51 Comments
- jafojsharp, on 10/12/2007, -0/+2
I know that number 1 should be pull the network cord out of the NIC right away. Of course, maybe that requires too much common sense. I don't care to track them at that point. I just want them off the box first.
- vonskippy, on 10/12/2007, -0/+1
Gosh Mr. Obvious - what's next?
Stupid Article - doubtful the author has done anything more than read about these procedures in somebody else's "learn security in 24 hours" book.
- d03boy, on 10/12/2007, -0/+1
Who wrote this horrible article?
"Shut down the computer."
Servers almost never get shut down. So when one does get shut down, you know something is wrong. The hacker installs shutdown scripts to erase the hard drive when you shut down... this is why you should simply unplug the computer. No scripts can be run and you can make a bit by bit backup using another computer.
- elrawtic, on 10/12/2007, -0/+1
If you are finding out that you have been hacked after the crime has been committed, then it is most likely too late.
- alpha-male, on 10/12/2007, -0/+1
If you are a network admin and your network gets hacked, is it wise to tell the stakeholders right away? I think the chances are great that you'll be looking for a new job. In their eyes it was your job to keep this from happening, therefore you are part of the reason the system was hacked. Sadly that is how management views things. When security is breached, the first reaction is to fire the security admin.
- docxxvi, on 10/12/2007, -0/+0
Hmmm... am I missing something or is this just common sense?
Don't get me wrong - good article - but one has to wonder why people need to be told, retold and continually told again about basic security procedures...
Maybe I'm just a whinger.
- capajc, on 10/12/2007, -0/+0
Re: the last item, why wouldn't law enforcement get involved if a company is attacked?
And I've seen the opposite: if it's a truly good security team with properly reviewed procedures and policies in place, management will back them up. It's the "cowboy freestyle" seat-of-their-pants idiot security managers who do (and should) get fired. But then, they should've been fired _anyway_, regardless of whether there was a breach.
- Bluezdood, on 10/12/2007, -0/+0
Good article. Dugg
- muffinresearch, on 10/12/2007, -0/+0
When I read the title I seriously thought it was going to be a list like:
1. Go for a beer
2. Watch old VHS copies of Northern Exposure
3. Order take out
etc.....
- TheKillDoctor, on 10/12/2007, -0/+0
One would think that #1 or #2 would be disconnect the affected machine from the network.
- aspirinetu, on 10/12/2007, -0/+0
php-nuke... mmmh... not a great way to avoid hacks...
- lwdallas, on 10/12/2007, -0/+0
This is the lamest article I have ever read on security.
No useful information. No Digg.
- inactive, on 10/12/2007, -0/+0
Some jackass in Portugal hacked my php-nuke website. I ended up opening the mysql db manually and found his email. After googling his email I found out quite a bit about the guy who did it (he participated in quite a few online forums). I sent him a kind email telling him he proved his point and please don't do it again. He never did it again.
- alpha-male, on 10/12/2007, -0/+0
RE: "And I've seen the opposite: if it's a truly good security team with properly reviewed procedures and policies in place, management will back them up."
I guess it all goes by your definition of a truly good security team. One that gets hacked often, seldom, or never.
- rolypolyman, on 10/12/2007, -0/+0
"11. Know when to quit. -- Sometimes law enforcement won't get involved"
How about "NEVER", unless you're a heavily capitalized company.
- yesukai, on 10/12/2007, -0/+0
Yeah, I was expecting:
1. Format your hard drive gov style with 52 overwrites.
2. Start fabricating an alibi
3. Don't tell anyone
etc... then I realized it's from the other side of things. So it should read:
1. Have your IT guy restore everything to the backups you should have.
2. Fire your IT guy and hire one who will be a little more diligent with security
- MikeF74, on 10/12/2007, -0/+0
Wouldn't it be better to "Hibernate" the computer rather than shut it down? This would create a RAM snapshot that could be useful.
- Democritus2, on 10/12/2007, -0/+0
Companies don't tell.
A company whom we do one arm of business for had their other arm hacked. Then a virus-laden image was put on the website. Everyone who viewed the site with an unpatched MS OS was infected. They get a couple thousand unique hits a day. It was up for at least 3 days.
Their attitude? Get it off, and forget about it.
- kilmer, on 10/12/2007, -0/+0
@ jafojsharp
You're not necessarily right in your thinking on what number one should be. If the system that was hacked is critical to your company's infrastructure and they need it to keep the business going then that is not always possible to do.
Also, you already got hacked; how is unplugging the network cord going to stop what already happened? Maybe they will be stupid enough to come back and you can catch them then. The article said '11 Things to do after a hack' not '11 things to do during a hack'.
- Kman, on 10/12/2007, -0/+0
Things To Do After A Hack:
1. Post a story about it on Digg.com
- Veritas77, on 10/12/2007, -0/+0
#12 ***** IIS
#13 Install Linux
- Veritas77, on 10/12/2007, -0/+0
#14 Install Apache (that's important too :D)
- jafojsharp, on 10/12/2007, -0/+0
"If you are a network admin and your network gets hacked, is it wise to tell the stakeholders right away? I think the chances are great that you'll be looking for a new job. In their eyes it was your job to keep this from happening, therefore you are part of the reason the system was hacked. Sadly that is how management views things. When security is breached, the first reaction is to fire the security admin."
As a part-time, once full-time, IT consultant I can tell you that most clients have to stick their foot in their mouth respectfully, because I can usually show them that their lackadaisical, penny-wise, pound-foolish attitude is what got them into that predicament. I had a client with 4 PCs running un-firewalled through a corporate VPN, including the server!!!! We kept telling them that we needed to work on firewalling those VPNs before they were hacked. Guess what, they were hacked not once, but twice, and both times their data was lost. Then they finally got firewalled.
- phill, on 10/12/2007, -0/+0
1) Gather info about the system and what's running on the system.
2) Unplug the power, halting the system in its tracks.
3) Analyze your data about the hack.
4) Swap the hard drive or server with a spare.
5) Secure the system using the information from #3.
6) Continue to analyze the hacked HDD in another system as a slave HDD.
7) Bust that fool's head for cracking your box.
These are the steps I performed when I was hacked. I actually tracked the hacker to an IRC channel and talked with him. He broke into a DEV box that I had FTPd running on. During the analysis I found that my firewall was not blocking the NFS ports for my shares. So I fixed another hole in my network because of the hack. But since he was some kid in Romania, not much I could do about it anyway.
- RevFry, on 10/12/2007, -0/+0
Funny... I read the headline and thought it meant after a hacking session.
"After a long coding session with the gang you should:
1.) Go to Shari's
2.).....
"
- BarNone49, on 10/12/2007, -0/+0
Somewhere before shutdown you need to take a copy of physical RAM (before you do anything to the OS). You want to do this via tools on a USB key or something external. You do not want to hibernate the machine. There are also a lot more things that can be done before you shutdown or pull the plug.
Newbs and script kiddies are the only ones who write to the hard disk...
- caffeinated, on 10/12/2007, -0/+0
If you believe your environment has been compromised, you NEED to rebuild. You will never be able to determine with absolute certainty that you've removed/cleaned the payload.
- LabThug, on 10/12/2007, -0/+0
#12 is to hire me to go "take care" of the hacker :-D
- battybattybatt, on 10/12/2007, -0/+0
"Hmmm... am I missing something or is this just common sense?
Don't get me wrong - good article - but one has to wonder why people need to be told, retold and continually told again about basic security procedures...
Maybe I'm just a whinger.
posted by goatshed (0) at "
If you as an IT manager or employee are doing your jobs correctly, you are doing exactly this:
people need to be told, retold and continually told again about basic security procedures.
Part of the job.
- battybattybatt, on 10/12/2007, -0/+0
"...If you are a network admin and your network gets hacked, is it wise to tell the stakeholders right away? I think the chances are great that you'll be looking for a new job. In their eyes it was your job to keep this from happening, therefore you are part of the reason the system was hacked. Sadly that is how management views things. When security is breached, the first reaction is to fire the security admin.
posted by alpha-male (0) at ..."
If YOUR management really views it like that, then you shouldn't be there because you have obviously failed in educating them!
Also, you should get out of there anyway and find a company or school that KNOWS what is up or a group you can find that will listen and trust to learn from you!
- battybattybatt, on 10/12/2007, -0/+0
The dude is running a java script that loads in the BG and reports back to him your Router IP, your Gateway Mask, and your inside IP - not too cool.
- Democritus2, on 10/12/2007, -0/+0
"But since he was some kid in Romania, not much I could do about it anyway."
HAHAHAHA
Yeah, sure. Just like one day some IRC chatter told me they worked for the CIA, while they were chatting from a high school IP address. I was wondering what kind of person believes what others tell them on IRC. Guess I have my answer.
- battybattybatt, on 10/12/2007, -0/+0
"...#12 ***** IIS
#13 Install Linux
posted by Veritas77 (0) at 10:52 AM 1/27/06
#14 Install Apache (that's important too :D)
posted by Veritas77 (0) at 10:52 AM 1/27/06..."
And hopefully we will all see this moron coming!
- battybattybatt, on 10/12/2007, -0/+0
"...etc... then I realized it's from the other side of things. So it should read:
1. Have your IT guy restore everything to the backups you should have.
2. Fire your IT guy and hire one who will be a little more diligent with security
posted by yesukai (0) at 11..."
Those 2 are mutually exclusive in any company. And yet they are equal.
Having backups IS BEING DILIGENT. It is usually the BEST thing you can do - ESPECIALLY if you have a small IT dept!
- missindependent, on 10/12/2007, -0/+0
I thought this was a list of what to do to cover yourself after hacking someone. Um, I'm sad now, lol.
But I agree with those people who said this list is rather funny. The first thing you should do is shut down the system, then worry who did it. Don't rely on the law too much; if you know how, track & send the bastard a virus, hehe.
- Darkmoth, on 10/12/2007, -0/+0
"If you believe your environment has been compromised, you NEED to rebuild. You will never be able to determine with absolute certainty that you've removed/cleaned the payload."
QFT.
Unplug. Archive your logs. Format. Rebuild. Talk the CEO off the ledge.
THEN track the bastards down.
At one place I worked, we used to have an informal contest describing nasty payloads we'd leave if we were fired. Once the designs started incorporating random numbers, viral seeding, and intermittent failures (the hardest type to localize), it got too scary and we stopped.
- craterburnsu, on 10/12/2007, -0/+0
alpha-male: Not necessarily true. Usually a business will look at the cost to keep you and the cost to replace you. Think about it this way: everyone runs systems differently, has different passwords, etc. As an admin you have most of that information exclusively; if they fire you, the new admin will probably cost the same to have around, but the cost of the time it will take to get him settled will be enormous, redoing machine and server setups, etc.
In the end, it's all about Cost Vs Profit.
- FelixdaaHack, on 10/12/2007, -0/+0
"The dude is running a java script that loads in the BG and reports back to him your Router IP, your Gateway Mask, and your inside IP - not too cool." posted by battybattybatt (0)
Please enlighten us with your javascript skills... are you referring to a subnet mask?
***** Poser
- alpha-male, on 10/12/2007, -0/+0
craterburnsu:
"Not necessarily true. Usually a business will look at the cost to keep you and the cost to replace you. Think about it this way: everyone runs systems differently, has different passwords, etc. As an admin you have most of that information exclusively; if they fire you, the new admin will probably cost the same to have around, but the cost of the time it will take to get him settled will be enormous, redoing machine and server setups, etc.
In the end, it's all about Cost Vs Profit."
You forgot to add in the cost of how much the company values its data and its integrity. It is not just about how much it costs to replace you. It is about how much money they lost because of you and if they are willing to pay that price again. You also have to look at it from a PR side. Managers will manage people and not technology. Say you work for a bank. Said bank is hacked. Word gets out that the bank was a victim of hacking. The first thing that management will do is fire the security guy and use him as a scapegoat. When their customers ask about the breach, they will say they fired the security admin and the problem is solved. Chances are you won't be the sole proprietor of knowledge of the network's architecture. Maybe in a small-scale business operation the managers would see it as more cost effective to keep you than find someone new.
- xpsgen2man, on 10/12/2007, -0/+0
lack of a life maybe ^^^
- nfollmer, on 10/12/2007, -0/+0
If you look at the other stories on here, you will see that battybattybatt will comment on something like 6 or 7 times right in a row.
- 0Troy, on 10/12/2007, -0/+0
1. Secure the payload
2. cover your tracks
3. disconnect from unprotected wireless network you found
4. change your MAC back
5. leave
It doesn't take 11 steps...
- bananahands, on 10/12/2007, -0/+0
12. smoke a cigar
- imightbewrong, on 10/12/2007, -0/+0
Not what I expected but cool (no cokes?)
- compu73rg33k, on 10/12/2007, -0/+0
Someone make a list of 11 things to do after you hack someone.
1. Take a screenshot of the damage.
- aptiva, on 10/12/2007, -0/+0
heh.. step 5: isolate the machine, step 6: shut down the machine
Doesn't step 6 make step 5 kinda redundant? :)
- Sacrifusion, on 10/12/2007, -0/+0
I misunderstood the title of this and thought, "drink a beer", "high-five your partner in crime". Ah, I see I am not the only one who read the same.
- ivycress, on 10/12/2007, -0/+0
6) Continue to analyze the hacked HDD in another system as a slave HDD.
_______
That changes the evidence, and would not hold up in a court of law, if it comes to that.
- davieboy, on 10/12/2007, -0/+0
Interesting how the number 1 thing to do AFTER getting hacked is to ensure you "get a picture of your network and systems BEFORE the event"...
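Several commenters circle the same point: d03boy's "make a bit by bit backup using another computer", Darkmoth's "Archive your logs" before you format, and ivycress's objection that mounting the hacked disk as a slave drive changes the evidence. The script below is an added example, not code from the page or from any commenter, of the practice they are describing: image the disk byte for byte, record a hash of both the source and the copy, and re-verify the copy before (and after) any analysis so a modified copy is detected. A regular file stands in for the block device and the sample contents are constructed; on a real case the source would be the raw device read from a clean boot medium or through a hardware write blocker, which this example does not replace.

```python
"""Evidence-preserving disk imaging with hash verification.

Added example; not the page's or any commenter's code. A regular file plays
the role of the compromised block device (constructed sample data), and the
read-only chmod on the image is a convenience, not a substitute for a write
blocker.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat however large the device is


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image_path, note_path):
    """Copy `source` byte for byte to `image_path`, hashing the source as it
    is read, then hash the finished image and write a chain-of-custody note.
    Returns the note as a dict."""
    source_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            source_hash.update(chunk)
            dst.write(chunk)
    os.chmod(image_path, 0o444)  # analysis happens on a copy, never the original
    record = {
        "source": source,
        "image": image_path,
        "bytes": os.path.getsize(image_path),
        "sha256_source": source_hash.hexdigest(),
        "sha256_image": sha256_of(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(note_path, "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image_path, note_path):
    """Re-hash the image and compare with the recorded source and image
    hashes. False means the evidence no longer matches what was acquired."""
    with open(note_path) as f:
        record = json.load(f)
    return sha256_of(image_path) == record["sha256_image"] == record["sha256_source"]


def demo():
    """Run the flow on constructed data. Returns (verified_after_acquisition,
    verified_after_tampering); the second value shows why analysing a copy
    mounted read-write would break the chain of custody."""
    workdir = tempfile.mkdtemp()
    disk = os.path.join(workdir, "compromised_disk.bin")  # stand-in for a raw device
    image = os.path.join(workdir, "evidence.dd")
    note = os.path.join(workdir, "evidence.json")
    # constructed sample "disk": a few MiB of random bytes plus a marker line
    with open(disk, "wb") as f:
        f.write(os.urandom(3 * CHUNK) + b"sample-marker\n")

    acquire_image(disk, image, note)
    before = verify_image(image, note)

    # simulate the slave-drive mistake: one byte of the copy gets rewritten
    os.chmod(image, 0o644)
    with open(image, "r+b") as f:
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0xFF]))  # flip bits so the change is guaranteed
    after = verify_image(image, note)
    return before, after


if __name__ == "__main__":
    print("verified after acquisition, verified after tampering:", demo())
```

The note file is the artifact you hand to whoever picks up the case: it ties the image to the source hash and a timestamp, and `verify_image` is what you run before every analysis session. Any work that needs to write (mounting filesystems, running recovery tools) should go against a second copy made from the verified image, so the first copy keeps matching the note.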
- Tennen, on 10/12/2007, -1/+0
I was expecting things to do to my victim :(

