Saturday, March 28, 2015

You've Been Hacked! How to Know if You've Been Hacked!


You can tell when you've been hacked if you're careful enough!  

Hackers have stooped to an all-time low (it's actually an all-time high for them, of course) when it comes to infecting your systems. Present tools and techniques ensure they are always a step ahead of the security measures trying to defend your systems. It's quite easy to know and learn when your system has been compromised. All it takes is a little more attention and observation on your part.

Why Hackers Want the Use of Your Computer


Although we are familiar with the idea that hackers might be seeking our credit card numbers, bank accounts, and identity, some hackers are simply seeking the use of your computer. By infecting thousands, even millions, of computers around the world, they can create what is called a "botnet."
A botnet is simply a network of compromised computers controlled by a single command and control center. I estimate that 30 to 50% of all consumer-level computers are part of one botnet or another.
This botnet can be used for many seemingly innocuous activities and many more malicious ones. Botnets can be used to send spam, crack passwords, conduct distributed denial of service (DDoS) attacks, etc. In all cases, they are using system resources that are not available to you. You will likely detect your own system running sluggishly or erratically.
Let's take a look at how we can detect if such a security breach has taken place on YOUR system.


1. Fake antivirus messages

Among the surest signs that your system has been compromised, this ploy makes use of the fact that by the time people see the fake antivirus warning, considerable damage has already been done. A fake scan is in reality a malicious program's trick to lure people into buying its product. More often than not, clicking a link provided by the scan takes you to a professional-looking website, where you will often give out your credit card number and billing information. In this way, the program will gain complete control over your system while also making full use of your personal financial information.
 
2. Check Task Manager

The first thing to check when you suspect that you have been hacked is your Windows Task Manager. You can access it by hitting Ctrl+Alt+Del on your keyboard and selecting Task Manager at the bottom of the menu that pops up, or just type Task Manager in the run line of your Start menu.

 
When you open the Task Manager and click on the "Processes" tab, you should get a window similar to the one below. Note at the bottom the CPU usage. In this infected machine, the system is sitting idle and CPU usage is spiking near 93%! Obviously, something is going on in this system.
 
 
Below, you will see the same Task Manager on an uninfected system. With the system idle, CPU usage is under 10%.
 

 3. Unwanted browser toolbars
 
Browser toolbars are supposed to help you. However, unless they come from a very well-known vendor, they are fake and could entail a hack in the near future.

4. Redirected Internet searches
 
Did you know that hackers are paid to get your clicks to appear on someone else's website? Many times, websites don't know that clicks to their site are in fact from malicious redirection. Adding to the plight is the fact that current redirected Internet searches are securely (pun intended!) hidden from the user through additional proxies. As a result, the fake results that could alert the user for future reference are never returned. Fake unwanted browser toolbars could also lead to redirection.

5. Frequent random popups
 
Getting random browser pop-ups from websites that don't normally generate them can be very annoying, but that's only the tip of the iceberg. Frequent random popups are a sure-shot sign that your system has been compromised. Bogus toolbars are also one of the primary reasons behind them.

6. Your friends receive fake emails from your email account
 
Malware programs and hackers often pull email addresses and contact lists from your social media sites, such as Facebook, to send malicious emails to your email contacts. In taking the social media route, however, hackers get a very incomplete list of your contacts' email addresses, and these bogus emails won't have your email address as the sender. If such a case arises, your computer is safe.

7. Your online passwords suddenly change
 
You might have responded to an authentic-looking phishing email that claims to be from the service whose password ends up changed. In this way, the hacker will gain your logon information, change the password and use the service to carry out his vested interests.

8. Unexpected software installs
 
Most current malware programs are Trojans and worms, and they typically install themselves like legitimate programs. It must be noted that the unwanted software is legally installed by other programs, so it's highly advisable to read your license agreements carefully.

9. Check System Integrity Checker in Windows

Now that we know something is awry on our system, let's delve a bit deeper to see if we can identify it. Very often, malware will embed itself into the system files, which would explain why the AV software couldn't detect or remove it. Microsoft builds a system integrity checker into Windows called sfc.exe that should be able to test the integrity of these system files. Microsoft's documentation describes this utility as follows:
"System File Checker is a utility in Windows that allows users to scan for corruptions in Windows system files and restore corrupted files."

The idea here is that this tool or utility checks to see whether any changes have been made to the system files and attempts to repair them. Let's try it out. Open a command prompt by right-clicking and choose Run as Administrator. Then type the following command (make sure to press Enter afterward).

sfc /scannow

As you can see from the above screenshot, the malware remains hidden even from this tool.

10. Your mouse moves between programs and makes correct selections 
Mouse pointers moving randomly might usually be due to hardware problems. However, if the movements involve making the correct choices to run particular programs, take note that something is fishy.

11. Your bank account is missing money
 
This usually begins with your computer being compromised after you respond to a fake phishing message from your bank. The hacker logs on to your bank, changes your contact information, and transfers large sums of money.

12. Your antimalware software, Task Manager, or Registry Editor is disabled and can't be restarted
 
You didn't disable your antimalware software but find it disabled. Further, your Task Manager or Registry Editor won't start, starts and disappears, or starts in a reduced state. All these are definite signs you've been compromised.
 
13. Check Network Connections with Wireshark

If we can install third-party software for analyzing the connections to our computer, we may be able to identify the communication to and from our computer by some malicious entity. The perfect piece of software for this task is called Wireshark.
Wireshark is a free, GUI-based tool that will display all the packets traveling into and out of our computer. In this way, we might be able to identify that pesky malware that is using up all our CPU cycles and making our system so sluggish.
Since Wireshark is an application and not part of the Windows system, it is less likely to be controlled and manipulated by the malware. Click on your active interface and you should see a screen open like that below.


Wireshark then can capture all the packets traveling to and from your system for later analysis.
The key here is to look for anomalous packets that are not part of your "normal" communication. Of course, it goes without saying that you first should have an idea of what is "normal."
If you haven't looked at your normal communication, you can then filter packets to only look at a subset of all your communication. As attackers often use high number ports to evade detection, you can filter for, say ports 1500-60000. If you have malicious communication taking place, it will likely appear in that port range. Furthermore, let's just look for traffic leaving our system to see whether the malware is "phoning home" on one of those ports.

We can create a filter in Wireshark by typing it into the Filter window beneath the main menu and icons. Filters in Wireshark are a separate discipline entirely and beyond the scope of this article, but I will walk you through a simple one for this purpose here.
In this case, my IP address is 192.168.1.103, so I type:
ip.src == 192.168.1.103
This filter will only show me traffic FROM my system (ip.src). Since I also want to filter for ports above 1500 and below 60000, I can add:
and tcp.srcport > 1500 and tcp.srcport < 60000
I use tcp.srcport here rather than tcp.port, because tcp.port matches either the source or the destination port of a packet, so the two comparisons could each be satisfied by a different port.
The resulting filter will only show me traffic that meets all of these conditions, namely, it should be:
  • Coming from my IP address (ip.src == 192.168.1.103)
  • Coming from one of my TCP ports above 1500 (tcp.srcport > 1500)
  • Coming from one of my TCP ports below 60000 (tcp.srcport < 60000)
When I type all of this into the filter window, it turns from pink to green indicating my syntax is correct like in the screenshot below.

 
Now click on the Apply button to the right of the filter window to apply this filter to all traffic. When you do so, you will begin to filter for only the traffic that meets these conditions.
 

Now the key is to look for unusual traffic here that is not associated with "normal" traffic from your system. This can be challenging. To identify the malicious traffic, you will need to type the unknown IP addresses that your machine is communicating with (see the IP addresses in the box) into your browser and check to see whether it is a legitimate website. If not, that traffic should be immediately viewed with some skepticism.
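One way to work through the filtered traffic without reading it packet by packet, shown as an added example that is not part of the original post: the script below applies the same conditions (traffic from 192.168.1.103, local TCP port between 1500 and 60000) to a tab-separated field export and counts the destinations that are not on a list of known-normal hosts. The sample rows, the BASELINE set and the function names are constructed for illustration; the remote addresses are documentation ranges, not addresses from this article.

```python
import csv
import io
from collections import Counter

# Constructed sample rows in the layout produced by:
#   tshark -r capture.pcapng -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport
SAMPLE_EXPORT = """\
192.168.1.103\t49822\t198.51.100.20\t443
192.168.1.103\t50110\t203.0.113.77\t6667
192.168.1.103\t50111\t203.0.113.77\t6667
192.168.1.103\t50112\t203.0.113.77\t6667
198.51.100.20\t443\t192.168.1.103\t49822
192.168.1.103\t61500\t203.0.113.9\t80
192.168.1.103\t51000\t192.0.2.45\t8080
192.168.1.103\t\t192.168.1.1\t
"""

MY_IP = "192.168.1.103"        # the article's example address
BASELINE = {"198.51.100.20"}   # assumption: hosts you already know are normal


def outbound_in_range(row, my_ip=MY_IP, low=1500, high=60000):
    """Same conditions as the display filter: from my IP, local port in range."""
    src, sport, _dst, _dport = row
    return src == my_ip and low < int(sport) < high


def unfamiliar_destinations(export_text, baseline=BASELINE):
    """Count outbound (destination IP, port) pairs that are not in the baseline."""
    counts = Counter()
    for row in csv.reader(io.StringIO(export_text), delimiter="\t"):
        # Non-TCP packets export empty port fields; skip them and short rows.
        if len(row) != 4 or not (row[1].isdigit() and row[3].isdigit()):
            continue
        if outbound_in_range(row) and row[2] not in baseline:
            counts[(row[2], int(row[3]))] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (dst, port), packets in unfamiliar_destinations(SAMPLE_EXPORT):
        print(f"{dst}:{port}  {packets} packets")
```

Destinations that keep reappearing at the top of this list across captures are the ones worth checking first.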
Detecting whether your computer is infected with malware is not necessarily a simple task. Of course, for most, simply relying on antivirus software is the best and simplest technique. Given that this software is imperfect, some of the techniques outlined here may be effective in determining whether you have really been hacked or not.

Monday, March 23, 2015

HP SmartCache Configuration Process


Here, I am using an embedded P420i controller installed in an HP Gen8 Server. I have also updated the controller firmware and ACU version to the latest. I have used the Intelligent Provisioning feature of the HP Gen8 Server and launched ACU from there. You can also run ACU within the Operating System to configure HP SmartCache.

[ NOTE: If you are using HP Smart Storage Administrator, the interface will be slightly different. But the steps and procedure remain the same. ]

Steps:

1. Open Array Configuration utility on your Server. You can launch HP ACU or HP SSA (HP Smart Storage Administrator) from Intelligent Provisioning or from the Operating system (Windows, Linux etc).


2. Select the HP Smart Array controller from the drop down menu as shown below.


3. As you can see from the image provided below, the HP Smart Array Controller P420 is connected to four 300GB SAS HDDs and two 200 GB Solid State Disks (SSDs).



4. Now let us create an Array using two SAS HDDs. To create an array, click on the Create Array button.
 

 5. Select SAS, select the HDDs and click OK button as shown below.


6. Now the SAS Array A is created. Let us create a new Logical drive on this array.
 
7. Click on Create logical drive button to create a new logical drive.



8. Select the RAID and click on Save (Here, I have selected RAID 1).


9. Now you have successfully created the logical drive in SAS Array A.

 
10. Now I will create one more Array and Logical drive using the remaining SAS HDDs.

11. To create another Array, select Unassigned drives, then click on the Create Array button.

 



12. Select SAS, select the HDDs and click on OK button as shown below.

 

13. Now SAS Array B is created. Let us create a new Logical drive in this array.

14. Click on Create Logical drive to create a new Logical drive.



15. Select the RAID level and click on Save button as shown below.


16. Now you have created logical drive 2 under SAS Array B.


17. Now it is the time to enable HP SmartCache on the Controller.

18. Click on the HP Smart Array Controller, then click on Enable HP SmartCache option as shown below.




19. Select the option Solid State SAS, click Save.

[ NOTE: When you create SmartCache, you are not creating any more RAID logical drives on these SSDs. So you do not have to specify any RAID levels here. Moreover, you cannot use any unused space on the SSD to create an array or logical drive. In short, once you assign an SSD to SmartCache, it cannot be used for any other purpose at the same time. ]


20. You will receive a warning. Click OK in the warning.


21. It will create a new SmartCache Array on your Server as shown below.




22. To assign a SmartCache to a logical drive, select the SmartCache Array C from left pane, click on Create HP SmartCache logical drive button as shown below.





23. Now select the Logical drive for which you want to assign HP SmartCache.

[ NOTE: The recommended SmartCache size is 10% of the logical drive. As the first logical drive is 279 GB, it is recommended to set the SmartCache size of the first logical drive to 27.9 GB. ]



 24. Click on Save button once you are done. Now you have successfully created a 27.9 GB of Cache for your Logical drive 1 (RAID 1 with 279 GB).  Good Job


Now let us assign HP SmartCache for logical drive 2. You can repeat Step 23, 24, 25 and select Logical drive 2 to assign HP SmartCache for Logical drive 2. Here, you can try another method to assign the HP SmartCache. Whichever method you follow, the outcome is the same.


25. To assign HP SmartCache for Logical Drive 2, here I will show you an alternate method.

26. Click on Logical Drive 2 at the left pane of ACU window.

27. Click on Create SmartCache for Logical drive  as shown below.




28. Select the Recommended size option as shown below.




29. Now you have successfully configured HP SmartCache for both Logical Drive 1 and 2




30. Congrats, you have successfully configured HP SmartCache on your Server.

You can notice that we have 316.6 GB of remaining HDD space on HP SmartCache Array C. This space can be used to create more SmartCache for future logical drives that you might create. But you can't use this space for any RAID or storage.
  
                                                                  ************

If you would like to know more about HP SmartCache or if you have any doubts, you can always leave a comment here. I will try my level best to answer the questions left by you. 
Thank you for reading.