Helping people with computers... one answer at a time.
Unfortunately, it's extremely difficult for an average user to tell if a hack is in progress. I'll touch on a few ways to look, and discuss prevention as well.
How can I tell if my computer is being hacked?
Oh, there are some clues which you might look for, and I'll review a few of those, but ultimately, there's no way for the average computer user to know with absolute certainty that a hacker's not in the process of weaseling in, or that they haven't already.
Perhaps now you understand why I talk so much about prevention.
And I'll talk about it some more.
I'll start by pointing out that there's no real definition of "hacked" to work from. We tend to think of it as someone gaining unauthorized access to your information, which is a fine, albeit general, definition. Unfortunately, it's not nearly enough to go on for the more rigorous definition that we would need to answer questions like "What does it look like?" and "What do we look for?"
Heck, someone walking up to your computer and logging in as you because they know your password is a "hack", but there would be no malware or software trace left - other than perhaps something in the browser history.
Contrast that with external network attacks where someone remotely tries to penetrate the software or hardware that's protecting your computer from external access. While it's more likely to leave clues, it's not always guaranteed to be obvious, especially if you often access your computer yourself remotely.
Right away, you can see that things get complex.
The sad fact is that a sufficiently talented hacker might not leave any clues that you can easily find. This is one of the concepts that makes "rootkits" different than more traditional malware, like spyware or viruses; rootkits actually affect your system so that the normal ways of looking for files, for example, will not find them.
It takes special tools.
The same is true for just about any aspect of hacking - event logs can be emptied, file date and time stamps can be arbitrarily set or modified, files can be renamed or hidden, even malicious processes can be architected to run as part of some legitimate process, or simply look like a legitimate process themselves.
So, what can you do?
This is where I repeat the standard litany of "stay safe" advice:
Use a firewall.
Use anti-malware tools - both anti-virus and anti-spyware.
Keep your software as up-to-date as possible.
If a mobile machine, secure its internet connection.
Get educated about things like phishing scams, the dangers of email attachments, and just generally safe internet behavior.
I expand on these in what I often refer to as my most important article: Internet Safety: How do I keep my computer safe on the internet?, and I have recommendations for the tools to consider in this article: What Security Software do you recommend?
Prevention is far more effective than any attempt to detect a malicious intrusion, either during or after the event.
If you suspect that you have been hacked, the first thing to do is to run scans with your anti-malware tools. Make sure that they're up-to-date and that their databases are up-to-date as well, and then run full scans of your entire hard disk.
After that, things get fairly techie - which is why I said earlier that it's difficult (if not impossible) for the average computer user to determine what's happening.
I'll throw out some ideas, but don't feel bad if they're beyond you - this is tough stuff.
Because most malware these days is all about either communicating back over the internet or sending spam, the first thing that I would look at would be the internet activity happening on the machine. Look for processes that you don't recognize sending data to internet end points which you also don't recognize. Don't assume that they're evil without then researching them, but that's a place to start.
I'd use the same strategy for excessive disk activity as well.
It's worth looking at what's running on your machine as well - once again, looking for processes that you don't expect and then researching them.
If you're feeling particularly adventuresome (and you aren't the type to panic easily), then have a peek at the event viewer. The reason that I admonish the easily panicked not to look here is that there will be errors ... lots of them, in fact. That's normal, and that's because, to put it bluntly, the event log is a mess; occasionally, however, there can be clues in that mess. Exactly which clues are there is impossible to predict (remember, I said this was hard), but sometimes, they're helpful.
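The three checks above (unexpected network activity, unexpected processes, and clues in the event log) can be pulled together into one quick triage script. This is an added example, not part of Leo's article; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later with only the stock Windows cmdlets, and the list of "trusted" program directories is the example's own assumption, not a rule from the article.

```powershell
# Added example (not from the original article). Assumes an elevated
# PowerShell session on Windows 8 / Server 2012 or later; stock cmdlets only.

# 1+2. Network activity per process: every established TCP connection to a
#      non-local address, the process that owns it, where its executable
#      lives, and whether that executable carries a valid Authenticode
#      signature. Anything flagged "Review" is a starting point for research,
#      not proof of anything bad.
# Assumption: binaries outside these directories deserve a second look.
$trusted = @("$env:windir", "${env:ProgramFiles}", "${env:ProgramFiles(x86)}") |
    Where-Object { $_ }

$conns = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' }

$rows = foreach ($c in $conns) {
    $p    = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $path = if ($p -and $p.Path) { $p.Path } else { '<unknown>' }
    $sig  = if ($path -ne '<unknown>') {
        (Get-AuthenticodeSignature -FilePath $path).Status
    } else { 'n/a' }
    $inTrusted = $trusted | Where-Object { $path -like "$_\*" }
    $suspect = ($path -eq '<unknown>') -or (-not $inTrusted) -or ($sig -ne 'Valid')
    [pscustomobject]@{
        Process = if ($p) { $p.ProcessName } else { $c.OwningProcess }
        Path    = $path
        Signed  = $sig
        Remote  = "$($c.RemoteAddress):$($c.RemotePort)"
        Review  = $suspect
    }
}
$rows | Sort-Object Review -Descending | Format-Table -AutoSize

# 3. Event log: the article notes logs can be emptied. Windows records the act
#    of clearing itself, so an empty log with one of these entries is a clue:
#    Security log event 1102 ("The audit log was cleared") and
#    System log event 104 (a non-security log was cleared).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 10 `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104 } -MaxEvents 10 `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

A process flagged for review still needs the research the article calls for; many legitimate updaters and third-party tools live outside Program Files or ship unsigned.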
If you don't feel that you can trust your computer, then stop using it.
At least, stop using it until you can get to some reasonable level of confidence that all is as it should be, and that your next foray out to your online banking site won't result in, shall we say, "unexpected results".
Taking the time to secure your machine is important. Again, this is why I'm so adamant that prevention is so important.
It's significantly easier to prevent disaster than it is to recover from it.
PS: I'm always curious as to what techniques people use when they feel that their computer might be compromised - I certainly don't know them all. If you have a technique or suggestion that I haven't covered above, leave a comment.