How can you tell if your computer system is being attacked? If you notice something odd about your system's behaviour, it may have been compromised. Signs that a system may have been compromised include:
- Exceptionally slow network activity, disconnection from network services, or unusual network traffic.
- A system alarm or similar indication from an intrusion detection tool
- Suspicious entries in system or network accounting (e.g., a UNIX user obtains privileged access without using authorized methods)
- Accounting discrepancies (e.g., someone notices an 18-minute gap in the accounting log that nothing in the system's normal activity explains)
- Repeated unsuccessful logon attempts
- New user accounts of unknown origin
- Unusual log entries, such as network connections to unfamiliar machines or services, or clusters of login failures.
- New files of unknown origin and function
- Unexplained changes, or attempts to change, file sizes, checksums, or date/time stamps, especially on system binaries or configuration files
- Unexplained addition, deletion, or modification of data
- Denial-of-service activity, or one or more users being unable to log in to an account, including admin/root logins at the console
- System crashes
- Poor system performance: the system is slower than normal and less responsive than expected. (Note: unexplained disk activity may simply be routine disk maintenance, such as file clean-up while the system is idle, which is normal.)
- Unauthorized operation of a program, or the addition of a sniffer application to capture network traffic or usernames/passwords
- Reconnaissance activity such as port scanning (use of exploit and vulnerability scanners, remote requests for information about systems and/or users, or social engineering attempts)
- Unusual usage times (statistically, more security incidents occur during non-working hours than at any other time)
- A recorded last-use time for an account that does not correspond to the actual last time that account was used
- Unusual usage patterns (e.g., programs are being compiled in the account of a user who does not know how to program)
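Several of the signs above (repeated failed logons, new accounts of unknown origin, new files, and checksum changes to system binaries or configuration files) can be checked mechanically rather than by eye. The script below is an added example, not code from the original page: it keeps a SHA-256 baseline of files, diffs it against the current contents, looks for extra UID-0 accounts in an `/etc/passwd`-style file, and flags source addresses with a burst of failed SSH logons in a sliding window. All file contents and log lines are constructed in memory so it runs offline; the year passed to the log parser is an assumption, because syslog timestamps carry none.

```python
"""Host-triage helpers for a few of the compromise indicators listed above.
Added example; the files and auth-log lines are constructed samples."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime


# --- Indicator: unexplained checksum changes, new or removed files ----------

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """files maps path -> bytes (stand-in for reading disk at a known-good time).
    Returns path -> SHA-256 digest to store for later comparison."""
    return {path: sha256_hex(content) for path, content in files.items()}


def integrity_diff(baseline: dict, current: dict) -> dict:
    """Compare current file contents against a stored baseline.
    Returns sorted 'modified', 'added' and 'removed' path lists."""
    now = {p: sha256_hex(c) for p, c in current.items()}
    return {
        "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "added": sorted(p for p in now if p not in baseline),
        "removed": sorted(p for p in baseline if p not in now),
    }


# --- Indicator: new accounts of unknown origin (here: extra UID-0 users) -----

def extra_uid0_accounts(passwd_text: str) -> list:
    """Names of accounts other than root whose UID field is 0."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


# --- Indicator: repeated unsuccessful logon attempts -------------------------

# OpenSSH "Failed password" lines in syslog format: "Mon DD HH:MM:SS host sshd[pid]: ..."
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def failed_logon_bursts(lines, threshold=5, window_seconds=60, year=2024):
    """Return {source_ip: total_failures} for every source IP that produced at
    least `threshold` failed logons inside any `window_seconds` sliding window.
    `year` is assumed because syslog timestamps omit it."""
    events = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append(ts)
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


# --- Constructed sample data (not real files or logs) ------------------------

SAMPLE_BASELINE_FILES = {
    "/bin/ls": b"ELF-ls-original",
    "/bin/ps": b"ELF-ps-original",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
}
SAMPLE_CURRENT_FILES = {
    "/bin/ls": b"ELF-ls-original",
    "/bin/ps": b"ELF-ps-TROJANED",  # modified system binary
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nbackup2:x:0:0::/:/bin/sh\n",  # extra UID-0 user
    "/tmp/.x": b"sniffer",  # new file of unknown origin
}
SAMPLE_AUTH_LOG = [
    "Mar 14 02:13:01 host sshd[4011]: Failed password for root from 203.0.113.9 port 51022 ssh2",
    "Mar 14 02:13:04 host sshd[4012]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2",
    "Mar 14 02:13:07 host sshd[4013]: Failed password for root from 203.0.113.9 port 51024 ssh2",
    "Mar 14 02:13:09 host sshd[4014]: Failed password for invalid user oracle from 203.0.113.9 port 51025 ssh2",
    "Mar 14 02:13:12 host sshd[4015]: Failed password for root from 203.0.113.9 port 51026 ssh2",
    "Mar 14 02:13:15 host sshd[4016]: Accepted password for root from 203.0.113.9 port 51027 ssh2",
    "Mar 14 09:41:30 host sshd[5120]: Failed password for alice from 192.0.2.7 port 40011 ssh2",
    "Mar 14 17:02:11 host sshd[5301]: Failed password for alice from 192.0.2.7 port 40044 ssh2",
]


def triage() -> dict:
    """Run all three checks over the sample data and return the findings."""
    return {
        "integrity": integrity_diff(build_baseline(SAMPLE_BASELINE_FILES), SAMPLE_CURRENT_FILES),
        "uid0_accounts": extra_uid0_accounts(SAMPLE_CURRENT_FILES["/etc/passwd"].decode()),
        "logon_bursts": failed_logon_bursts(SAMPLE_AUTH_LOG),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

On a real host the baseline must be built while the system is still trusted and stored off-box, because an attacker who can replace `/bin/ps` can also rewrite a baseline kept on the same disk; a burst of failures followed by an `Accepted` line from the same address, as in the sample log, is the pattern worth escalating first.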