How to check, if your machine is compromised...

[highchilled 3]

Hello!


I want to start a little discussion about the this topic with you guys here:
How to find out if you are compromised (your machines, servers, routers, etc.)?

If you suspect to be compromised, what are the first things you are looking for?

Sth like:

- High RAM/Processor usage, when actually no prog is running
- Weird packages in wireshark and other protocol analyzers found
- Connection drops, reconnects, timeouts, delays, etc.
- Changes on the system you didn't make by yourself
- Browser Infiltration (Pop-Up's, Add-on's, long loading-times etc.)


I know this topic is really BIG, as there are a lot of different OS's and systems out there.

But I like to hear anything and I would appreciate your answers


regards,
me

[OpenSourcerer 1359]

Antivirus. /s

[ɹoɹɹǝ 26]

I use Linux, so I don't worry too much about viruses/malware/spyware. But I do keep my kernel updated to the latest mainline/stable release, as the Linux equivalent for an anti-virus is keeping your kernel updated... Also, I use ClamAV. It isn't the best anti-virus, but it will protect me from some potential Windows viruses before I run them in Wine. Usually, when it detects something, I scan it on VirusTotal to get a better opinion (as ClamAV is not the best, but it's not horrible either...) and to see which files it creates, and which IP's/DNS's it communicates with. But with every operating system, I tend to worry about my applications security first, then my actual operating system. As long as you keep your applications updated and secure Firefox (or whatever browser you use, but open-source is king when it comes to privacy/security), you will have a very minimal chance of getting a virus. Oh, and common sense, too.

[me.moo@posteo.me 80]

Examine current processes and what is due to run at startup. As @ɹoɹɹǝ wrote too.

 

Edit: I do not require anyones input, I know what I am doing thanks very much.

[highchilled 3]

Antivirus. /s

In my opinion, AV'S make a system rather more insecure, than secure

 

 

Examine current processes and what is due to run at startup. As @ɹoɹɹǝ wrote too.

Somebody who has a little bit knowledge will rename the process and it not use much capacity, so by watching the processes, you won't detect it.

If you're in a botnet or sth, then you will see the process eating resources, if you have a simple reverse shell on your system - then no chance.

 

 

I use Linux, so I don't worry too much about viruses/malware/spyware. But I do keep my kernel updated to the latest mainline/stable release, as the Linux equivalent for an anti-virus is keeping your kernel updated... Also, I use ClamAV. It isn't the best anti-virus, but it will protect me from some potential Windows viruses before I run them in Wine. Usually, when it detects something, I scan it on VirusTotal to get a better opinion (as ClamAV is not the best, but it's not horrible either...) and to see which files it creates, and which IP's/DNS's it communicates with. But with every operating system, I tend to worry about my applications security first, then my actual operating system. As long as you keep your applications updated and secure Firefox (or whatever browser you use, but open-source is king when it comes to privacy/security), you will have a very minimal chance of getting a virus. Oh, and common sense, too.

I use everything, MAC, Windows, Linux...

If it comes to viruses, with linux you are right.

If it comes to an aimed attack on your personal machine - linux is also vulnerable..

 

 

regards,

me

 

[itguy2017 25]

Security Analyst and Senior Network Engineer here. I've worked for several AV companies as well.

 

Common themes that may indicate a compromise;

 

1) Slowdowns, Lag, hitching on the PC.

2) Website load errors. For MiTM and State Sponsored Injections it's very common to notice webpages don't load properly at times. Often requiring the browser to hit-reload on a web page. This is very common with Man in the Middle types of interception on your machine. One way to test is to go to a site with an Extended Validation Certificate (EVC), if it hitches there it's a good chance you are MiTM'd. Then you need to start looking for forged or self-issued Root CA's on the machine, proxies and forged CA's in the browser, etc.

3) Recurrent infections/compromises. If you fix things and they happen again it's time to start looking for things like NIC and HD firmware compromises. We isolated a CIA compromise 9 years ago that allowed exploits to be reinstalled from HD firmware. I had a stack of 7 hard drives that kept reinstalling exploits even after OS format. Later, Snowden documents revealed HD FW is compromised.

4) APPINIT, check your registry for APPINIT, this is a DLL preload before the launch of normal programs. Delete them from Registry. We found compromises a few years ago that launched a DLL over top of Chrome as it was launched with a 'shadow' Chrome running on top of the real one. A second icon for Chrome overlayed the normal one on the taskbar so most people wouldn't notice.

5) Fake OpenSource programs. NSA/CIA both have their own fake compiled Firefox browsers for example. Functionally and visually identical to NORMAL Firefox, but they own it and they can do what they want when it's installed. We've isolated these in a few cases over the years. This doesn't mean to give up your opensource, it means be very careful and source them properly and be aware of versions and MD5 signatures of apps.

6) Watch your directory structure. Often we find exploits installed in a directory off of C:\ or on C: root. A lot of anti-malware products scan the 'most common threat surface locations' (program files, user/appdata, windows/system32, etc. Totally avoiding malware installed elsewhere. That's how 'quick scans' are so quick with most products. Do full-scans with your products and be observant of rogue directories!

7) Watch how WIFi works.. Disconnects and Reconnects? It's not always your WiFi... Also watch for hidden and/or sporadic appearance of WiFi adapters on your devices. We found a laptop that was being used as a Rogue-AP in broadcast mode to connect to the internal network by utilizing the laptop as an AP itself. Very interesting, very effective. We caught it by observing the unstable WiFi and what happened during the instability, a rogue AP popped up each time disconnecting the user for a second or two.

8) DISCERN, AWARE.. Watch for anomalies. Almost all of the threats we find present anomalies on the system at some level. Even the big stuff, from NSA/CIA presents anomalies to the observant person. Their best stuff isn't immune to not impacting the system, stability or presenting oddities to even the untrained eye.

 

That should cover most things.

[serenacat 83]

I was updating myself with this thread about proactive detection of botnet/ddos/malware activity by a government agency and ISPs in Australia, with a feedback path to the internet user of diagnostic and request to rectify, and potential threat of disconnection.

https://forums.whirlpool.net.au/forum-replies.cfm?t=2593571

One could debate about the merits of this "intrusion", but reading the comments you will see many people are positive in attitude, and appreciate the detection, and fix their malware infections - sometimes in routers, or PC, or now wifi connected phones or SmartTVs, security cameras, etc, etc.

But if using a VPN, malware traffic such as spam, ddos, attack scans, etc emit from the VPN exit node. Reading the Air Terms of Service, such would violate section 4, and justify section 5 termination of service.

But is there a detection of such traffic on the Air exit nodes and a similar "feedback path" to customers to help them rectify the problem, which in most cases they would be unaware ? It is undesirable that exit node IP addresses be blacklisted or burdened with extra captchas.

Many AirVPN users such as myself are probably better than most at avoiding malware infection, but VPN usage is becoming more "mainstream".

[John Gow 12]

I use Linux, so I don't worry too much about viruses/malware/spyware. But I do keep my kernel updated to the latest mainline/stable release, as the Linux equivalent for an anti-virus is keeping your kernel updated... Also, I use ClamAV. It isn't the best anti-virus, but it will protect me from some potential Windows viruses before I run them in Wine. Usually, when it detects something, I scan it on VirusTotal to get a better opinion (as ClamAV is not the best, but it's not horrible either...) and to see which files it creates, and which IP's/DNS's it communicates with. But with every operating system, I tend to worry about my applications security first, then my actual operating system. As long as you keep your applications updated and secure Firefox (or whatever browser you use, but open-source is king when it comes to privacy/security), you will have a very minimal chance of getting a virus. Oh, and common sense, too.

 

Have to chime in here, as I was bulldozed by a neighbor/script kiddy, on linux and osx machines. Have a copy of the poisoned linux install usb just to remind myself.

 

It's very easy to go down a rabbithole on infosec, especially if you do not come from a background with any kind of training in security/coding/networks. For me learning linux was a baptism by fire. It really sucked.

If I could impart my layman's advice, it would be to never make assumptions about anything. Of course, one has to trust something. You have to trust Linus Torvalds and Richard Stahlman or else you shouldn't be using the internet. You have to trust the AirVPN guys, and the open source community, and that people will slow down when the light turns red and  not  run you over...  Do not trust in the human warmth and kindness of Microsoft.

 

That being said, most hacking does not come from the CIA and stuff, though I SERIOUSLY APPRECIATE people like itguy2017 who are willing to help the clueless such as myself in becoming more secure online.

 

I think most compromising comes from uninformed, big assumptions, like "well, this gateway modem that Warner Cable leases to me has to be MOSTLY SECURE, right?" Or, "I will open this e-mail from LinkedIn saying I have a new friend." and similarly common assumptions that lead to CIA directors and presidential candidates getting kicked to the curb. If you are not trained in infosec, you won't know the difference between being hacked by some intel guy helming a botnet and normal logfile noise.  You will go mad trying to discern noise from actual problems, as I did, as many people who look at security logs for a living must at some point or another.

 

The most likely reason a compromise happens is ignorance of the attack surface and plain old oversight. There is no patch for stupid, as the old security adage goes.

 

I think understanding how routers work is a nice step. I like it because its concrete, the security is measurable, unlike the infinite wasteland of the M$ registry.

https://routersecurity.org is a good site for learning the intro bits and main issues/risks. Defcon router tinkerer runs it and he's very nice.