There are some clues to look for, and I’ll review a few of those, but ultimately, there’s no way for the average computer user to know with any certainty that a hacker is not in the process of weaseling in or that they haven’t done so already.
Perhaps now you’ll understand why I talk so much about prevention.
And I’ll talk about it some more.
Just what is a “hack”, anyway?
Unfortunately, there’s no consistent definition of “hacked” to use for this exercise.
In general terms, we tend to think of it as someone gaining unauthorized access to information kept on your computer. But that’s not nearly enough to go on for our analysis. We need to answer questions like, “What does it look like?”, “What do we look for?”, and “What exactly happens?”
Someone walking up to your computer and logging in as you because they know your password is a “hack”, but there would be no trace left of it, other than perhaps something in your browser history.
Contrast that with network attacks, in which someone elsewhere on the internet tries to penetrate the software or hardware protecting your computer from external access. While it’s more likely to leave clues, it’s not guaranteed. This is especially true if you access your computer remotely yourself.
Hackers try not to leave clues
A talented hacker strives to leave no trace behind. This is one of the concepts that makes so-called “rootkits” different from more traditional malware: rootkits actually alter your system so that the normal ways of looking for files, for example, will not find the rootkit’s files.
The same is true for just about any aspect of hacking: event logs can be emptied, file date and time stamps can be arbitrarily set or modified, files can be renamed or hidden; even malicious programs can be designed to run as part of some legitimate program or look like a legitimate program themselves.
So, what can you do?
First, protect yourself
This is where I repeat the standard litany of “stay safe” advice:
- Use security software like anti-malware tools.
- Keep your software up to date.
- Know how and when to secure your internet connection.
- Stay educated about the latest threats and safe internet behavior.
Prevention is far more effective than any attempt to detect a malicious intrusion, either during or after the event.
If you suspect you have been or are being hacked, the first thing to do is to run scans with your anti-malware tools. Make sure both the programs and their databases are up to date, and run full scans of your entire computer.
After that, things get fairly techie, which is why I said earlier that it’s difficult (if not impossible) for the average computer user to determine what’s happening.
I’ll throw out some ideas, but don’t feel bad if they’re beyond you; this is tough stuff.
Because most malware communicates over the internet or sends spam, look at the internet activity happening on the machine. Look for programs you don’t recognize sending data to internet endpoints you also don’t recognize. Since there’s so much normal communication happening, you shouldn’t assume they’re evil; instead, research them to the best of your ability.
Because unexplained or unexpected disk activity can be a sign of something going on, use the same strategy for your disk activity. Once again, don’t assume what you find is evil, but use the information for your research.
It’s also worth looking at what’s running on your machine — once again looking for processes you don’t expect and then researching them. The same caveat as before: there are an amazing number of completely legitimate programs running, even on a machine that’s “doing nothing”. Use this information for research.
If you’re feeling particularly adventuresome (and you aren’t the type to panic easily), have a peek at the event viewer. The reason that I admonish the easily panicked not to look here is that there will be errors — lots of them, in fact. That’s normal, because, to put it bluntly, the event log is a mess. Occasionally, however, the mess contains clues. Exactly which clues are there is impossible to predict (remember, I said this was hard), but sometimes they’re helpful.
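To show what the three checks above (network activity, running programs, event log clues) look like when done on a Windows machine, here is an added PowerShell snapshot script; it is not from the original article. It assumes Windows 8 or later with the built-in NetTCPIP module and an elevated PowerShell window, and it only reports things for you to research, exactly as the article advises.

```powershell
# Added example (not from the Ask Leo! article): a triage snapshot for the
# "research, don't assume" approach. Assumes Windows 8+ and an elevated prompt.

# 1. Established connections, joined to the owning process and its signature.
#    Loopback/unspecified addresses are skipped to cut noise.
$conns = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' }

$report = foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $path = $proc.Path
    # Get-AuthenticodeSignature reports Valid / NotSigned / HashMismatch etc.
    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
    [pscustomobject]@{
        Process   = $proc.ProcessName
        PID       = $c.OwningProcess
        Path      = $path
        Signature = $sig
        Remote    = "$($c.RemoteAddress):$($c.RemotePort)"
    }
}

# Unsigned or invalidly signed programs talking to the internet go to the top of the research list.
$report | Sort-Object Signature, Process | Format-Table -AutoSize

# 2. Running processes whose executable lives outside the usual Windows and
#    Program Files locations. Plenty of legitimate software does this too; research, don't assume.
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -notmatch '^C:\\(Windows|Program Files)' } |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine |
    Format-Table -AutoSize -Wrap

# 3. Two event-log clues that are easy to pick out of the "mess":
#    Security 1102 = "The audit log was cleared" (logs being emptied, as the article mentions),
#    System 7045   = "A service was installed in the system" (new background program).
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Message'; e={ $_.Message -replace '\s+', ' ' }}
```

An empty result for the 1102 query simply means no log-clearing event is on record; it is not proof that nothing happened, since the log itself could have been cleared before auditing was on.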
If you suspect your computer is or has been hacked
If you don’t feel you can trust your computer, stop using it.
At least stop until you can reach a reasonable level of confidence that all is as it should be, and that your next foray to your online banking site won’t result in, shall we say, “unexpected results”. If that means enlisting a techie friend or professional services, it might well be worth it.
Taking the time to secure your machine is important. Again, this is why I’m so adamant about prevention.
It’s significantly easier to prevent disaster than it is to recover from it.