Signs of a computer break-in

With all of the automated probing of computer systems by hackers, you should be alert for signs that your systems have been compromised.  If you notice anything at all different about any of your systems, you should be suspicious.

Some of the common things that I have run across when a system has been compromised are new programs (or icons) showing up, icons having been moved, and new users being added.  Of course, one of the common signs is that your system runs slower, because it is busy doing the work that the hacker added to it.

You should periodically take a look at the programs installed on your system.  The program list in Windows, or the “bin” directories on Linux/UNIX systems, are the places to check for these.  Checking the creation date on any programs that you are suspicious of is not always reliable, as there are ways to make files look as if they were created at an earlier time.  However, in many cases these creation dates are correct.  So, if you see programs that were created at, say, 3:00 in the morning and you know that no one was working on your system at that time, it is safe to assume that they are malicious.

Likewise, if a periodic check of the user logins reveals any accounts that you do not recognize, you should assume that your system has been broken into.  There are some system accounts (such as “sys” or “admin”) on many operating systems that you will need to be aware of, however.  Accounts that appear to be random characters, or often three letters like a person’s initials, are particularly suspect.

Another thing that I often check is the open network connections.  Your operating system should have a utility to check this (“netstat” in many cases).  By running this, you will get a list of the currently open network connections, with the IP address of the remote system.  This IP address can be checked using an on-line lookup tool to find the domain that it belongs to.  In this case, an open connection to a domain in China, when you have no customers or employees in China, would be a dead giveaway that something is amiss.
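The three checks above (accounts you do not recognize, programs with off-hours timestamps, and established connections to outside addresses) as one small triage script; this is an added example, not the author's own tooling. It assumes bash and awk, that you maintain a baseline list of expected account names, and that the timestamp lines come from GNU find's -printf (shown in a comment); the sample passwd, netstat and file listings are constructed inline.

```bash
#!/bin/bash
# Added example (not from the original post). Three triage checks on
# constructed sample data; feed real data through the same functions.

# 1. Accounts: print passwd entries (stdin) whose name is not in the
#    space-separated baseline given as $1. System accounts such as "sys"
#    belong in the baseline so they do not raise noise.
unknown_accounts() {
  awk -F: -v list="$1" 'BEGIN { n = split(list, b, " "); for (i = 1; i <= n; i++) known[b[i]] = 1 }
                         !($1 in known) { print $1 }'
}

# 2. Connections: from "netstat -tn"-style lines (stdin), print the remote
#    address of ESTABLISHED sessions that are not loopback or RFC 1918
#    private space, i.e. the peers worth looking up.
external_peers() {
  awk '$6 == "ESTABLISHED" { split($5, a, ":"); ip = a[1];
       if (ip !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)/) print ip }'
}

# 3. Timestamps: lines of "HH:MM path" (stdin), e.g. produced on Linux by
#    find /usr/local/bin -type f -printf '%TH:%TM %p\n' (modification time;
#    the post talks about creation time, which find does not expose).
#    Prints paths whose hour lies outside the working window [$1, $2).
offhours_files() {
  local start="${1:-7}" end="${2:-19}"
  awk -v s="$start" -v e="$end" '{ h = substr($1, 1, 2) + 0; if (h < s || h >= e) print $2 }'
}

# Constructed sample data: one unexpected three-letter account, one session
# to a documentation-range (203.0.113.0/24) address, one 03:12 binary.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sys:x:3:3:sys:/dev:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
jkl:x:1001:1001::/home/jkl:/bin/bash'
SAMPLE_NETSTAT='tcp 0 0 10.0.0.5:22 10.0.0.9:51234 ESTABLISHED
tcp 0 0 10.0.0.5:4444 203.0.113.7:40001 ESTABLISHED
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN'
SAMPLE_FILES='03:12 /usr/local/bin/.x
14:05 /usr/local/bin/deploy'

run_demo() {
  echo '== accounts not in baseline =='; printf '%s\n' "$SAMPLE_PASSWD" | unknown_accounts 'root sys alice'
  echo '== established sessions to outside addresses =='; printf '%s\n' "$SAMPLE_NETSTAT" | external_peers
  echo '== files touched outside 07:00-19:00 =='; printf '%s\n' "$SAMPLE_FILES" | offhours_files
}
run_demo
```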

By keeping alert to any changes in your system, and being suspicious of their cause, you can usually minimize the damage in the event that your system is compromised.  Needless to say, keeping everything up-to-date with the latest security patches, and practicing good security management, is the best way to prevent a computer break-in in the first place.
