into everyone else's) will have tons of connections to other networks with a destination port of 22.
A spam relay will have tons of connections to everywhere with a destination port of 25.
An FTP brute force attacker will have tons of connections to destination port 21.
...and so on.
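The pattern described above (one machine fanning out to the same destination port) is easy to spot by counting rather than by eyeballing. The script below is an added example, not part of the original post: it takes plain netstat -an output, tallies ESTABLISHED connections by remote port, and flags any port with more connections than a threshold. The two sample listings are constructed for the example, not captured data; the addresses come from documentation ranges.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise ESTABLISHED connections by
# remote port so that a host fanning out to one port (22, 25, 21, ...) stands out.
# Feed it plain `netstat -an` output. The foreign address is always the field just
# before the state on Linux, Windows and macOS, and the port is whatever follows the
# last ':' (Linux/Windows) or '.' (macOS), so one awk rule handles all three formats.
# Do not pipe in `netstat -ano` output: the trailing PID column would become $NF.

top_remote_ports() {
  awk '$NF == "ESTABLISHED" {
         n = split($(NF-1), a, /[:.]/)   # last piece is the remote port
         print a[n]
       }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print "suspect: ..." for any remote port with more than $1 established connections (default 3).
flag_fanout() {
  top_remote_ports | awk -v t="${1:-3}" '$1 + 0 > t + 0 {
    print "suspect: " $1 " connections to remote port " $2
  }'
}

# Constructed sample resembling Linux `netstat -an` on a box running an SSH scanner.
LINUX_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.5:50122       ESTABLISHED
tcp        0      0 192.168.1.10:41002      203.0.113.7:22          ESTABLISHED
tcp        0      0 192.168.1.10:41003      203.0.113.8:22          ESTABLISHED
tcp        0      0 192.168.1.10:41004      203.0.113.9:22          ESTABLISHED
tcp        0      0 192.168.1.10:41005      203.0.113.10:22         ESTABLISHED
tcp        0      0 192.168.1.10:53120      198.51.100.20:443       ESTABLISHED
tcp6       0      0 ::1:631                 ::1:48210               ESTABLISHED'

# Constructed sample in Windows `netstat -an` layout: a spam relay fanning out on port 25.
WINDOWS_SAMPLE='Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49152     203.0.113.40:25        ESTABLISHED
  TCP    192.168.1.20:49153     203.0.113.41:25        ESTABLISHED
  TCP    192.168.1.20:49154     203.0.113.42:25        ESTABLISHED
  TCP    192.168.1.20:49155     203.0.113.43:25        ESTABLISHED
  TCP    192.168.1.20:49160     198.51.100.20:80       ESTABLISHED'

# On a live host: netstat -an | top_remote_ports     (or: netstat -an | flag_fanout 10)
printf '%s\n' "$LINUX_SAMPLE"   | flag_fanout
printf '%s\n' "$WINDOWS_SAMPLE" | flag_fanout
```

Pick the threshold to suit the host: a mail server legitimately holds many port-25 connections, a workstation does not, so run the check against each machine's normal baseline rather than one fixed number.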
When you find a machine that you suspect has been infected, run the same command again, only this time leave out the -n switch so that netstat resolves addresses to hostnames:
Windows
netstat -a | find "ESTABLISHED"
Mac / Linux
netstat -a | grep ESTABLISHED
This makes netstat resolve the IP addresses previously shown to their reverse DNS (rDNS) names, which usually reveal the hosting provider and often the country. We're looking for a dead giveaway here: connections to foreign countries. When you see 17 connections to Romania, Russia, Taiwan or some other foreign country, and you are not in that country, that is a very strong sign. Keep in mind that the lookups are slow (netstat may look hung for a while), that rDNS records are written by whoever owns the address block and can be missing or misleading, and that the unresolved -n listing is the one to keep as evidence.
Lastly, run netstat a final time to find the offending processes:
Windows
netstat -ao | find "ESTABLISHED"
Linux
netstat -ap | grep ESTABLISHED
On Windows, -o adds the process ID (PID) of the owner of each connection; map it to an executable with tasklist /fi "PID eq <pid>". On Linux, -p shows the PID and program name, but only for your own processes unless you run it as root. On Mac, -p selects a protocol rather than a process, so the Linux command does not work there; use lsof -i | grep ESTABLISHED instead, which lists the command name and PID next to each connection.
Write down the offending processes and their PIDs. We'll need this list later.
Blockade your Network.
By now, you should have already downloaded m0n0wall - as I mentioned, you should have a firewall in the prevention steps. A hardware firewall is your best friend in mitigating the effects of a hack attack. While we originally implemented a hardware firewall to keep bad guys out, if you've been compromised, you have a duty to mitigate the damage you are doing by keeping the probes, scans, spam, and other garbage in.
Turn on the outbound firewall, and set it to disallow all outbound traffic except traffic with a destination port of 80 or 443, plus DNS (port 53) to your resolver, because without name resolution the web access you are trying to preserve will not work either. This allows you to keep surfing the web and access secure sites to get more help and information to recover from the attack, but it keeps all the spam (destination port 25), port scans (many different ports), DoS attacks (ICMP floods, which have no port, so block outbound ICMP as well), BotNets (usually IRC ports), and other nasty stuff from being able to leave your network, which renders them effectively useless to the attacker. Log the blocked outbound traffic: the log tells you which internal hosts are still trying to get out, and on which ports. Treat this as containment rather than a cure; a lot of malware talks to its controller over port 80 or 443 precisely because those are left open, so the compromised machine still needs to come off the network and be cleaned.
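The same egress policy, written out so that every allowed and denied class of traffic is visible, is shown below as an added example. It is not m0n0wall configuration and not part of the original post: it expresses the policy as iptables rules for a Linux box acting as the LAN gateway. LAN_IF and RESOLVER are assumptions to be set for your own network, and the script prints the rules instead of applying them unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not part of the original post and not m0n0wall configuration: the
# "nothing leaves the LAN except web traffic, and we log what tries to" policy as
# iptables rules for a Linux gateway. LAN_IF and RESOLVER are assumptions.
# Rules are printed by default and only applied to the kernel when APPLY=1.

LAN_IF=${LAN_IF:-eth1}              # assumed LAN-facing interface
RESOLVER=${RESOLVER:-192.168.1.1}   # assumed DNS server clients are allowed to reach

run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

egress_rules() {
  # Replies to connections already permitted keep flowing.
  run iptables -A FORWARD -i "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Web browsing stays up so you can fetch tools and advice...
  run iptables -A FORWARD -i "$LAN_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT
  # ...which needs name resolution too; a pure 80/443 allow-list silently breaks browsing.
  run iptables -A FORWARD -i "$LAN_IF" -d "$RESOLVER" -p udp --dport 53 -j ACCEPT
  run iptables -A FORWARD -i "$LAN_IF" -d "$RESOLVER" -p tcp --dport 53 -j ACCEPT
  # Log what still tries to leave (rate-limited): the log points straight at the
  # infected hosts and the ports their malware wants (25 for spam, 6667 for IRC, ...).
  run iptables -A FORWARD -i "$LAN_IF" -m limit --limit 10/min -j LOG --log-prefix "EGRESS-DROP: "
  # Default deny covers spam, scans, IRC control channels and ICMP floods alike.
  run iptables -P FORWARD DROP
}

# Number of ACCEPT rules the policy emits, for a quick sanity check of the allow-list.
accept_count() {
  egress_rules | grep -c -- '-j ACCEPT'
}

egress_rules
```

Run it once without APPLY to read the rules, then with APPLY=1 on the gateway. Because the ACCEPT rules are appended before the policy is switched to DROP, existing allowed traffic is never cut off mid-way, and the LOG rule sits last so only traffic that is about to be dropped is recorded.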