Dealing with Windows break-ins
Note: This information is provided to help people whose machines are not supported by SCS Facilities, and who are dealing with a host that has been broken into. If your machine is supported by SCS Facilities and has been broken into, send mail to firstname.lastname@example.org or call the SCS Help Desk (x8-4231; M-F, 9-5) and somebody from Facilities will fix your machine.
Detecting a break-in
Dealing with a break-in (by a person) is a bit different from dealing with an infection by a worm or virus since an intruder may have made multiple, unpredictable changes. If an intruder is sufficiently clever, you will not, under normal circumstances, be able to detect that your machine has been broken into. Fortunately, most intruders are not that clever. Some signs that your host may have been broken into are:
- Unexpected file-system activity, such as having much less free disk space than anticipated, the appearance of strange files, and so on.
- Strange processes appearing in the task manager (note that there are ways to hide processes from appearing in the task manager).
- Things listening on non-standard ports. You can run netstat -aon on Windows XP hosts to see which processes are listening on ports. However, note that it is possible for a rootkit to hide such processes.
- Complaints about unexpected or hostile network activity involving your machine.
- Unexpected accounts or shares being created on your machine. For example, a guest account that is in the Administrators group or the C drive being shared.
- Your anti-virus software complaining about a back-door trojan that was found on your system.
If you do find out that your machine has been broken into, you should contact SCS Facilities if the machine is a SCS host or on the SCS network and let us know about the break-in. If the host is maintained by us, we will fix it. If the machine is not maintained by SCS Facilities, then you have two choices:
- Re-install it: Re-installation is the safest thing to do in case of a break-in, since it can be extremely difficult to clean up a host. Be very sure to back up your data (but not executables) before re-formatting and re-installing your operating system. All files that are copied to the re-installed host should be scanned with up-to-date anti-virus software. Be sure to apply all necessary patches to the re-installed host immediately after installation.
- Try to fix your machine: Trying to fix your machine (as opposed to reformatting and re-installing) is not recommended, since you can usually never be sure that you removed all backdoors left behind by the intruder.
Note that it is possible that an intruder will have installed software on your PC that can sniff your keystrokes. For that reason, you should change all passwords that you may have typed on your PC since the break-in. An intruder may also have stolen any hashed passwords stored on your PC and could subject them to an off-line attack. You should change any local passwords, such as the local Administrator password, that might be stored on your PC.
Cleaning up a hacked or infected PC
This information is provided as a service to people in the SCS community who are dealing with a non-supported PC that has been hacked. SCS Facilities takes NO responsibility for data loss or other problems that may result from using this information, and can provide little or no assistance in fixing non-supported PCs.
If somebody has broken into your PC, you should expect that they will have done one or more of the following:
- Installed specialized software, in order to provide a backdoor into your system or remotely control your system
- Modified system settings and/or account information to provide additional ways to break into your system.
- Installed other software, such as a keystroke sniffer, warez server software, denial of service tools, etc.
They may also have installed more sophisticated software, such as a Windows rootkit. Such software will very likely not be detected by the procedures described here, which is why re-installation is the safest choice.
The basic cleanup procedure is divided into several parts:
- Kill/remove running programs and services that were installed by the intruder.
- Remove files that the intruder modified or installed.
- Check for backdoor startup programs.
- Remove configuration-based backdoors.
- Patch the system.
- Cross your fingers and be alert for signs of another break-in.
Whenever possible, these steps should be done while the machine is disconnected from the network, so that an intruder isn't modifying files as you are working on cleaning things up.
Some useful tools and reference sites
The list below has pointers to some tools and sites that are useful for cleaning up hacked hosts.
Note: None of the tools listed below are maintained by SCS Facilities. Use at your own risk.
- Sysinternals tools (from Microsoft)
- A large collection of tools for finding out what's happening on a PC. Some tools of particular interest: TCPView, AutoRuns, Process Explorer and RootkitRevealer.
- Scans your PC for settings that are commonly changed by malware. Note: This tool allows you to easily change/remove settings in ways that can break your PC. Be careful when making changes to your PC with this tool.
- Searchable database of system startup entries and CLSIDs (used by browser helper objects).
- Information about Windows startup programs.
- Searchable mirror of the pacs-portal Windows startup information
- CLSID/BHO list
Identify services and backdoors
As a first step in cleaning up your system, you should run an up-to-date virus checker and scan all files on your PC. This will catch many backdoors, but will not catch processes such as FTP servers and some other backdoors that the intruder may have installed. You should also run a program that lists open ports and associated processes (several such tools are listed above). Nuke everything that shouldn't be there. If you are in doubt about whether a process is legitimate, see one of the reference sites listed above (though it's still possible that the actual Windows binary on the PC has been replaced or modified).
Remove files that the intruder modified or installed
If you have an idea when your PC was broken into, you should do a search for all files (be sure to include hidden files in your search) that have been created or modified since around the time of the break-in. In many cases, files will be hidden in places like the Recycler folder, or given names that are similar to or the same as legitimate Windows files. You should also be aware that intruders may use NTFS streams to hide data. You should remove files that are obviously left behind by the intruder (such as warez distribution directories). Some files may have names (such as "LPT1") that make them difficult to remove. See Microsoft knowledge base article 120716 for information on removing these files in Windows NT and 2000, and MS KB article 315226 for information on how to remove these files in Windows XP.
In Windows 2000 and XP, you can run sigverif.exe from a command shell to check for system files that are not digitally signed by Microsoft (though be aware that there are ways that an intruder can circumvent this verification).
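The file search, NTFS stream check and signature check described above can be scripted on a current Windows system. The script below is an added example written for this page, not SCS Facilities code; it assumes Windows PowerShell 5.1 or newer on Windows 10 / Server 2016 or later, an elevated prompt, and a break-in date ($since) and scan roots that are placeholders to replace with your own. It only reports; it deletes nothing.

```powershell
# Added example (not SCS Facilities code). Assumes Windows PowerShell 5.1+ on
# Windows 10 / Server 2016 or later, run elevated. Review-only: nothing is removed.

function Get-RecentFiles {
    # Files created or modified on or after $Since. -Force includes hidden and system
    # files; unreadable directories are skipped instead of aborting the scan.
    param([string]$Root = 'C:\', [datetime]$Since)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
        Select-Object FullName, Length, CreationTime, LastWriteTime, Attributes
}

function Get-AlternateStreams {
    # Named NTFS streams other than the default :$DATA. Zone.Identifier is the normal
    # "downloaded from the Internet" marker and is filtered out; anything else is shown.
    param([string]$Root = 'C:\Users')
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
        } |
        Select-Object FileName, Stream, Length
}

function Get-UnsignedSystemFiles {
    # A rough counterpart of sigverif.exe: executables in System32 whose Authenticode
    # check does not come back Valid. On Windows 10 / PowerShell 5.1 and later this
    # also honours catalog signatures, so most Microsoft binaries report Valid.
    # As the page notes, a careful intruder can defeat this kind of check.
    param([string]$Dir = (Join-Path $env:SystemRoot 'System32'))
    Get-ChildItem -LiteralPath $Dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue } |
        Where-Object { $_ -and $_.Status -ne 'Valid' } |
        Select-Object Path, Status, StatusMessage
}

# Placeholder date: replace with your best estimate of when the break-in happened.
$since = Get-Date '2024-01-15'
Get-RecentFiles -Root 'C:\' -Since $since | Sort-Object LastWriteTime | Format-Table -AutoSize
# The Recycler folder of older Windows is C:\$Recycle.Bin on current versions; it and
# the user profiles are the usual hiding places, so stream-scan those first.
Get-AlternateStreams -Root 'C:\$Recycle.Bin' | Format-Table -AutoSize
Get-AlternateStreams -Root 'C:\Users' | Format-Table -AutoSize
Get-UnsignedSystemFiles | Format-Table -AutoSize
```

Timestamps are only a hint: an intruder can reset them, so treat the recent-files list as a starting point for the manual review the page describes, not as proof that unlisted files are clean.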
Check for startup programs
One of the things intruders are likely to do is to make sure that programs that they installed will run after a reboot. To do this, they will install backdoors as services (which you should already have cleaned up in step 1), schedule them as "at jobs", or add them to the list of programs that start at boot, when a user logs in, or in response to other system events. To check for at jobs, type "at" at a command prompt. There are numerous folders and registry keys that will need to be checked to detect the various other ways that programs can be started, depending on your version of Windows. To list startup programs, run msconfig.exe or use (for example) the AutoRuns program from Sysinternals (listed in the tools section above).
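The service review from "Identify services and backdoors" and the startup-program review in this section can be combined into one report on a current Windows system. The script below is an added example for this page, not SCS Facilities code and not a substitute for AutoRuns; it assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later, run elevated, and covers services, the Run/RunOnce registry keys and scheduled tasks (the successor to "at" jobs). It only reports; it removes nothing.

```powershell
# Added example (not SCS Facilities code). Assumes Windows 10 / Server 2016 or later with
# Windows PowerShell 5.1, run from an elevated prompt. It only reports; it deletes nothing.

$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExecutablePath {
    # Extract the binary from a service or Run-key command line, e.g.
    #   "C:\Program Files\Foo\svc.exe" -k foo        ->  C:\Program Files\Foo\svc.exe
    #   %SystemRoot%\system32\svchost.exe -k netsvcs ->  C:\Windows\system32\svchost.exe
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $path = if ($end -gt 1) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
    } elseif ($cmd -match '^(?<p>.+?\.(exe|dll|sys|cmd|bat|vbs|ps1))(\s|$)') {
        $path = $Matches.p
    } else {
        $path = ($cmd -split '\s+')[0]
    }
    # Some entries use paths relative to the Windows directory; bare names that live
    # elsewhere will show up as 'missing' and should simply be reviewed by hand.
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    return $path
}

function Get-SignatureStatus {
    # Authenticode status of a file; 'missing' means the path does not exist on disk.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    if (-not $sig) { return 'unknown' }
    if ($sig.Status -eq 'Valid') { return 'Valid: ' + $sig.SignerCertificate.Subject }
    return [string]$sig.Status
}

function New-Finding {
    param($Kind, $Name, $Mode, $CommandLine)
    $path = Get-ExecutablePath $CommandLine
    [PSCustomObject]@{
        Kind = $Kind; Name = $Name; Mode = $Mode; Path = $path
        Signature = Get-SignatureStatus $path
    }
}

function Get-PersistenceFindings {
    # Services, Run/RunOnce keys and non-Microsoft scheduled tasks. Entries whose
    # binary is unsigned, missing, or outside Windows / Program Files are listed.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $all = @()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $all += New-Finding 'Service' $svc.Name $svc.StartMode $svc.PathName
    }
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $ProviderProps) { continue }   # registry provider metadata, not values
            $all += New-Finding 'RunKey' "$key\$($p.Name)" 'logon' $p.Value
        }
    }
    foreach ($task in Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }) {
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }
            $all += New-Finding 'Task' "$($task.TaskPath)$($task.TaskName)" $task.State "$($a.Execute) $($a.Arguments)"
        }
    }
    $all | Where-Object {
        $_.Signature -notlike 'Valid:*' -or
        $_.Path -notmatch '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\'
    }
}

Get-PersistenceFindings | Format-Table -AutoSize -Wrap
```

A valid signature only tells you the binary is what its publisher shipped, not that it belongs on this machine; compare the list against a known-good host of the same build where you can, and remember that a rootkit can hide entries from every one of these views.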
Check for configuration-based backdoors
Among the common things that an intruder may do in order to ensure continued access to a system are:
- Enabling the Guest account and adding it to the administrators group.
- Creating another local account in the administrators group.
- Changing account passwords.
- Opening up the C: or other drives for sharing.
- Adding trojan CGI scripts (such as adding a renamed cmd.exe to the IIS scripts directory) to web servers in order to allow remote command execution.
- Modifying SQL server accounts or stored procedures.
After a break-in, you should check the machine's shares and accounts. Make sure that all accounts have good passwords. If you are running a Web server and/or SQL server, you will need to carefully look at their configuration to make sure the intruder has not left behind a backdoor. The Microsoft Baseline Security Analyzer can help identify some basic security misconfigurations, but it will not identify all problems nor many of the backdoors that an intruder may have installed.
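The configuration checks above (Guest enabled, extra members of Administrators, changed passwords, shared drives) and the "things listening on non-standard ports" sign from the detection list can be gathered in one pass. The script below is an added example for this page, not SCS Facilities code; it assumes Windows 10 / Server 2016 or later with Windows PowerShell 5.1, an elevated prompt, and a 30-day look-back window that is a placeholder for the actual break-in date. It only reports; it changes nothing.

```powershell
# Added example (not SCS Facilities code). Assumes Windows 10 / Server 2016 or later,
# Windows PowerShell 5.1, run from an elevated prompt. Review-only: it changes nothing.

function Get-ListeningProcess {
    # Every TCP listener mapped to its owning process and binary, i.e. "netstat -aon"
    # plus a process lookup. A rootkit can hide from this view, so a clean result
    # means "nothing obvious", not "nothing there".
    foreach ($conn in Get-NetTCPConnection -State Listen) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            LocalAddress = $conn.LocalAddress
            LocalPort    = $conn.LocalPort
            PID          = $conn.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            Path         = if ($proc) { $proc.Path } else { $null }
        }
    }
}

function Get-AccountFindings {
    # Account-level backdoors the page lists: an enabled Guest, unexpected members
    # of Administrators, and passwords changed inside the look-back window.
    param([datetime]$Since = (Get-Date).AddDays(-30))   # placeholder window
    $findings = @()
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    if ($guest -and $guest.Enabled) {
        $findings += [PSCustomObject]@{ Check = 'Guest enabled'; Detail = 'Guest account is enabled' }
    }
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        # The built-in Administrator and Domain Admins are expected; anyone else
        # should be explainable by whoever owns the machine.
        if ($m.Name -notmatch '\\(Administrator|Domain Admins)$') {
            $findings += [PSCustomObject]@{ Check = 'Admin member'; Detail = "$($m.Name) ($($m.PrincipalSource))" }
        }
    }
    foreach ($u in Get-LocalUser) {
        if ($u.PasswordLastSet -and $u.PasswordLastSet -ge $Since) {
            $findings += [PSCustomObject]@{ Check = 'Password changed'; Detail = "$($u.Name) at $($u.PasswordLastSet)" }
        }
    }
    $findings
}

function Get-ShareFindings {
    # Any share that is not one of the default administrative shares, or that grants
    # Everyone access, with a flag for shares that expose a whole drive.
    foreach ($share in Get-SmbShare) {
        $isDefault = $share.Name -match '^([A-Z]\$|ADMIN\$|IPC\$)$'
        $everyone  = Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue |
                     Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
        if (-not $isDefault -or $everyone) {
            [PSCustomObject]@{
                Share       = $share.Name
                Path        = $share.Path
                DriveRoot   = [bool]($share.Path -match '^[A-Za-z]:\\?$')
                EveryoneHas = ($everyone | ForEach-Object { $_.AccessRight }) -join ','
            }
        }
    }
}

# Run on the machine itself, ideally with it disconnected from the network as the page advises.
Get-ListeningProcess | Sort-Object LocalPort | Format-Table -AutoSize
Get-AccountFindings  | Format-Table -AutoSize
Get-ShareFindings    | Format-Table -AutoSize
```

Save the output to removable media before cleaning up: a second run after the cleanup, and again a few days later, is the port and account monitoring the last section of this page asks for, and a diff between runs is far easier to read than a fresh listing.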
Patch your system
At this point, you should have cleaned up all obvious backdoors and security holes. The two questions that need to be addressed at this point (if you haven't already done so), are:
- How did the intruder break in to your PC?
- How can future break-ins be prevented?
Sometimes, as in the case of an IIS worm, it will be obvious how the intruder broke in; other times (e.g. "Was the C: drive shared before or after the break-in?") it won't be so obvious. In either case, you will need to make sure that all patches are applied to your system. It's recommended that you run the Microsoft Baseline Security Analyzer to identify needed patches and other possible configuration problems. If you are running IIS, see our page on running Windows services for some pointers to secure your IIS installation.
Cross your fingers
After a break-in, unless you re-install, you can never be 100% sure that you've cleaned up all backdoors left by an intruder. After you think you've cleaned up the system, you should keep an eye out for any strange behavior. This means periodically checking with Vision or some other port monitoring tool to make sure that a backdoor isn't listening on some port. Also, keep an eye on the security logs (you may wish to turn on some amount of auditing if you haven't already done so), and watch out for any changes in accounts or sharing status.