5.2. I've Been Hacked!

If you suspect that your computer has been hacked, unplug it from the network (or disable WiFi), but do not turn it off. Call your local computer security experts, and do not touch the computer until they arrive.

Once a computer has been hacked, that operating system installation is finished. Don't even think about trying to patch your way out of it. The only way to clean a hacked system is by backing up your files, reformatting the hard disk, reinstalling, and changing every password that was ever typed on the computer, whether it was a local password or a password on another computer someone connected to from the hacked computer.

Antivirus and other antimalware software only detects known malware. If a hacker installs a custom program of their own design, it will not be detected.

There are many sites listing the steps you need to take, but most are incomplete. Below is a fairly comprehensive list.

  1. Unplug the computer from the network to cut off the hacker's access immediately.
  2. Stop using the computer. Especially, do not use the computer to log into any other computers over the network, as you will likely be giving away your passwords to those machines as you type them.
  3. USING A DIFFERENT COMPUTER, immediately change your passwords on every other computer that you have ever connected to from the hacked computer. Every password that has ever been typed on the hacked machine must be changed, as the hacker may have been monitoring all of your keystrokes for a long time before the intrusion was detected. That includes local passwords on the PC as well as passwords entered on the PC to log into remote machines.
  4. If you have IT staff trained in computer security, contact them. They may want to do a forensic analysis on the machine to determine who hacked it and how.
  5. Back up your data files. Note that they may have been corrupted by the hacker, so check them carefully before relying on them.
  6. Do not back up any programs, scripts, installation media, or configuration files. They may be infected with malware and restoring them to the newly installed system will allow the hacker right back in. Antivirus and other antimalware programs do not detect all malware. Don't think for a minute that your computer is clean just because your virus scan didn't find anything. This is foolish wishful thinking that will only cause more problems for you and others around you.
  7. Reformat all disks in the computer and reinstall the operating system from trusted install media. (Do not use install media that was stored on the hacked computer!)
  8. Do not use any of the same passwords on the new installation. Create new passwords for every user and every application on the computer.
  9. Restore your data files from backup.
  10. Reinstall all programs from trusted installation media.
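
One way to apply steps 5 and 6 when making the backup, shown as an added example that is not part of the original text: copy only data files, and leave out anything that is a program, script, installer, or configuration file, judged by file content as well as by name. The extension denylist, the dot-file rule, and the function names are assumptions made for this illustration.

```python
import os
import shutil

# Leading bytes that mark a file as a program or script, whatever its name says.
MAGIC = {
    b"\x7fELF": "ELF executable",
    b"MZ": "Windows PE executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
    b"#!": "script with interpreter line",
}
# Constructed denylist of script, installer and configuration extensions (an assumption).
DENY_EXT = {".sh", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".py", ".pl", ".exe", ".dll",
            ".msi", ".iso", ".dmg", ".pkg", ".deb", ".rpm", ".jar", ".conf", ".cfg", ".ini"}

def classify(path):
    """Return a reason to leave the file out of the backup, or None to keep it."""
    name = os.path.basename(path)
    if os.path.islink(path):
        return "symbolic link"
    if name.startswith("."):
        return "dot file (usually configuration)"
    ext = os.path.splitext(name)[1].lower()
    if ext in DENY_EXT:
        return "denied extension " + ext
    with open(path, "rb") as fh:
        head = fh.read(4)
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label  # e.g. an executable renamed to look like a document
    return None

def backup_data_files(src, dst):
    """Copy only files that pass classify(); return (copied, skipped) lists."""
    copied, skipped = [], []
    for root, _dirs, files in os.walk(src):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, src)
            reason = classify(path)
            if reason:
                skipped.append((rel, reason))
                continue
            target = os.path.join(dst, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copyfile(path, target)  # copies content only, not permission bits
            copied.append(rel)
    return copied, skipped
```

A file that passes this filter is not thereby known to be clean or intact; as step 5 says, the copied data files still need to be checked carefully before you rely on them.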