How to tell if your system is compromised
If you are noticing something odd about your system's behavior, your system may be under attack and may already be compromised. Signs that your system may be compromised include:
- Exceptionally slow network activity, disconnection from network services, or unusual network traffic
- A system alarm or similar indication from an intrusion detection tool
- Suspicious entries in system or network accounting (e.g., a UNIX user obtains privileged access without using authorized methods)
- Accounting discrepancies (e.g., someone notices an 18-minute gap in the accounting log that cannot be explained by any known activity)
- Repeated unsuccessful logon attempts
- New user accounts of unknown origin
- Unusual log entries, such as network connections to unfamiliar machines or services, or login failures
- New files of unknown origin and function
- Unexplained changes, or attempts to change, file sizes, checksums, or date/time stamps, especially those of system binaries or configuration files
- Unexplained addition, deletion, or modification of data
- Denial of service activity, or the inability of one or more users to log in to an account, including admin/root logins at the console
- System crashes
- Poor system performance: the system appears slower than normal and less responsive than expected. (Note: unexplained disk activity may be due to disk-related system maintenance, such as disk file clean-up while the system is idle; this is completely normal.)
- Unauthorized operation of a program or the addition of a sniffer application to capture network traffic or usernames/passwords
- Port Scanning (use of exploit and vulnerability scanners, remote requests for information about systems and/or users, or social engineering attempts)
- Unusual usage times (statistically, more security incidents occur during non-working hours than any other time)
- A recorded last-use time for an account that does not correspond to the actual last time that account was used
- Unusual usage patterns (e.g., programs are being compiled in the account of a user who does not know how to program)
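Several of the signs above can be checked mechanically. The following Python script is an added example, not part of this page or of any tool the Helpdesk or CERT provides: it records a baseline of size, SHA-256 checksum and timestamp for chosen configuration files or binaries and reports what later differs, and it scans authentication log lines for repeated failed logins from one source, newly created accounts, and off-hours activity. The file contents, the log lines and the syslog-style sshd/useradd format the regular expressions expect are all constructed assumptions; on a real system the baseline should be taken while the machine is known-good and stored where an attacker cannot alter it, and the patterns adjusted to the local log format.

```python
"""Baseline-and-compare and log-scan checks for a few of the indicators
listed above. Added example; log lines and file contents are constructed."""
import hashlib
import os
import re
import tempfile
from collections import Counter
from pathlib import Path


def file_fingerprint(path):
    """Return the three attributes the checklist says to watch on system
    binaries and configuration files: size, checksum and modification time."""
    p = Path(path)
    st = p.stat()
    return {
        "size": st.st_size,
        "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
        "mtime": int(st.st_mtime),
    }


def build_baseline(paths):
    """Fingerprint every path. Take this on a known-good system and keep the
    result off-host or on read-only media so it cannot be tampered with."""
    return {str(p): file_fingerprint(p) for p in paths}


def compare_to_baseline(baseline):
    """Re-fingerprint each baselined path and return {path: [changed attrs]};
    a file that has disappeared is reported as ['missing']."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        current = file_fingerprint(path)
        changed = [k for k in ("size", "sha256", "mtime") if current[k] != expected[k]]
        if changed:
            findings[path] = changed
    return findings


# Constructed sample lines in traditional syslog style (an assumption about
# the log format; the RFC 5737 addresses are documentation-only values).
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 02:14:03 host sshd[1201]: Failed password for root from 203.0.113.7 port 40123 ssh2
Mar  3 02:14:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar  3 09:10:44 host sshd[1410]: Accepted password for alice from 192.0.2.10 port 50110 ssh2
Mar  3 02:14:09 host sshd[1205]: Failed password for alice from 203.0.113.7 port 40141 ssh2
Mar  3 03:30:00 host useradd[1300]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/bash
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
NEW_USER_RE = re.compile(r"useradd\[\d+\]: new user: name=(\S+?),")
TIME_RE = re.compile(r"^\w{3}\s+\d{1,2} (\d{2}):\d{2}:\d{2}")


def failed_logins_by_source(log_text, threshold=3):
    """Count failed password attempts per source address and return the
    sources at or above the threshold (the 'unsuccessful logon attempts' sign)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def new_accounts(log_text):
    """Return account names that useradd entries say were created, so they
    can be checked against the list of accounts someone actually requested."""
    return [m.group(1) for m in NEW_USER_RE.finditer(log_text)]


def off_hours_events(log_text, start_hour=0, end_hour=6):
    """Count log events whose hour falls in [start_hour, end_hour), the
    'unusual usage times' sign; the window is a local-policy assumption."""
    n = 0
    for line in log_text.splitlines():
        m = TIME_RE.match(line)
        if m and start_hour <= int(m.group(1)) < end_hour:
            n += 1
    return n


def demo():
    """Run every check against a constructed config file and the sample log."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "sshd_config"          # constructed stand-in file
        cfg.write_text("PermitRootLogin no\n")
        baseline = build_baseline([cfg])
        cfg.write_text("PermitRootLogin yes\n")  # simulate an unexplained change
        file_findings = compare_to_baseline(baseline)
    return {
        "changed_files": file_findings,
        "failed_login_sources": failed_logins_by_source(SAMPLE_AUTH_LOG),
        "new_accounts": new_accounts(SAMPLE_AUTH_LOG),
        "off_hours_events": off_hours_events(SAMPLE_AUTH_LOG),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The checks only raise questions; a changed checksum on a file that was patched yesterday, or a new account that was requested through the normal process, is not an incident. What makes the comparison meaningful is that the baseline was taken before the suspicious behavior began and kept out of the attacker's reach.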
For more detailed assistance in determining whether your system might have been compromised, please reference the following information from the CERT Coordination Center:
CERT Windows NT Intruder Detection Checklist
CERT Unix Intruder Detection Checklist
What to do if your system is being attacked
- Call the Helpdesk at 4-9800 or 4-9900 and report the issue directly.
- Record as much information as you possibly can on the attack and what has occurred on your machine. Include all log files, any applications information, and the frequency and time of the incident.
Things NOT to Do
If you think that your system is being attacked or has been compromised, there are a number of things that you should not do. These are:
- DO NOT disconnect the machine from the network. This would prevent the investigator from examining the attack as it occurs and collecting real-time data that can be used against the attacker.
- DO NOT turn the machine off or reboot unless instructed to do so by a security team member. It is possible that the processes left by an attacker may not get restarted after rebooting, which may make it more difficult for a Network Security consultant to determine the root cause of the problem.
- DO NOT launch a return attack on a suspected source, as most real attacks spoof their source. Return attacks cause damage and inconvenience to innocent systems that share network or system resources with the system being attacked.
- DO NOT get into a verbal or textual exchange with the suspected attacker, as the actual identity is often purposefully obscured, and your response may abuse an innocent third party.