Whenever there’s an intrusion into a system (human or malware), it makes a lot of changes in various parts of the affected system. The intrusion might create new files or delete existing ones, change Registry entries, modify user accounts, and so on.
Following are some of the signs of a possible intrusion:
1. Login failures for valid users:
In the event of an intrusion or compromise, the passwords of valid, active users on the system may have been changed, or their accounts locked, so that legitimate users suddenly fail to log in.
2. Active unused accounts:
Every system has some accounts that are rarely used, such as system or service accounts created for a specific purpose. During or after an intrusion, such dormant accounts may suddenly show activity. Attackers often use dormant accounts to get into the system.
3. Logins during non-business hours:
Every system keeps a record of the last login time for each user account. If a couple of accounts repeatedly show last logins during non-business hours, it may be a sign of an intrusion.
4. Unusual system performance:
Suppose an organization has a server that has been running at 40% CPU utilization for the last two months. Suddenly, over a weekend, CPU utilization shoots up to 95%. This might be a sign of an intrusion. Another server has been crashing and rebooting frequently for the last couple of days; this, too, could be due to some kind of malicious intrusion.
5. Strange timestamps:
Every file and folder on the system has timestamps recording when it was created, last modified, and last accessed. If multiple files on the file system show strange or outdated timestamps, it is a clear indication that a malicious program has tampered with the system.
6. Unknown processes and ports:
After a successful intrusion, a compromised system may show many unknown processes and open ports with connections to unknown remote hosts.
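The first three signs above (login failures for valid users, dormant accounts becoming active, and logins outside business hours) can all be checked mechanically against an authentication log. The script below is an added example, not code from the original article: it assumes a simple, constructed log line format (`<date> <time> SUCCESS|FAILED user=<name> src=<ip>`), a constructed set of valid users, and a constructed baseline of each account's last known login, and it flags events matching each sign. The thresholds (three failures, a 60-day dormancy window, 08:00 to 18:00 business hours) are illustrative assumptions.

```python
"""Triage an authentication log for three signs of intrusion.

Assumed (constructed) log line format, one event per line:
    YYYY-MM-DD HH:MM:SS SUCCESS|FAILED user=<name> src=<ip>
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log for illustration; not real data.
SAMPLE_LOG = """\
2024-03-01 09:12:03 SUCCESS user=alice src=10.0.0.5
2024-03-01 22:47:10 FAILED user=alice src=198.51.100.7
2024-03-01 22:47:15 FAILED user=alice src=198.51.100.7
2024-03-01 22:47:21 FAILED user=alice src=198.51.100.7
2024-03-01 22:48:02 FAILED user=alice src=198.51.100.7
2024-03-02 03:14:22 SUCCESS user=svc_backup src=198.51.100.7
2024-03-02 03:16:40 SUCCESS user=bob src=198.51.100.7
2024-03-02 14:00:00 FAILED user=nosuchuser src=10.0.0.9
"""

# Constructed inventory: which accounts really exist, and when each last logged in.
VALID_USERS = {"alice", "bob", "svc_backup"}
BASELINE_LAST_SEEN = {
    "alice": datetime(2024, 2, 28, 9, 0, 0),
    "bob": datetime(2024, 2, 29, 17, 30, 0),
    "svc_backup": datetime(2023, 11, 15, 2, 0, 0),  # idle for months
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<result>SUCCESS|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts; lines not in the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def failed_logins_for_valid_users(events, valid_users, threshold=3):
    """Sign 1: repeated failures against accounts that actually exist.
    Failures for unknown usernames are ignored here (a separate signal)."""
    counts = Counter(e["user"] for e in events
                     if e["result"] == "FAILED" and e["user"] in valid_users)
    return {user: n for user, n in counts.items() if n >= threshold}


def off_hours_logins(events, start_hour=8, end_hour=18):
    """Sign 3: successful logins outside business hours (log's local clock)."""
    return [(e["user"], e["ts"]) for e in events
            if e["result"] == "SUCCESS"
            and not (start_hour <= e["ts"].hour < end_hour)]


def dormant_account_activity(events, last_seen, dormant_days=60):
    """Sign 2: successful logins to accounts idle for at least dormant_days.
    Returns (user, login time, days since previous login)."""
    hits = []
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        prev = last_seen.get(e["user"])
        if prev is not None and e["ts"] - prev >= timedelta(days=dormant_days):
            hits.append((e["user"], e["ts"], (e["ts"] - prev).days))
    return hits


def triage(text, valid_users, last_seen):
    """Run all three checks over a log and return the findings by sign."""
    events = parse_events(text)
    return {
        "login_failures": failed_logins_for_valid_users(events, valid_users),
        "off_hours": off_hours_logins(events),
        "dormant_active": dormant_account_activity(events, last_seen),
    }


if __name__ == "__main__":
    for sign, findings in triage(SAMPLE_LOG, VALID_USERS, BASELINE_LAST_SEEN).items():
        print(f"{sign}: {findings}")
```

Run against the constructed sample, the script reports four failures against `alice` (a real account), two successful logins at around 3 a.m. for `svc_backup` and `bob`, and `svc_backup` coming back to life after 108 idle days from the same remote address as the failed attempts; the failures for `nosuchuser` are deliberately left out of the first check because they do not involve a valid user. In practice the baseline of last-login times comes from the system's own login records (for example the Windows Security log or the Unix `lastlog` data), and the checks are most useful when correlated by source address, as this sample shows.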