IT Security Information — I'm Infected, Now What?

Last Updated: 06/21/2011

Overview

If you suspect that your computer system has been infected by a virus, worm, or compromised in any way, read below.

Signs that your system might be infected or compromised:

  • You or your Computer Support Representative (CSR) have been contacted by the IT Security Team (you can confirm the information by contacting the IT Service Center at 303-735-4357).
  • Your system shuts down spontaneously and frequently, even if you don't use it.
  • Your internet connection slows to a crawl even while you are not doing anything significant.
  • Your virus scanner crashes and cannot be started again.
  • You are no longer able to visit antivirus sites.
  • Your hard disk fills up and you can't find the files that use up all the disk space.

What should you do when your system has been compromised?

  1. CSRs and system administrators should refer to the technical instructions below
  2. Contact the IT Security Office by calling 5-HELP; the IT Service Center will take your information. The IT Security Office will provide information on how to remediate your system. In many cases the only way to be certain that your system cannot be used by an attacker is to reinstall the system.
  3. Change passwords on any computer you use, including email and IdentiKey passwords.
  4. Complete the remediation of the system.
  5. Contact the IT Service Center (at 5-HELP) to notify ITS that you have resolved the problem. Please leave the computer turned on and connected to the network.
  6. OIT will scan the system to verify that no serious network vulnerabilities remain. Based on the scan results, OIT will restore network access. Once you have contacted OIT it may take up to one business day to have the scan completed and network access restored.
  7. OIT will send an email notification to you and your CSR when access is restored.


Technical Instructions for System Administrators and CSRs

These instructions are only intended to help you understand what has happened to a system and the extent of the intrusion. Once you understand what has happened, it is strongly advisable to rebuild the system. Reinstalling all system files from vendor-supplied media guarantees that all system files are "clean." Configuration files have to be examined and cleaned as well. Reinstalling the system from a backup is NOT recommended, as the backup files may also have been compromised. While this step can be tedious and time-consuming, it is imperative in the "sanitation" process; without it your system will not be secure enough to prevent a similar intrusion. Remember to apply all appropriate security patches once the system installation is complete (preferably prior to reconfiguration).

These instructions are only useful if you have a very good understanding of your system. A snapshot or record of the system configuration is required so that you can compare the normal system state with the questionable state.

  1. Change system passwords
    While a suspected intrusion may at times turn out to be a "false alarm," it is imperative that you change all passwords for privileged accounts on the suspected system, as well as on other proxied systems. Remember that privileged accounts include those to which administrative functions have been delegated (e.g., accounts listed in "sudoers," accounts that have been granted backup permissions, full access to a local device, etc.).
     
  2. Ask the IT Security Office to perform a network vulnerability scan of the system
    The scan will report any open ports on your system and possibly vulnerabilities which could be used to gain access to the system. ITS may also be able to provide you with recent network traffic data to the questionable system.
     
  3. Check the system for new accounts
    Inspecting the passwd and group files on most UNIX systems, or the User Management control panel on Windows systems, can reveal an intrusion. It is possible that the intruder(s) created new account(s) with special privileges. Such accounts are usually used by the intruder(s) as a back door into the system.
     
  4. Review log files
    • Unless you already have a clear record of how the system was compromised, the first thing to do is examine the log files for unusual events.
    • Look for modifications made to system software and configuration files. This is a more difficult and time-consuming task, but often necessary to avoid a redundant system re-install. This step is productive only if you previously configured your system with security in mind, that is, you installed and ran software like Tripwire, which records the MD5 checksum of various system binaries, etc. In that case you can systematically detect Trojan horse binaries or modifications to system configuration files. If you have not previously run system security software, go to the next step.
  5. Scan system for new binaries (including user directories) and binaries which are loaded at boot.
    • A scan of your system can detect newly installed software in directories accessible only with privileged access. This in turn can reveal an intrusion. Scanning user directories can reveal binaries or scripts with the setuid/setgid bits turned on, also indicating a potential intrusion. Use a trusted tool to scan for files, as the attacker may have replaced binaries such as ls or find.
    • Check your rc.d and inetd configuration files for new services that will start at boot. On Windows systems, check for new services, new Start Menu startup items, and the registry (e.g., HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run keys) for binaries that will load at boot.
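The account and setuid checks from steps 3 and 5 on a UNIX system, as an added example that is not part of the original page. It assumes you kept a snapshot of /etc/passwd from when the system was known good (the page's "record of system configuration"); the sample passwd lines, file names and the TRUSTED_FIND variable are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the original page): checks for steps 3 and 5,
# written as functions so the results can be reused or fed to a report.

# new_accounts BASELINE SUSPECT
# Prints login names present in SUSPECT (the current passwd file) but not
# in BASELINE (the snapshot taken while the system was known good).
new_accounts() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# uid0_accounts PASSWD
# Prints every account other than root whose UID is 0: a classic back door
# that a plain "new account" comparison misses when the snapshot is stale.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# setuid_files DIR FIND
# Lists regular files under DIR with the setuid or setgid bit set. FIND is
# the path of a find binary you trust (e.g. one copied from vendor media),
# because an intruder may have replaced the find that is on PATH.
setuid_files() {
    "$2" "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Demo on constructed data; a real investigation points these at
# /etc/passwd, the snapshot, and /home (or /) instead.
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n' > "$d/passwd.snapshot"
    printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\ntoor:x:0:0::/:/bin/sh\n' > "$d/passwd.now"
    mkdir "$d/home"
    : > "$d/home/sh" && chmod 4755 "$d/home/sh"   # constructed setuid file
    : > "$d/home/notes.txt"                        # ordinary file, must not match
    echo "accounts added since snapshot:";  new_accounts "$d/passwd.snapshot" "$d/passwd.now"
    echo "non-root accounts with UID 0:";   uid0_accounts "$d/passwd.now"
    echo "setuid/setgid files under home:"; setuid_files "$d/home" "${TRUSTED_FIND:-find}"
    rm -rf "$d"
}
demo
```

The demo reports "toor" under both account checks and only the constructed "sh" file under the setuid check; set TRUSTED_FIND to the path of a known-good find before running it on a suspect host.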
  6. Check other local systems
    In many cases, when a system is compromised, the attack either started on another local machine or spread to other local machines. This is more likely in environments with several servers configured for trust relationships, or in departments that share the same local network segment (broadcast domain). Pay close attention to the login records on your system and on systems which:
    • have common user accounts
    • "trust" your system (e.g., permit remote shell functions, obtain password files, etc.)

If you determine that the system has been broken into, contact the IT Security Office for consultation on remediation.