IT Security Support
Compromised Computers
On this page:
What to do if you Suspect Problems?
Indications of a System Attack
What to do if your System is Attacked?
What NOT to do if your System is Attacked?
What to Do if You Suspect Problems
- Review the indications of a system attack. This section lists common problems, their causes, and steps you can take to determine whether your problem is indeed the result of an attack on your machine.
- After reviewing the indications of an attack and determining that your system might be compromised, learn what to do if your system is being attacked.
Important: Respond to an attack only by reporting the incident and securing your system as instructed. Do not attempt to respond to the attacker yourself; an attack on your system will be dealt with in an official manner by IT Security Services. Information is available on what not to do if your system is being attacked.
Indications of a System Attack
If you are concerned that your computer has been compromised, look for signs that your computer may have been hacked:
- Exceptionally slow, unable to connect to network services, or simply non-functional. These symptoms may indicate a "denial-of-service" attack (an attack aimed at preventing you from using a certain resource). However, from time to time MITnet is down or exceptionally slow. If you find that you are unable to connect, first check whether other people are having the same problem. If it is isolated to your system, and you have not received an email notifying you that your drop has been turned off, then the problem may indeed be the result of a malicious hacker.
- Unexplained disk activity. Be aware that some systems do disk-related cleanup while the system is idle, so this may be merely system "housekeeping."
- Unusual log entries such as login failures, user additions/deletions, or network connections to unfamiliar services.
- System appears to be less responsive than expected.
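As an added example (not part of the original page or of IT Security Support's tooling), the following Python script shows the kind of read-only triage that can be run over exported log lines to look for the log-entry indicators listed above: repeated login failures, a successful login from a source that had just been failing, user additions or deletions, and outbound connections to services the host is not expected to use. The log lines, host names, addresses and the list of expected ports are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original page). The addresses
# are documentation ranges and the host name is made up.
SAMPLE_LOG = """\
Mar  3 09:12:01 host1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 09:12:03 host1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Mar  3 09:12:05 host1 sshd[2211]: Failed password for root from 198.51.100.7 port 51024 ssh2
Mar  3 09:12:09 host1 sshd[2215]: Accepted password for root from 198.51.100.7 port 51026 ssh2
Mar  3 09:12:30 host1 useradd[2290]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/bash
Mar  3 09:13:02 host1 userdel[2301]: delete user 'alice'
Mar  3 09:14:10 host1 kernel: OUTBOUND SRC=10.0.0.12 DST=203.0.113.9 PROTO=TCP SPT=40112 DPT=6667
Mar  3 09:14:11 host1 kernel: OUTBOUND SRC=10.0.0.12 DST=18.9.22.169 PROTO=TCP SPT=40113 DPT=443
Mar  3 09:15:00 host1 cron[2400]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Destination ports this host is expected to talk to (assumed baseline);
# any outbound connection to another port is reported as "unfamiliar".
EXPECTED_PORTS = {22, 53, 80, 123, 443}

FAILED_LOGIN = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
USER_ADDED = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
USER_DELETED = re.compile(r"userdel\[\d+\]: delete user '([^']+)'")
OUTBOUND = re.compile(r"OUTBOUND .*DST=(\S+) .*DPT=(\d+)")


def triage_log(text, expected_ports=EXPECTED_PORTS):
    """Summarise the indicators found in a block of syslog text.

    Returns a dict with failed logins per source address, successful logins
    from a source that had already failed, users added/deleted, and outbound
    connections to ports outside the expected baseline.
    """
    failures = Counter()
    success_after_failures = []
    added, deleted, unfamiliar = [], [], []
    for line in text.splitlines():
        if m := FAILED_LOGIN.search(line):
            failures[m.group(2)] += 1
        elif m := ACCEPTED_LOGIN.search(line):
            user, src = m.group(1), m.group(2)
            # A success right after failures from the same source is the
            # classic sign of a guessed password.
            if failures[src]:
                success_after_failures.append((user, src))
        elif m := USER_ADDED.search(line):
            added.append(m.group(1))
        elif m := USER_DELETED.search(line):
            deleted.append(m.group(1))
        elif m := OUTBOUND.search(line):
            dst, port = m.group(1), int(m.group(2))
            if port not in expected_ports:
                unfamiliar.append((dst, port))
    return {
        "failed_logins_by_source": dict(failures),
        "success_after_failures": success_after_failures,
        "users_added": added,
        "users_deleted": deleted,
        "unfamiliar_connections": unfamiliar,
    }


def has_indicators(summary):
    """True if any indicator category in the summary is non-empty."""
    return any(summary.values())


if __name__ == "__main__":
    report = triage_log(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
    if has_indicators(report):
        print("Indicators present; report to IT Security and do not act on the attacker yourself.")
```

The script only reads text, so it can be pointed at a log file copied off the machine; with the constructed sample it reports three failures from one address followed by an accepted root login from the same address, one user added, one deleted, and one outbound connection to an unexpected port.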
What to Do if Your System is Attacked
- Disconnect the machine from the network. This will prevent an attacker from doing further damage to your system, and from using your system to attack others. To disconnect your machine, simply unplug the ethernet cable, or if the computer uses a wireless connection, either deconfigure the wireless card or physically pull the card out of the socket. If you are not sure how to disconnect from the network, contact the Service Desk at 3-1101.
  Note: Do NOT turn the machine off or reboot unless instructed to do so by IT Security. It is possible that processes left by an attacker may not get restarted after rebooting, which will make it more difficult for IT Security to determine the cause of your problem. Furthermore, other hacks left on the machine may take effect during reboot. Leave your computer powered on and disconnected from the network unless otherwise instructed.
- Send email to security@mit.edu. Try to use a neighbor's machine or one of the public Athena workstations. Be sure to include the machine name, operating system type and version, contact person, and any other information relating to the suspected event. If you are unable to email, call the Help Desk at 3-1101 and provide them with the incident information. If follow-up is needed, someone from IT Security Support will get back to you.
- To preserve system logs and other data, DO NOT use the machine after it has been disconnected from the network. Await follow-up from IT Security Support.
You will receive a response from IT Security Support with further inquiries and instructions regarding your case. Once your system is secure, notification will be sent letting you know that it is safe to reconnect your machine to the network. Learn more about restoring network access.
What Not to Do if Your System is Attacked
If you believe you have been the victim of an attack, there are a number of things you should not do:
- Do not launch a return attack on the suspected source system. Incoming attacks often use forged source addresses, so that any repercussions fall on an innocent third party. Denial-of-service attacks cause damage and inconvenience to innocent parties that share network or system resources with the party actually being attacked. Such attacks are a violation of the MITnet Rules of Use, and it is important that you maintain "innocent victim" status.
- Do not engage in a verbal/textual "flame war" with the suspected attacker.
The actual identity of the attacker is often purposefully obscured, and your response may inadvertently target an innocent third party.
Due to the possibility of legal ramifications, attacks on MITnet hosts are a matter to be dealt with officially by experienced IT Security staff only.