It's finally Friday. You're looking forward to a long 3-day weekend at that exclusive resort you've been wanting to try. Just before you leave the office, a user complains that the network is running slowly, particularly when he tries to access the Internet. You check it out and discover that the server and network are indeed incredibly slow. You check your firewall's traffic statistics and notice unusually heavy Internet traffic. You run the Netstat command on the server and find several unauthorized connections to your server that look like they're coming from the Internet. You check the server's registry and notice several unfamiliar programs set to automatically load. Cancel your plans; you have a long weekend of work ahead. You've just been hacked.
Depending on the nature of the attack, it's not always easy to determine that you've been hacked. Knowing where to look and what to look for can help you discover hacks and take remedial action before they cause additional damage. I'll show you where to begin looking for malicious programs that can wreak havoc on your systems, and I'll help you develop a hacking recovery plan. I'll wrap up with three case studies that show how I used these tactics to help organizations detect and recover from a network hack and prevent future attacks.
Where to Look
Obviously, you need to find a hack before you can take measures to stop the attack and recover from it. Where do you begin? Every hack is unique, but you should always check certain places first. Here are the key locations in which to start your search.
Registry subkeys. If you suspect that a particular machine has been hacked, check the Run subkeys in that machine's registry first. Look for any unfamiliar programs that load from these subkeys. Not only do attackers favor the Run subkeys as a launching point for rogue programs, but intruders can launch viruses from those subkeys as well. The subkeys apply to Windows Server 2003, Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x. The specific subkeys to check are:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
If you're running Windows 2003, XP, Win2K, or NT systems, you also need to check the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run subkey.
Any program that you don't recognize is a potential hacking program. Use Google or a similar search engine to search the Internet for the program name and determine whether the program is legitimate. You should be especially suspicious of programs that load from C:, C:\windows, and C:\windows\system32. I strongly suggest that you make a habit of regularly reviewing these registry keys so you become familiar with all the programs that are set to automatically load on your computers.
The following subkeys are less commonly used to launch hacking programs, but you need to check them also. These subkeys apply to all Windows OSs. If a key's (Default) value contains anything other than "%1" %*, the program it names is most likely a hacker program.
- HKEY_CLASSES_ROOT\batfile\shell\open\command
- HKEY_CLASSES_ROOT\comfile\shell\open\command
- HKEY_CLASSES_ROOT\exefile\shell\open\command
- HKEY_CLASSES_ROOT\htafile\shell\open\command
- HKEY_CLASSES_ROOT\piffile\shell\open\command
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htafile\shell\open\command
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command
Services. Review the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry subkey on all Windows OSs. The entries under this subkey specify the services that are defined on your computer. I suggest that you look directly in the registry instead of using Windows' Services GUI because some services (e.g., Type 1 services) don't show up in the Services GUI. Again, check for programs you don't recognize. If possible, compare the Services subkey entries and values to a machine that you know is hack-free and investigate any differences you find.
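To turn the registry checks above into a repeatable review, here is an added Python example (not code from the original article) that parses a `.reg` export of the Run-family subkeys and the file-type shell\open\command keys, compares the Run entries against a known-good baseline recorded from a clean machine, flags programs that launch from C:\, C:\windows or C:\windows\system32, and reports any open-command (Default) value that differs from "%1" %*. The export text, the baseline, and the program names in them (svch0st, wrapper.exe) are constructed sample data; the review rules are the ones the article gives.

```python
"""Review autostart registry entries from a .reg export (added example,
not code from the original article). Input is constructed sample data."""
import re

# Launch directories the article says to treat with extra suspicion.
SUSPICIOUS_DIRS = {"c:", r"c:\windows", r"c:\windows\system32"}

# The normal (Default) data for batfile/comfile/exefile/htafile/piffile open commands.
EXPECTED_OPEN_COMMAND = '"%1" %*'

# Lower-cased tails of the Run-family subkeys listed in the article.
RUN_SUBKEY_SUFFIXES = (r"\run", r"\runonce", r"\runservices", r"\runservicesonce",
                       r"\policies\explorer\run")

# .reg value line: @="..." for (Default), or "name"="..." for named values.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# First executable on a command line: quoted, or up to a known extension, or first token.
EXE_RE = re.compile(
    r'^\s*(?:"([^"]*)"|((?:.+?\.(?:exe|com|bat|pif|scr|vbs|dll)(?=\s|$|,))|\S+))', re.I)

# Constructed sample export; "svch0st" and "wrapper.exe" are made-up names.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"svch0st"="C:\\windows\\system32\\svch0st.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\windows\\wrapper.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed baseline: (subkey, value name) pairs recorded from a clean machine.
KNOWN_GOOD = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SynTPEnh"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe"),
}


def _unescape(s):
    # Undo .reg escaping: a backslash protects the following quote or backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {subkey: {value_name: data}} for the REG_SZ values in a .reg file."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries[current] = {}
            continue
        m = VALUE_RE.match(line) if current else None
        if not m:
            continue
        name_part, data = m.groups()
        name = "(Default)" if name_part == "@" else _unescape(name_part[1:-1])
        if data.startswith('"') and data.endswith('"'):   # REG_SZ; hex:/dword: skipped
            entries[current][name] = _unescape(data[1:-1])
    return entries


def executable_dir(command):
    """Lower-cased directory of the program a command line launches ('' if none)."""
    m = EXE_RE.match(command)
    exe = (m.group(1) or m.group(2) or "") if m else command
    return exe.rsplit("\\", 1)[0].lower() if "\\" in exe else ""


def review_autostarts(reg_text, baseline):
    """Apply the article's rules; returns (kind, location, data) findings."""
    findings = []
    for subkey, values in parse_reg_export(reg_text).items():
        key = subkey.lower()
        if key.endswith(r"\shell\open\command"):
            data = values.get("(Default)", "")
            if data != EXPECTED_OPEN_COMMAND:
                findings.append(("hijacked-open-command", subkey, data))
        elif key.endswith(RUN_SUBKEY_SUFFIXES):
            for name, command in values.items():
                if (subkey, name) not in baseline:
                    findings.append(("not-in-baseline", subkey + "\\" + name, command))
                if executable_dir(command) in SUSPICIOUS_DIRS:
                    findings.append(("suspicious-location", subkey + "\\" + name, command))
    return findings


if __name__ == "__main__":
    for kind, where, data in review_autostarts(SAMPLE_REG, KNOWN_GOOD):
        print(f"{kind:24} {where}\n{'':24} -> {data}")
```

A "suspicious-location" hit is a prompt to look the program up, not proof of compromise: in the sample, ctfmon.exe is a legitimate system32 program that is flagged for review while the made-up svch0st entry is flagged both for its location and for being absent from the baseline, which is the combination worth chasing first.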
Startup Folder. Check the C:\Documents and Settings\All Users\Start Menu\Programs\Startup and C:\Documents and Settings\<user_name>\Start Menu\Programs\Startup folders for unfamiliar programs and hidden files. To display a list of hidden files in the current folder and any subfolders, at a command prompt, enter
dir /ah /s
Task Scheduler. Check the C:\windows\tasks folder for unauthorized tasks. Investigate any scheduled task that you don't recognize.
Win.ini. Malicious users can load hacking programs automatically from C:\windows\win.ini. Look in the following section of the win.ini file:
[windows]
Run=
Load=
Any program listed after Run= or Load= will load automatically when Windows starts.
System.ini. Intruders can use shell commands to load programs in C:\windows\system.ini. Search system.ini for:
[boot]
shell=explorer.exe
Any program listed after explorer.exe will load automatically when Windows starts.
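The win.ini and system.ini checks are simple enough to automate. Here is an added Python example (not from the original article) that pulls Run= and Load= from the [windows] section of win.ini and reports anything that follows explorer.exe on the shell= line of system.ini. The two ini texts are constructed samples, and splitting a Run= or Load= list on commas and whitespace is an assumption about how multiple programs are written there.

```python
"""Check win.ini and system.ini for autostart entries (added example; the
ini contents below are constructed samples, not files from a real machine)."""
import re

SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\windows\system32\svch0st.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

SAMPLE_SYSTEM_INI = r"""[boot]
shell=Explorer.exe C:\windows\wrapper.exe
drivers=mmsystem.dll
"""


def ini_values(text):
    """Return {section: {key: value}} with sections and keys lower-cased."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            data.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            data[section][key.strip().lower()] = value.strip()
    return data


def review_ini(win_ini, system_ini):
    """Findings for Run=/Load= in win.ini and extra programs on shell= in system.ini."""
    findings = []
    windows = ini_values(win_ini).get("windows", {})
    for key in ("run", "load"):
        value = windows.get(key, "")
        # Assumption: several programs are separated by commas or whitespace.
        for program in re.split(r"[,\s]+", value.strip()):
            if program:
                findings.append((f"win.ini {key}=", program))
    shell = ini_values(system_ini).get("boot", {}).get("shell", "")
    tokens = shell.split()
    if not tokens or tokens[0].lower() != "explorer.exe":
        findings.append(("system.ini shell= is not explorer.exe", shell))
    for extra in tokens[1:]:
        findings.append(("system.ini shell= loads extra program", extra))
    return findings


if __name__ == "__main__":
    for where, program in review_ini(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print(f"{where}: {program}")
```

On a clean machine both Run= and Load= are empty and shell= reads exactly explorer.exe, so an empty findings list is the expected result; anything else names a program to look up.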
Other locations exist from which a hacker can automatically load programs to launch when Windows starts. Sysinternals' Autoruns freeware utility shows you which programs are configured to load during startup on NT and later systems. You can download the tool from http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml.
Open Ports and Unauthorized Users
After you've run your initial key-locations check for hacking activity, look for unexpected or suspicious open ports.
Root kits are stealth programs that run at the OS level and open ports on a compromised machine that an intruder can use for remote access. Root kits are common in the UNIX world, but more and more malicious hackers are writing them to exploit Windows. To determine connections and listening ports on a Windows-based computer, open a command line and run the command
Netstat -a
Table 1 lists ports that you'll typically find open on an XP computer. Don't be alarmed if you see more open ports on your particular workstation or server; ports can be dynamically assigned depending on the type of service. For example, remote procedure calls (RPCs) use dynamic ports when you remotely administer DHCP and WINS. For more information, refer to the Microsoft article "How To Configure RPC Dynamic Port Allocation to Work with Firewall" at http://support.microsoft.com/?kbid=15459. When you run Netstat, look for the following items:
- A large number (10 or more, depending on your environment) of established connections, especially to IP addresses outside your company.
- Unexpected open ports, especially high-order ports (i.e., port numbers larger than 1024). Hacking programs and root kits often use high-order ports to establish remote connections.
- Many pending connection attempts, which is a sign of a possible SYN flood attack.
- Unrecognized batch files. Some root kits create batch files in the following folders: C:\, C:\winnt\, C:\windows\, C:\winnt\system32, and C:\windows\system32. Root kits or other unauthorized programs can also create files and folders under the Recycle Bin, so look for hidden or unauthorized folders within the Recycle Bin folder. By default, the Recycle Bin files are located in the C:\recycler folder. Be suspicious of files and folders that still exist after you empty the Recycle Bin.
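As an added example (not from the original article), the Python below applies the three Netstat checks in the list above to captured output: it counts established connections to addresses outside the company's ranges, flags TCP listeners and UDP sockets above port 1024 that are not in an expected list, and counts half-open (SYN_RECEIVED) connections as a SYN-flood indicator. The sample output, the internal address ranges, the expected-listener set (standing in for the article's Table 1) and the thresholds are all constructed assumptions; the output is taken from `netstat -an` rather than `netstat -a` so that addresses are numeric and the parsing stays simple.

```python
"""Triage Windows 'netstat -an' output against the checks in the article
(added example; the sample output, ranges and thresholds are constructed)."""
import ipaddress
import re

# Assumed company address space; anything else counts as "outside the company".
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
# Assumed stand-in for the article's Table 1: listeners you expect on this host.
EXPECTED_LISTENERS = {135, 137, 139, 445}

# One netstat row: proto, local addr:port, foreign addr:port, optional state (none for UDP).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$")

# Constructed sample; 203.0.113.x and 198.51.100.x are documentation addresses.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       192.168.1.25:1033      ESTABLISHED
  TCP    192.168.1.10:1054      203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.10:1055      203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.10:1058      198.51.100.20:80       ESTABLISHED
  TCP    192.168.1.10:80        198.51.100.4:2201      SYN_RECEIVED
  TCP    192.168.1.10:80        198.51.100.5:2202      SYN_RECEIVED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:1900           *:*
"""


def is_internal(addr):
    """True for company ranges, loopback and unspecified addresses; '*' is not a peer."""
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))
    except ValueError:
        return True
    return ip.is_loopback or ip.is_unspecified or any(ip in net for net in INTERNAL_NETS)


def analyze_netstat(text, expected_listeners=EXPECTED_LISTENERS,
                    external_threshold=10, syn_threshold=20):
    """Summarise the output and list findings that cross the given thresholds."""
    report = {"external_established": [], "unexpected_listeners": [],
              "syn_received": 0, "findings": []}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, _laddr, lport, faddr, fport, state = m.groups()
        if state == "ESTABLISHED" and not is_internal(faddr):
            report["external_established"].append(f"{faddr}:{fport}")
        elif (state == "LISTENING" or proto == "UDP") and lport.isdigit():
            port = int(lport)
            if port > 1024 and port not in expected_listeners:
                report["unexpected_listeners"].append(port)
        elif state == "SYN_RECEIVED":
            report["syn_received"] += 1
    n = len(report["external_established"])
    if n >= external_threshold:
        report["findings"].append(
            f"{n} established connections to addresses outside the company "
            f"(threshold {external_threshold})")
    for port in report["unexpected_listeners"]:
        report["findings"].append(f"unexpected high-order listener on port {port}")
    if report["syn_received"] >= syn_threshold:
        report["findings"].append(
            f"{report['syn_received']} half-open connections (possible SYN flood)")
    return report


if __name__ == "__main__":
    for finding in analyze_netstat(SAMPLE_NETSTAT)["findings"]:
        print(finding)
```

The "10 or more" figure from the article is the default external-connection threshold; it is a parameter because, as the article notes, the right number depends on your environment. The helper deliberately does not use `ipaddress`'s `is_private`, since that property also covers the documentation ranges used in the sample and would hide them as internal.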
horseman69, October 12, 2004