"Deep in the sea are riches beyond compare.
But if you seek safety, it is on the shore."
What to do if you are attacked or hacked: Part One
Many computer users are "innocent" victims
of internet and computer vandalism. Their computer has been attacked
or even totally breached, and it's totally open to some hacker on
the other side of the world. Or some co-worker or friend or wife
(!!!) has installed some monitoring program onto it to see what
the users are doing with it, which makes it easy for them to read all email,
passphrases and so on. Whatever the motives and goals of these
people are, we can only imagine. The problem is that people who
are not familiar with computers and operating systems are
usually totally unaware of all this. When they finally have a
clue, they don't know what to do about it. I try to give some tips
on how to react in such cases where you believe that you are under
attack or hacked.
How can you know?
How can you know you have been attacked or your system compromised?
It might be hard or it might be very easy. If you have a firewall
like ZoneAlarm, it might have logged a suspicious program trying
to set up a server, or your antivirus alerted you about some trojan.
Or your internet connection is jammed or your firewall is screaming
like it's the end of the world and you are under a DoS attack? Anyway,
you should be sceptical, even paranoid. You can rarely know for
sure. In general, if you don't pay attention, you usually can't
see it. Think. What is wrong here? Nothing? Why is my system not
running as it should be? What was that warning I ignored before?
What was that screen that popped up and vanished? Why did it take
so long to boot? Why have my settings been changed, when I know I didn't
change them? Why are some files missing? What is that strange email I
have "sent" from my computer that I don't recall? What
is starting up in my computer? Why is my internet connection "working"
hard even though I'm not doing anything?
Don't panic!
What to do if you believe that you are under attack? First,
don't panic. If the hacker has gotten into your system, he might
have already done the damage. If he isn't in yet, he may never
get in. If the attack is net-based (like a port scan, DoS attack
or DNS spoofing that you somehow spot), then the best option might
be to disconnect. Pull the plug out to be sure. On the other hand,
if you know your defences are good, it might be wise to figure
out who is trying to do what (or doing what) to your system. If you disconnect,
the hacker might notice it and figure out that you spotted him.
Remember that if you get hits to your firewall
from outside, that simply means that your firewall is doing its
job and that you are safe, so there is no particular reason to
disconnect. However, if you get very strange hits from inside
your computer going out, then it is very important to disconnect
to make sure that, whatever it is, it will NOT get out
to the net no matter what happens next. After you have made sure
that the hacker is not getting in or out of your system, then you have
time to figure out and react to the attack much better.
Under DoS?
If your internet connection is jammed or your firewall is screaming,
then you might be under a DDoSA (Distributed Denial of Service Attack).
Then you need to either A) change your IP address, B) adjust your
computer and firewall settings so it will hopefully block it,
C) contact your ISP and of course D) check that you have the recent
updates to your operating system. You might also consider buying
a new network card and changing your computer and username to be
sure that you can't be tracked or targeted again. Usually, you
need to do all of them.
A DDoSA is used to fill your connection and your computer's
resources so it cannot be used at all. It is usually done just
to harass you or take revenge, since it isn't a real "threat"
to your computer. It just prevents you (and perhaps dozens of other
people too, since they may share your connection somehow) from
using the net. There are plenty of different DoSAs like "Smurf",
"SYN flood", "Ping flood", "DNS attack",
"Teardrop", "Stream", "TFN", "Trinoo",
"Stacheldraht", "TFN2K", etc. etc. But it's
not that important to know about them, since there usually isn't
much you can do without your ISP, and they will tell you about it.
After you have recovered, it is crucial to avoid
the same practices that put you at risk before. Be very
careful about your new IP address; use proxies to hide it.
Port scanning?
If the hacker is not inside your computer but just scanning your
ports, then you don't have much to worry about. If the hacker is
scanning ONE or only a few ports, then he might be trying to find
a trojan horse and connect to it. He might be just guessing, or
he has planted a trojan horse onto your computer and is trying
to connect to it. Whatever it is, it is something you should
react to.
Please be careful before you jump to conclusions
here: 99% of all firewall alerts (at least in ZoneAlarm) are not
real "alerts" meaning that someone is actually trying
to connect to your computer, but just internet background noise.
You can judge the severity of the connection attempts from the
logs and by checking what ports are used. ZoneAlarm also gives
you more information about the blocked connection if you want
it. You can also check Google for more info: just type in "Port
xxx" where xxx is the number of the port you are getting
hits on.
Again, only continuous attempts to connect to your
computer from the same IP, or attempts
to connect from your computer to the network, are something to worry about. Everything else... just
forget it, ok? Don't panic or start posting to newsgroups or forums,
or emailing system administrators! DON'T.
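The two sections above boil down to a small triage rule set for a personal firewall log: blocked connections going OUT from your own computer are the ones that call for pulling the plug, repeated attempts from the SAME outside IP are worth a look (one or two ports suggests someone probing for a trojan, many ports a sweep), a sudden flood of hits from all over is the "firewall screaming" DoS picture, and a single stray hit is background noise. The script below is an added example written for this page, not code from the original page or from ZoneAlarm; it assumes a constructed, ZoneAlarm-like comma-separated layout (direction, date, time, source ip:port, destination ip:port, protocol), and the log lines and thresholds are all made up for illustration.

```python
"""Triage of personal-firewall log lines: outbound, repeat source, flood, or noise."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed ZoneAlarm-like CSV layout (not a real capture):
# direction,date,time,source ip:port,destination ip:port,protocol
SAMPLE_LOG = """\
FWIN,2003/05/10,12:00:01,203.0.113.5:3421,192.168.1.3:1434,UDP
FWIN,2003/05/10,12:00:09,198.51.100.7:1040,192.168.1.3:135,TCP (flags:S)
FWIN,2003/05/10,12:00:15,198.51.100.7:1041,192.168.1.3:139,TCP (flags:S)
FWIN,2003/05/10,12:00:22,198.51.100.7:1042,192.168.1.3:445,TCP (flags:S)
FWIN,2003/05/10,12:00:31,198.51.100.7:1043,192.168.1.3:12345,TCP (flags:S)
FWIN,2003/05/10,12:01:05,192.0.2.44:5000,192.168.1.3:80,TCP (flags:S)
FWOUT,2003/05/10,12:02:10,192.168.1.3:1055,192.0.2.99:6667,TCP (flags:S)
"""


def parse_line(line):
    """Turn one log line into a dict, or None for lines that do not fit the layout."""
    fields = line.strip().split(",")
    if len(fields) < 6:
        return None
    direction, date, time_, src, dst, proto = fields[:6]
    ts = datetime.strptime(f"{date} {time_}", "%Y/%m/%d %H:%M:%S")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"dir": direction, "ts": ts, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": proto}


def _max_hits_in_window(events, window):
    """Largest number of events (sorted by time) falling inside any span of `window`."""
    best, j = 0, 0
    for i in range(len(events)):
        while events[i]["ts"] - events[j]["ts"] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def triage(log_text, repeat_threshold=3, repeat_window=timedelta(minutes=5),
           flood_threshold=100, flood_window=timedelta(seconds=60)):
    """Sort blocked connections into the categories the text describes.

    outbound        -> blocked attempts from your own machine to the net (disconnect, investigate)
    repeat_sources  -> outside IPs hitting you repeatedly, with the ports they tried
    flood           -> True if inbound hits arrive fast enough to look like a DoS
    noise           -> everything else (background noise; forget it)
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = {"outbound": [], "repeat_sources": {}, "flood": False, "noise": []}
    inbound_by_src = defaultdict(list)
    for e in events:
        if e["dir"] == "FWOUT":
            findings["outbound"].append(e)
        elif e["dir"] == "FWIN":
            inbound_by_src[e["src_ip"]].append(e)

    # Same IP, many tries within the window: worth attention; the port list hints
    # whether it is a single-port trojan probe or a sweep across many ports.
    for src, evs in inbound_by_src.items():
        evs.sort(key=lambda x: x["ts"])
        if _max_hits_in_window(evs, repeat_window) >= repeat_threshold:
            findings["repeat_sources"][src] = sorted({x["dst_port"] for x in evs})
        else:
            findings["noise"].extend(evs)

    # Many inbound hits from anywhere in a short window: the "firewall screaming" DoS case.
    inbound = sorted((e for e in events if e["dir"] == "FWIN"), key=lambda x: x["ts"])
    findings["flood"] = _max_hits_in_window(inbound, flood_window) >= flood_threshold
    return findings


def make_flood_sample(n=150):
    """Constructed log: n inbound SYNs from n different sources within ten seconds."""
    start = datetime(2003, 5, 10, 12, 5, 0)
    lines = []
    for i in range(n):
        stamp = (start + timedelta(seconds=i % 10)).strftime("%Y/%m/%d,%H:%M:%S")
        lines.append(f"FWIN,{stamp},203.0.113.{i % 254 + 1}:{40000 + i},192.168.1.3:80,TCP (flags:S)")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for label, text in (("normal day", SAMPLE_LOG), ("flood", make_flood_sample())):
        f = triage(text)
        print(f"{label}: outbound={len(f['outbound'])} repeat={f['repeat_sources']} "
              f"flood={f['flood']} noise={len(f['noise'])}")
```

On the constructed sample the script flags the single FWOUT line (your own machine trying to reach an outside host on port 6667) as the thing to disconnect over, lists 198.51.100.7 as a repeat source that swept ports 135, 139, 445 and 12345, and files the two one-off hits under noise; the generated flood sample trips the DoS indicator instead. The thresholds are guesses to be tuned against your own connection's normal background level.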
I recommend that you check my "Firewalls & ZoneAlarm"
page for more information regarding firewalls and alerts.
-Markus Jansson