
I think my home computer has been compromised. My question is, does my intruder have access to my computer if I set the firewall to block all traffic? Will editing documents in this mode prevent him from seeing what I'm doing, for the duration of the firewall being set this way?

Also, how is the actual penetration being done? Is it through the IP that you get from your ISP? Would installing a VPN on top of a compromised system prevent the intruder from gaining access, since your IP would change/be masked? Or does it change?

SilverlightFox
Dave
  • To ask "How did the attack happen?" is like asking "How did the fire start?". While you could make guesses, it would require careful study of the burned down house by a professional to deliver a solid answer. – Anders Jul 11 '16 at 08:58
  • Welcome on Security SE. The fact that this question is about a personal computer and not a server does not alter the relevancy of the linked question. The fact is that once your machine has been compromised, it is not your machine anymore and you cannot trust it nor the commands implemented on it. How do you know that the `Block All Traffic` will really block all traffic and hasn't been altered in a way to still allow some traffic hidden to usual commands? How do you know that there is not some software hidden somewhere that will temporarily reset the settings just the time to exchange data?... – WhiteWinterWolf Jul 11 '16 at 09:08
  • I would argue that the linked question is indeed relevant, but there should be another canonical answer just for personal computers, since many of the steps in the linked answer do not make sense for a PC. See discussion here: http://meta.security.stackexchange.com/questions/2382/do-we-need-a-canonical-question-as-dupe-target-for-help-my-computer-has-a-viru – hamena314 Jul 12 '16 at 07:42
  • Anders, I meant, how does the CURRENT penetration in a compromised system happen? I understand they first get in via wifi, then gain more and more access. But after everything is compromised, how do they access my computer? – Dave Jul 12 '16 at 16:20

2 Answers


set the firewall to BLOCK ALL TRAFFIC...

If you manage to set the firewall to block all incoming and outgoing traffic then you cut off the access for the attacker as long as the firewall is set in this mode. But note that if the attacker is already on your system he might have installed software to monitor the system and can later retrieve the collected information once he gets access again. Also, if the attacker has compromised your system you cannot trust it anymore and cannot even be sure that firewall settings shown on the system actually reflect the real status of the firewall.

Also, how is the actual penetration being done?

It is impossible to say with the current information how the intrusion was done on your system. But desktop systems usually get infected because you "invite" the attacker by reading mails, surfing to web sites etc. And in this case a VPN will not help because the attack is not done from outside against your specific IP address but is done by executing code from inside a mail or web site.

Steffen Ullrich
  • I understand. If the firewall works correctly, will netstat show no connections to my computer? How did I invite the hacker, did I accidentally click on a Trojan? This is a specific attack, done by a specific person, that I know. It's not a random attack. Again, I'm very new to this, so I understand very little. – Dave Jul 11 '16 at 08:29
  • @Dave: How should I know how the attack worked in your specific case? You might have clicked on the mail, visited some web site, whatever. And if the attacker has compromised your system you cannot trust netstat anymore. – Steffen Ullrich Jul 11 '16 at 14:09

If an attacker has managed to install software on your PC, that software can initiate a connection to an outside system, unless you have configured your firewall to block outgoing traffic as well. This connection can carry back data to your PC, even through your firewall, the same way a web browser receives data from a web server.

And if you block outgoing traffic... well, there's no surfing the Internet. So basically if you don't know what has been done to your system, the only secure way is to re-install it from scratch.
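Both answers make the same two points: malware on the PC talks to the attacker by opening connections outward (so only a firewall that also blocks outgoing traffic cuts it off), and tools such as netstat on the compromised machine may lie about what is connected. The following script is an added illustration of what the first point looks like in practice; it is not code from either answer. It parses a constructed sample of `ss -tnp` output (the Linux replacement for `netstat -tnp`; the addresses, process names and PIDs are made up for the example) and lists the established connections that the local machine itself initiated towards non-local addresses. The heuristic for "initiated locally" is an assumption: a connection whose local port is one the host listens on is treated as inbound, anything else as outbound. Because of the second point, the honest way to use such a check is on a host you still trust, or against connection logs captured at the router rather than on the suspect PC.

```python
"""List established outbound connections to non-local peers from `ss -tnp` text.

Added example, not from the Security.SE answers above. Sample data is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `ss -tnp` output (hypothetical hosts, processes and PIDs).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      192.168.1.10:52344   203.0.113.5:443     users:(("firefox",pid=2134,fd=58))
ESTAB  0      0      192.168.1.10:22      192.168.1.20:51022  users:(("sshd",pid=900,fd=4))
ESTAB  0      0      127.0.0.1:631        127.0.0.1:40122     users:(("cupsd",pid=512,fd=11))
ESTAB  0      0      192.168.1.10:49812   198.51.100.23:4444  users:(("dl-helper",pid=3310,fd=7))
"""

# Ports this host listens on; in real use take them from `ss -tln` (constructed here).
LISTENING_PORTS = {22, 631}

# Networks treated as "local": RFC 1918 ranges, loopback and link-local. Checked
# explicitly rather than via ip_address().is_private, because Python also counts
# the RFC 5737 documentation ranges used in the sample as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Conn:
    local_ip: str
    local_port: int
    peer_ip: str
    peer_port: int
    process: str  # "name[pid]" or "?" when ss shows no owning process


# One ESTAB row: state, recv-q, send-q, local addr:port, peer addr:port, process column.
LINE_RE = re.compile(r'^ESTAB\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(.*)$')
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Return the established connections found in `ss -tnp` output."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line, or a non-established state such as LISTEN
        proc_m = PROC_RE.search(m.group(5))
        proc = f"{proc_m.group(1)}[{proc_m.group(2)}]" if proc_m else "?"
        conns.append(Conn(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), proc))
    return conns


def direction(conn, listening_ports):
    """Heuristic: a connection on a listening port was accepted, otherwise we dialed out."""
    return "inbound" if conn.local_port in listening_ports else "outbound"


def is_external(ip):
    """True when the address is outside loopback, link-local and RFC 1918 space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def external_outbound(text, listening_ports=LISTENING_PORTS):
    """Connections this host opened itself towards non-local peers: what an
    outbound-blocking firewall would stop, and what a default allow-out policy lets through."""
    return [c for c in parse_ss(text)
            if direction(c, listening_ports) == "outbound" and is_external(c.peer_ip)]


if __name__ == "__main__":
    for c in external_outbound(SAMPLE_SS):
        print(f"{c.process:18} {c.local_ip}:{c.local_port} -> {c.peer_ip}:{c.peer_port}")
```

On the sample, the browser's HTTPS connection and the unfamiliar process talking to port 4444 both show up as outbound; the inbound SSH session and the loopback printer connection do not. The list is only a starting point for comparing what the machine is talking to against what you expect it to be doing; as the answers say, once the host is compromised the listing itself can be falsified, and reinstalling remains the only reliable remedy.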