
How Can I Tell If My Computer Is Being Hacked?

How can I tell if my computer is being hacked?

You can’t.

There are some clues to look for, and I’ll review a few of those, but ultimately, there’s no way for the average computer user to know with any certainty that a hacker is not in the process of weaseling in or that they haven’t done so already.

Perhaps now you’ll understand why I talk so much about prevention.

And I’ll talk about it some more.


Just what is a “hack”, anyway?

Unfortunately, there’s no consistent definition of “hacked” to use for this exercise.

In general terms, we tend to think of it as someone gaining unauthorized access to information kept on your computer. But that’s not nearly enough to go on for our analysis. We need to answer questions like, “What does it look like?”, “What do we look for?”, and “What exactly happens?”

Someone walking up to your computer and logging in as you because they know your password is a “hack”, but there would be no trace left of it, other than perhaps something in your browser history.

Contrast that with network attacks, in which someone elsewhere on the internet tries to penetrate the software or hardware protecting your computer from external access. While it’s more likely to leave clues, it’s not guaranteed. This is especially true if you access your computer remotely yourself.

Hackers try not to leave clues

A talented hacker strives to leave no trace behind. This is one of the concepts that makes so-called “rootkits” different from more traditional malware: rootkits alter the system itself so that the normal ways of looking for files, for example, will not find the rootkit’s files.

The same is true for just about any aspect of hacking: event logs can be emptied, file date and time stamps can be arbitrarily set or modified, files can be renamed or hidden; even malicious programs can be designed to run as part of some legitimate program or look like a legitimate program themselves.

So, what can you do?

First, protect yourself

This is where I repeat the standard litany of “stay safe” advice:

  • Use security software like anti-malware tools.
  • Keep your software up to date.
  • Know how and when to secure your internet connection.
  • Stay educated about the latest threats and safe internet behavior.

Prevention is far more effective than any attempt to detect a malicious intrusion, either during or after the event.

Clues

If you suspect you have been or are being hacked, the first thing to do is to run scans with your anti-malware tools. Make sure both the programs and their databases are up to date, and run full scans of your entire computer.

After that, things get fairly techie, which is why I said earlier that it’s difficult (if not impossible) for the average computer user to determine what’s happening.

I’ll throw out some ideas, but don’t feel bad if they’re beyond you; this is tough stuff.

Because most malware is communicating over the internet or sending spam, look at the internet activity happening on the machine. Look for programs you don’t recognize sending data to internet endpoints you also don’t recognize. Since there’s so much normal communication happening, you shouldn’t assume they’re evil, but instead research them to the best of your ability.

Because unexplained or unexpected disk activity can be a sign of something going on, use the same strategy for your disk activity. Once again, don’t assume what you find is evil, but use the information for your research.

It’s also worth looking at what’s running on your machine — once again looking for processes you don’t expect and then researching them. The same caveat as before: there are an amazing number of completely legitimate programs running, even on a machine that’s “doing nothing”. Use this information for research.

If you’re feeling particularly adventuresome (and you aren’t the type to panic easily), have a peek at the event viewer. The reason that I admonish the easily panicked not to look here is that there will be errors — lots of them, in fact. That’s normal, because, to put it bluntly, the event log is a mess. Occasionally, however, the mess contains clues. Exactly which clues are there is impossible to predict (remember, I said this was hard), but sometimes they’re helpful.
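The network and process checks above, combined into one triage script so the unfamiliar entries can be researched rather than guessed at. This is an added example, not code from the article; it assumes Windows 8 or later (for Get-NetTCPConnection), an elevated PowerShell session, and my own choices for which address ranges count as “local” and which paths deserve a second look.

```powershell
# Added triage script (not from the article): list every process that currently
# holds a TCP connection to a non-local address, with its executable path and
# Authenticode signature status, so the reader can research the unfamiliar ones.
# Assumes Windows 8/Server 2012 or later (Get-NetTCPConnection) and an elevated
# session so that process paths are visible for every user's processes.

function Get-NetworkTalkers {
    # Loopback and RFC 1918 private ranges are treated as "local" (assumption: home LAN).
    $localPattern = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|0\.0\.0\.0$)'

    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch $localPattern } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $path = $proc.Path   # null for protected system processes
            $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
            [PSCustomObject]@{
                Process   = $proc.ProcessName
                PID       = $_.OwningProcess
                Path      = $path
                Signature = $sig
                Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
}

# Mark entries worth researching: unsigned binaries, or binaries running from
# user-writable locations. Everything else is listed too; as the article says,
# a match is a starting point for research, not proof of anything.
$suspectPath = '\\(Temp|AppData|Downloads|ProgramData)\\'
Get-NetworkTalkers |
    Sort-Object Process |
    Format-Table Process, PID, Remote, Signature,
        @{ Name = 'Research?'; Expression = {
            if ($_.Signature -ne 'Valid' -or $_.Path -match $suspectPath) { 'yes' } else { '' } } },
        Path -AutoSize
```

Run it once on a machine you trust to learn what “normal” looks like there; the value is in comparing the list against that baseline, not in the list on its own.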

If you suspect your computer is or has been hacked

If you don’t feel you can trust your computer, stop using it.

At least stop until you can reach a reasonable level of confidence that all is as it should be, and that your next foray to your online banking site won’t result in, shall we say, “unexpected results”. If that means enlisting a techie friend or professional services, it might well be worth it.

Taking the time to secure your machine is important. Again, this is why I’m so adamant about prevention.

It’s significantly easier to prevent disaster than it is to recover from it.


16 comments on “How Can I Tell If My Computer Is Being Hacked?”

  1. Well, everyone’s first step should be to hire my wife and have her check it out. 🙂

    A few more signs that your system has been compromised…

    * You can’t get to Windows Update, or it always fails to determine if any updates are available.

    * Your anti-virus/anti-malware programs can’t get updates. Or you can’t get to any of the major AV sites.

    * Your internet connection is “mostly” fine, but you can’t get to some websites. In particular, sites for downloading/discussing anti-virus/anti-malware programs. For example, you can’t get to majorgeeks.com or bleepingcomputer.com.

    * Your anti-virus/anti-malware programs “mysteriously” crash.

    Many forms of malware actively try to prevent the “good” programs from running or getting updates, to prevent them from removing the infection.

  2. >I’m always curious as to what techniques people use when they feel that their computer might be compromised

    A hacker can do anything they want with your machine, except get physical access. I would turn the machine off. Then you can stop panicking and rushing to do everything. The hacker cannot turn it back on (although I have no idea what ‘turn on via LAN’ or those types of options do) and you are safe. Now, you can research, using another machine, at your leisure, what to do about the situation.

    But the first thing to do if your computer has been violated is turn it off (or even unplug it).

    An alternative solution could be to unhook the internet cable.

    Also, since Windows machines seem to need to be re-installed every couple of years, you can clean your machine by using this opportunity to do your bi-annual installation.

  3. I’m confused and paranoid. Let’s say I have my firewall on and all anti-malware is installed and current. Now further suppose that my computer was hacked and the hacker was able to get personal information like passwords, contact lists, account numbers, etc. But I’m not aware that I’ve been hacked. Even if I happen to be one of those people who formats his hard drive and reinstalls his operating system and programs every 6 months or so, if my ISP remains the same, my router or modem remains the same, and I use the same firewall and anti-malware that allowed me to be hacked in the first place, wouldn’t my computer still be vulnerable to that same hacker?

    That’s an unanswerable question. “If I got hacked once could I get hacked again?” – of course the answer is yes. But without knowing exactly WHAT allowed the hacker in the first time there’s no way to know if you’ve done anything to prevent him from returning. So – maybe, maybe not.

    Leo
    01-May-2011
  4. Ben:
    My guess is no. Even if you think you did everything the same as the first time, updates have been released since then.

    Whatever vulnerability that allowed you to be hacked probably affected LOTS of other people. By the time you knew you had a problem, Microsoft probably already had a patch available to prevent it from happening again. You will get the patch automatically when you finish reinstalling your Windows.

    Your anti-malware that didn’t protect you the first time will also get an update and be more capable in the future.

    The scenario you describe is pretty unlikely anyway. If your Windows and anti-malware is up-to-date, and you are using a router, and you STILL get hacked, I think there is a 99% chance that a user of YOUR computer was complicit in the hacking by installing unknown software or allowing a website to install it. Then the way to prevent it from happening again is don’t make the mistake again!

  5. On several occasions I’ve had the feeling that someone was eavesdropping on my internet connection. Fortunately, nothing malicious was happening — just annoying and silly things to frustrate my usage. The more I tried to do “x” the more difficult it would be. It was like someone was watching what I was doing and getting a kick out of throwing hazards in my way and I could just see them sitting back laughing at my feeble attempts to accomplish the things I had to do. I suspected Remote Assistance on several occasions and did what I could to disable it. I’ve done several other things to try and stop the problem ranging from reformatting the hard drive, to calling Microsoft to report it and get help, to disconnecting the computer from the phone jack, to turning the computer off for an hour or so … you name it and I’ve tried it. I saw an immediate improvement when I disconnected the computer from the phone jack and it was the easiest thing to do. After ten minutes or so, I plugged it back in and went on with whatever I was doing without the difficulties. I don’t want to jinx it, but I haven’t had the problem in a while, and I’m hoping that whoever was annoying me finally got their driver’s license and now they can date. It was that childish.

  6. Many people who have been hacked will find their traditional antivirus, anti-malware and process viewing tools compromised and providing false feedback. A hacker of the kind that leaves Jeff paranoid would not want to tip off the user that something is wrong. Hostage-ware hacks, on the other hand, intentionally disable things the user would notice. The hidden kind are by far the hardest to deal with. I assume that everything running in a hacked machine’s native environment is lying to me. Most of the hacks and rootkits I have encountered were specifically designed to hide from Windows, so running tools in a non-Windows environment often lays them bare. I use a boot disk (usually BartPE) loaded with some partitioning and process tracking tools which don’t rely on Windows to run.

    Compare a CD-launched process viewer with the one running on the compromised machine to see what’s different and then do some research to see why. A partitioning tool can reveal a small place on the drive used to store the hacking tools. A registry cleaner can sometimes identify where hidden files are because it cannot link the registry entry to the hidden file and will identify it as an obsolete key. I even found one by accident when I turned up a deleted FTP log file using a data recovery/undelete software. The guy wanted accidentally deleted pictures of his daughter’s birthday party recovered. I got back the pictures and discovered a keylogger and probable rootkit in the process. Prior to that there was no sign at all that anything was amiss.

    What I hate most about these things is that I never feel sure I really got it all. The best we can do is clean what we find, update and patch everything, beware of what you type, and hope for the best.

  7. To determine if a machine is infected with malware, Process Explorer is a useful initial and quick tool; monitoring the data transfer rate in quiescence using Network Connections or Local Area Connection Status can also provide useful information (as can some firewalls, such as Comodo). For an in-depth analysis, my tool of choice is Trend Micro’s HijackThis (http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html?tag=mncol;1), with analysis of it at: http://www.ghacks.net/2008/02/08/hijackreader-analyse-hijackthis-results/ Many consider this the ‘gold standard.’

    When attempting to disinfect a Windows rig suspected of harboring malware, the procedure I invariably employ is to scan with at least one (usually more) third-party on-demand scanners, typically beginning with Malwarebytes Anti-Malware (http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1). If anything is found (or an infection still suspected), a full scan with SUPERAntiSpyware (http://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html?tag=rb_content) would follow. Finally, a scan with Hitman Pro (http://download.cnet.com/Hitman-Pro-3-32-bit/3000-2239_4-10895604.html?tag=mncol;1) adds a very high degree of confidence. (Since on occasion a valid process may be tagged as malware, it is ALWAYS a good idea to backup all data, and set a Restore Point before beginning each scan. Also, as Leo points out, the latest version of the scanner is always employed, and the database updated immediately before starting the scan). I have yet to encounter a machine that gave any indication of infection after using these utilities.

    (NOTE: Since running more than one anti-malware app at a time can really slow things down, I always temporarily disable the resident real-time scanner while performing the on-demand scans. Sometimes, a particular infection requires the on-demand scanners be installed – and run – in Safe Mode.)

  8. Turn on via LAN (or ‘Wake up via LAN’) is where, if you put your computer to sleep (I think it only applies to that), you can turn it back on with another device. For me though, I look at how my computer acts – if it’s super slow, or is unstable. Or I’ll look at the hard drive activity light. That’s a few ways I do it.

  9. I have found an unauthorized password protected network has been set up on my computer by a housemate. How does this happen? Can it be accidental, somehow? Appears to be from their laptop, but I have had other people access my wifi without a network being set up. What can cause this and what can I do about it?
    Did a search on AskLeo and it brought me to this page, which did not answer my question. Can you?

  10. What is the best software to prevent hacking, or to tell whether a computer has been hacked or not? It becomes busy and difficult to download data for research articles. Thank you.
