Unfortunately, it's extremely difficult for an average user to tell if a hack is in progress. I'll touch on a few of the clues and discuss prevention as well.
How can I tell if my computer is being hacked?
You can't.
Oh, there are some clues which you might look for, and I'll review a few of those, but ultimately, there's no way for the average computer user to know with absolute certainty that a hacker's not in the process of weaseling in, or that they haven't already.
Perhaps now you understand why I talk so much about prevention.
And I'll talk about it some more.
I'll start by pointing out that there's no real definition of "hacked" to work from. We tend to think of it as someone gaining unauthorized access to your information, which is a fine, albeit general, definition. Unfortunately, it's not nearly enough to go on for the more rigorous definition that we would need to answer questions like, "What does it look like?" and "What do we look for?"
Heck, someone walking up to your computer and logging in as you because they know your password is a "hack", but there would be no malware or software trace left - other than perhaps something in the browser history.
Contrast that with external network attacks where someone remotely tries to penetrate the software or hardware that's protecting your computer from external access. While it's more likely to leave clues, it's not always guaranteed to be obvious, especially if you often access your computer yourself remotely.
Right away, you can see that things get complex.
The sad fact is that a sufficiently talented hacker might not leave any clues that you can easily find. This is one of the concepts that makes "rootkits" different from more traditional malware, like spyware or viruses; rootkits actually modify your system so that the normal ways of looking for files, for example, will not find them.
It takes special tools.
The same is true for just about any aspect of hacking - event logs can be emptied, file date and time stamps can be arbitrarily set or modified, files can be renamed or hidden, even malicious processes can be architected to run as part of some legitimate process, or simply look like a legitimate process themselves.
So, what can you do?
This is where I repeat the standard litany of "stay safe" advice:
Use a firewall.
Use anti-malware tools - both anti-virus and anti-spyware.
Keep your software as up-to-date as possible.
If it's a mobile machine, secure its internet connection.
Get educated about things like phishing scams, the dangers of email attachments, and just generally safe internet behavior.
I expand on these in what I often refer to as my most important article: Internet Safety: How do I keep my computer safe on the internet?, and I have recommendations for the tools to consider in this article: What Security Software do you recommend?
Prevention is far more effective than any attempt to detect a malicious intrusion, either during or after the event.
If you suspect that you have been hacked, the first thing to do is to run scans with your anti-malware tools. Make sure that they're up-to-date and that their databases are up-to-date as well, and then run full scans of your entire hard disk.
After that, things get fairly techie - which is why I said earlier that it's difficult (if not impossible) for the average computer user to determine what's happening.
I'll throw out some ideas, but don't feel bad if they're beyond you - this is tough stuff.
Because most malware these days is all about either communicating back over the internet or sending spam, the first thing that I would look at would be the internet activity happening on the machine. Look for processes that you don't recognize sending data to internet end points which you also don't recognize. Don't assume that they're evil without then researching them, but that's a place to start.
I'd use the same strategy for excessive disk activity as well.
It's worth looking at what's running on your machine as well - once again, looking for processes that you don't expect and then researching them.
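One way to carry out the two checks above on a Windows machine in a single pass, as an added example that is not from the article: list every established outbound connection together with the process that owns it and who signed that process's executable, so an unfamiliar program talking to an unfamiliar endpoint stands out. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated PowerShell session so every process path can be read.

```powershell
# Added triage helper, not from the article. Joins each established TCP
# connection to its owning process and the Authenticode signer of that
# process's binary, so the "who is talking to whom" question from the text
# can be answered in one table.
function Get-NetworkTalkers {
    Get-NetTCPConnection -State Established |
        # Loopback chatter between local programs is rarely interesting here
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { "pid $($conn.OwningProcess)" }
            $path = if ($proc) { $proc.Path } else { $null }

            # Who signed the binary? Unsigned executables, or ones signed by a
            # publisher you have never heard of, deserve the research the text asks for.
            $signer = 'n/a (no path)'
            if ($path) {
                $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
                if ($sig) {
                    $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject }
                              else { "UNSIGNED or invalid ($($sig.Status))" }
                }
            }

            [PSCustomObject]@{
                Process = $name
                Path    = $path
                Signer  = $signer
                Remote  = "$($conn.RemoteAddress):$($conn.RemotePort)"
            }
        } |
        Sort-Object Process, Remote
}

# Show the result; processes with many remote endpoints or no valid signer
# are the rows to look up before deciding anything.
Get-NetworkTalkers | Format-Table -AutoSize
```

Run it a few times at quiet moments and keep the output; a baseline of what normally talks out makes a new, unexpected row much easier to notice later.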
If you're feeling particularly adventuresome (and you aren't the type to panic easily), then have a peek at the event viewer. The reason that I admonish the easily panicked not to look here is that there will be errors ... lots of them, in fact. That's normal, and that's because, to put it bluntly, the event log is a mess; occasionally, however, there can be clues in that mess. Exactly which clues are there is impossible to predict (remember, I said this was hard), but sometimes, they're helpful.
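Since the event log really is a mess, one way to pull out the clue that matters most for the "did someone log in as me?" scenario described earlier, as an added example that is not from the article: summarise recent successful logons (Security event 4624) by account and logon type, so a remote desktop or network logon you did not perform stands out. It assumes an elevated PowerShell session, which is needed to read the Security log.

```powershell
# Added example, not from the article. Filters the Security log down to
# successful logons in the last N days and groups them by account and logon
# type; the event IDs and field names are standard Windows ones.
function Get-RecentLogons {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    # Readable names for the logon types most worth a second look
    $types = @{
        '2'  = 'Interactive (at the keyboard)'
        '3'  = 'Network (file share, remote admin)'
        '7'  = 'Unlock'
        '10' = 'RemoteInteractive (Remote Desktop)'
    }

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $typeCode = $data['LogonType']
            $typeName = if ($types.ContainsKey($typeCode)) { $types[$typeCode] } else { "type $typeCode" }

            [PSCustomObject]@{
                Time      = $_.TimeCreated
                Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType = $typeName
                Source    = $data['IpAddress']
                Process   = $data['ProcessName']
            }
        } |
        # Service logons (type 5) and the built-in system/desktop accounts are
        # normal background noise; drop them so real user logons are visible.
        Where-Object {
            $_.LogonType -ne 'type 5' -and
            $_.Account -notmatch '\\(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|DWM-\d+|UMFD-\d+|ANONYMOUS LOGON)$'
        }
}

# One line per account/logon-type pair, most frequent first
Get-RecentLogons | Group-Object Account, LogonType |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

A Remote Desktop or Network logon for your account at a time you were not using the machine is exactly the kind of clue the text says is sometimes buried in that log.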
If you don't feel that you can trust your computer, then stop using it.
At least, stop using it until you can get to some reasonable level of confidence that all is as it should be, and that your next foray out to your online banking site won't result in, shall we say, "unexpected results".
Taking the time to secure your machine is important. Again, this is why I'm so adamant that prevention is so important.
It's significantly easier to prevent disaster than it is to recover from it.
PS: I'm always curious as to what techniques people use when they feel that their computer might be compromised - I certainly don't know them all. If you have a technique or suggestion that I haven't covered above, leave a comment.
Article C4807 - April 30, 2011
May 3, 2011 1:46 PM
The computer can be booted from a CD/DVD with a Linux-based boot disk when performing financial transactions if security is a real concern.
This process bypasses the hard drive and any bad stuff lurking there, although it can take several minutes to load everything into RAM.
Many Linux boot disks come with all essential programs like Firefox and OpenOffice pre-installed.
http://www.knoppix.net/
http://www.ubuntu.com/download/ubuntu/download
May 10, 2011 11:30 PM
To determine if a machine is infected with malware, Process Explorer is a useful initial and quick tool; monitoring the data transfer rate in quiescence using Network Connections or Local Area Connection Status can also provide useful information (as can some firewalls, such as Comodo). For an in-depth analysis, my tool of choice is Trend Micro's HijackThis (http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html?tag=mncol;1), with analysis of it at: http://www.ghacks.net/2008/02/08/hijackreader-analyse-hijackthis-results/ Many consider this the 'gold standard.'
When attempting to disinfect a Windows rig suspected of harboring malware, the procedure I invariably employ is to scan with at least one (usually more) third-party on-demand scanners, typically beginning with Malwarebytes Anti-Malware (http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1). If anything is found (or an infection is still suspected), a full scan with SUPERAntiSpyware (http://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html?tag=rb_content) would follow. Finally, a scan with Hitman Pro (http://download.cnet.com/Hitman-Pro-3-32-bit/3000-2239_4-10895604.html?tag=mncol;1) adds a very high degree of confidence. (Since on occasion a valid process may be tagged as malware, it is ALWAYS a good idea to back up all data and set a Restore Point before beginning each scan. Also, as Leo points out, the latest version of the scanner is always employed, and the database updated immediately before starting the scan.) I have yet to encounter a machine that gave any indication of infection after using these utilities.
(NOTE: Since running more than one anti-malware app at a time can really slow things down, I always temporarily disable the resident real-time scanner while performing the on-demand scans. Sometimes, a particular infection requires the on-demand scanners be installed - and run - in Safe Mode.)
August 3, 2011 8:52 AM
Stay away from using the Admin profile. Create and use a standard profile.
November 11, 2011 3:13 PM
Turn on via LAN (or 'Wake up via LAN') is where, if you put your computer to sleep (I think it only applies to that), you can turn it back on with another device. For me though, I look at how my computer acts - if it's super slow, or is unstable. Or I'll look at the hard drive activity light. That's a few ways I do it.
January 7, 2013 11:47 AM
I have found an unauthorized password-protected network has been set up on my computer by a housemate. How does this happen? Can it be accidental, somehow? It appears to be from their laptop, but I have had other people access my wifi without a network being set up. What can cause this and what can I do about it?
Did a search on AskLeo and it brought me to this page, which did not answer my question. Can you?