Incident Response Questions
I'm Seeing Suspicious Activity/An Attack From An OSU System
I'm under attack by a denial of service attack from one of OSU's address blocks.
You can contact the network security group by sending E-mail to security@osu.edu or use our web-based form. Note that we will need, at a minimum, the source IP address, the date, time and timezone of the activity that you are reporting, and a description of the suspicious activity. It is also helpful if you can give us the destination address or address range. In general, we will assign an incident number and get back to you after we've checked things out.
If you feel the matter requires urgent attention, such as in the case of an intrusion or denial of service attack in progress, you can page us at the number listed on the contact page. However, please do not use the pager except in case of an emergency.
How Can I Tell If I've Been Hacked?
It's generally difficult to tell for certain if your system has been hacked, but some things to look for include:
- Your system clock suddenly switches from EDT/EST to some other timezone, and/or the time/date change dramatically.
- The login procedure on your system changes, or you can no longer log in.
- You find a directory named "...", or ".. ", or something similar.
- The system suddenly seems much slower, and you can't find a process or memory related reason for it.
- You find processes running which don't seem to belong.
- You find entries in your logs, or in the output of the last command, showing someone logged in at odd hours or from non-local places.
If you have questions about something on the system, or suspect you have been attacked, please contact us, and let us know. We can answer any questions you might have, and may be able to tell you if your system has been attacked. We may also stop by and take a look at the machine, to verify a problem has occurred.
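As an added illustration of the last two signs above (not part of the original FAQ), here is a small script that reads `last`-style login records and flags logins outside ordinary hours or from addresses outside an assumed local network; the sample records and the 10.0.0.0/8 "local" range are constructed for the example and should be replaced with your own.

```python
import ipaddress

# Constructed sample in the format of `last` output (not real OSU records).
SAMPLE_LAST = """\
alice    pts/0        10.20.30.40      Tue Mar  5 09:12 - 10:40  (01:28)
bob      tty1                          Tue Mar  5 14:03 - 14:55  (00:52)
alice    pts/2        198.51.100.23    Wed Mar  6 03:17 - 03:41  (00:24)
root     pts/0        10.20.30.40      Wed Mar  6 23:50 - 23:58  (00:08)
"""

# Assumed "local" address space for this illustration; replace with your own.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
NORMAL_HOURS = range(7, 20)   # 07:00-19:59 treated as ordinary working hours
WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}

def parse_last_line(line):
    """Return (user, host, hour) for a login record, or None for anything else."""
    parts = line.split()
    if len(parts) < 7 or parts[0] == "reboot":
        return None
    # Console logins have no host column, so the weekday shows up at index 2.
    has_host = parts[2] not in WEEKDAYS
    host = parts[2] if has_host else ""
    time_field = parts[6] if has_host else parts[5]   # the HH:MM login time
    return parts[0], host, int(time_field.split(":")[0])

def is_local(host):
    if host == "":
        return True    # console login
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False   # a hostname rather than an address: leave it flagged for review
    return any(addr in net for net in LOCAL_NETS)

def flag_logins(text):
    """Return [(user, host, hour, reasons)] for logins worth a second look."""
    findings = []
    for line in text.splitlines():
        rec = parse_last_line(line)
        if rec is None:
            continue
        user, host, hour = rec
        reasons = []
        if hour not in NORMAL_HOURS:
            reasons.append("odd hour")
        if not is_local(host):
            reasons.append("non-local source")
        if reasons:
            findings.append((user, host, hour, reasons))
    return findings
```

Feed it the real output of `last` (or the equivalent lines from your login logs) and review every record it returns; a flagged login is a reason to look closer, not proof of an intrusion.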
How can I secure my Windows/Unix/MacOS/Multics/... computer?
For details on specific operating systems, see the Host Best Practices document, which covers things in more detail. In general, the following will help you better secure whatever system you have.
- Keep up with system patches, and keep the operating system itself up to date! (Plan on rebuilding most systems once per year)
- Stop all running services which you don't intend to use on the machine.
- When installing a machine, don't connect it up to the network until after you've patched and secured it.
- Monitor the system logs daily/frequently, and log everything you can.
- Use good passwords, the longer & more non-alphabetic the better. Change them often.
- Use ssh instead of telnet, ftp, and rlogin/rsh.
Why does the security group say my computer is infected when the anti-virus scan comes up clean?
When we tell people that their computer is infected with something, we frequently get responses such as "my anti-virus and anti-spyware software scanners said the system was clean - how can it be infected with something?" The first thing to understand is that we typically detect infected computers by detecting overt signs that they are infected. For instance, if the computer is scanning for other computers, attempting to break into them or guess passwords on them, or joining a botnet. So if we report that a computer is infected, it's because there is something strange, unusual, and/or illegal going on in the first place.
Anti-virus and anti-spyware programs work by comparing the files on the system with signatures for known viruses, spyware, bots, backdoors and so on (collectively known as malware). The anti-virus vendors can't keep up with the flood of new malware being developed day by day, and as a result they can only detect (or recognize) certain specific examples of malware. Some malware also use rootkits to hide their presence on the system.
This question also comes up when people request that we unblock their infected computers. For example, suppose that we detected that a computer joined a botnet and report it to you. You investigate, scan for viruses, find and remove a copy of Blaster, and then request that we unblock the computer because Blaster was removed. We would probably respond that although you've found and removed Blaster (which is good), you haven't found the cause for the botnet connection. Your computer is still infected with something unknown (and apparently undetectable) and we won't generally unblock it.
See also some advice on investigating compromised systems.
Why is the security group urging me to rebuild my computer?
If we're suggesting that you rebuild your computer, it's probably because you've run an anti-virus scan and found nothing, and yet we know (most probably from inspecting network traffic) that your computer is infected with something bad. The most likely cause is that it's infected with something that the anti-virus software doesn't know about and/or it's been hidden with a rootkit.
If you can't find and remove the malicious software that's been installed, the computer will continue to be insecure and will be a threat to others on the network.
Even if you do manage to determine what's been installed on the computer, in many cases rebuilding is a wise and recommended option because you can't be certain that the intruder hasn't also installed other things, such as backdoor programs, keystroke loggers, or rootkits.
They also may have made significant changes to the settings on your computer that disable security features like anti-virus software, or they could have installed extra accounts.
The easiest way to be certain that you've cleaned up the computer is to rebuild it.
Do you have any advice on how to investigate a compromised computer?
Let me start by stating that it can be difficult to fully investigate a compromised computer, especially if you are trying to determine how the computer was compromised or how to disinfect it. There are a variety of ways to hide things on a computer, and it is very easy to miss something that's been installed and hidden. There's also the question of whether the intruders made other configuration changes to your system - have they added accounts, changed passwords, disabled any services (especially security related services) or changed settings for things that might have an adverse impact on your work?
If you're investigating something that your anti-virus software doesn't know about or can't detect, we'd appreciate it if you contacted the OSU Incident Response Team to see whether we'd like to come take a look. We have some other tools that we can bring to bear on the problem that we can't make publicly available.
Note that you can easily fall prey to a false sense of security if you do manage to find something that was installed on the system. You may find one component and remove it, but fail to find other things that were installed, like a backdoor that gives an intruder easy access to the system, or an installer that will reinstall what you removed. We've also had cases where ineffective cleanup attempts angered the intruders, who then came into the system through undetected backdoors and did further damage to systems.
Finally, if you can't determine how the intruder gained access, you won't know what to fix to keep them from gaining access again once you've secured everything.
The following programs may prove useful.
Note that a clean scan does NOT mean that you are not infected with something, it just means that nothing was found - you might still be infected with something that the tools didn't detect.
- The Sysinternals site has many useful programs, including Rootkit Revealer, Autoruns, Filemon, Regmon, Handle, Process Explorer, and TCPView.
- The Microsoft Malicious Software Removal Tool checks for and removes certain malicious software.
- The F-Secure Blacklight program attempts to detect files that are hidden by rootkits.
A few other hints:
It can often be very helpful to search for files that have been modified or created in the last few days or weeks. Sometimes intruders will install new files but only take simple steps to "hide" them. If they don't change the creation or modification times on the files or the directories they are in you might be able to spot them this way.
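As an added example (not from the original FAQ), the script below applies this hint and the earlier one about oddly named directories such as "..." or ".. ": it walks a directory tree and reports files modified in the last few days, files whose modification time claims to be old while the inode changed recently (a hint that the time was forged), and dot/space-only names. It builds its own small sample tree in a temporary directory, which is constructed data, not anything from a real system.

```python
import os
import tempfile
import time

def suspicious_name(name):
    # Names made only of dots/spaces ("...", ".. ") are easy to miss in a listing.
    return name not in (".", "..") and name.strip(". ") == ""

def scan_tree(root, days=7, now=None):
    """Return (recent, backdated, odd_names) for everything under root."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    recent, backdated, odd = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        odd += [os.path.join(dirpath, d) for d in dirnames if suspicious_name(d)]
        for f in filenames:
            path = os.path.join(dirpath, f)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip it
            if suspicious_name(f):
                odd.append(path)
            if st.st_mtime >= cutoff:
                recent.append(path)          # content changed recently
            elif st.st_ctime >= cutoff:
                # mtime says "old" but the inode changed recently: on Unix ctime
                # cannot be set with touch/utime, so a forged mtime shows up here
                # (heuristic: chmod/chown also bump ctime; on Windows ctime is creation time).
                backdated.append(path)
    return sorted(recent), sorted(backdated), sorted(odd)

def build_demo_tree():
    """Constructed sample (not real data): a fresh file, a file with mtime
    forged to 30 days ago, and a directory literally named "..."."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "..."))
    open(os.path.join(root, "dropper.bin"), "w").close()
    old = os.path.join(root, "notes.txt")
    open(old, "w").close()
    past = time.time() - 30 * 86400
    os.utime(old, (past, past))  # forges atime/mtime; ctime still updates to now
    return root

def demo():
    root = build_demo_tree()
    results = scan_tree(root, days=7)
    return tuple([os.path.relpath(p, root) for p in group] for group in results)
```

On a real system run `scan_tree("/")` (or the drive root) and expect a long "recent" list from normal activity; the point is to read through it for files that don't belong, and to treat anything in the "backdated" list as worth a careful look.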
If you are trying to remove files that the intruder installed, you might want to try it from safe mode if you have difficulty removing it otherwise.
