
Help - Think I've been hacked!

Old 02 July 2004, 11:32 PM
  #1  
BigGT3Fan
Scooby Regular
Thread Starter
 
Join Date: Jul 2001
Posts: 464

Hi,

I think my 2 machines on my home network have been hacked. Doesn't seem too malicious, after some searching seems like they might be being used for a DOS attack or something. It's just annoying as their performance is affected. Some people have far too much time on their hands.

I have two PCs running Windows XP Pro with all the latest patches etc. and latest auto-updating McAfee Viruscan connected to a broadband connection through a LinkSys BEFSR41 router and both are running the latest ZoneAlarm.

I've noticed the PCs are a bit less responsive, and there seems to be disc/lan activity when they're logged off.

Doing netstat -a on each reveals things I wouldn't expect:

1. PC1 is listening on loads of ports at lots of bizarre high numbers
2. PC1 has a netbios-ssn session open to PC2 on port 1088
3. PC1 regularly sends a SYN_SENT to the ip address of Google (this is why I think it's a DOS attack?)
4. PC1 has a connection open on 3389 to PC2 from 1386
5. PC2 has connections on 445 and 1382 to itself
6. PC2 has the netbios connection to PC1 mentioned above and netbios connections to itself?



What can I do to fix this, and given I have a router, zonealarm and all the latest patches why did it happen?



Should I be closing ports on the router, and if so, how?



Thanks,

Alex
Old 03 July 2004, 02:21 AM
  #2  
Soulgirl
Scooby Regular
 
Join Date: Dec 2002
Location: Here!
Posts: 5,145

If you have XP and McAfee.. what makes you think you're being hacked? Just coz you have lots of activity on ports doesn't mean you have hackers.... you are the same as everyone else.

If you're running slow it's coz you probably have a poor net connection.. change your tranx proxy etc.. check here for your safety

https://grc.com/x/ne.dll?bh0bkyd2
Old 03 July 2004, 02:41 AM
  #3  
Prince Popeye
BANNED
 
Join Date: Mar 2004
Posts: 529

First things first. Can u speak English rather than geeky computer jargon? Can't understand sh*t. Just come in from pub and reading your post makes me want to do geek time. Mein Gott you need to get out more.
Old 03 July 2004, 07:13 AM
  #4  
Soulgirl
Scooby Regular
 
Join Date: Dec 2002
Location: Here!
Posts: 5,145

You could never guess how far from geeky computer I am. Hit the link I gave and follow the instructions!
Old 03 July 2004, 08:11 AM
  #5  
Nick
Scooby Senior
 
Join Date: Oct 1998
Location: Highlands
Posts: 2,805

Soulgirl, I think he was replying to the OP, not to you.
Old 03 July 2004, 12:36 PM
  #6  
BigGT3Fan
Scooby Regular
Thread Starter
 
Join Date: Jul 2001
Posts: 464

Originally Posted by Prince Popeye
First things first. Can u speak English rather than geeky computer jargon? Can't understand sh*t. Just come in from pub and reading your post makes me want to do geek time. Mein Gott you need to get out more.
Hmm, this forum used to be full of helpful people. You've just come in from the pub and gone straight to the SN computer forum, who's the geek? I'm just trying to find someone who can help me fix this problem I discovered as it's impacting my work.

Soulgirl - thanks but I've done all the shields up stuff before. That's why I'm confused, I have a hardware firewall, software firewalls on each PC, automatic virus and software patching so I should be as up to date as I can be. Those systems report me as safe. How do I know I've been hacked - because both my PCs are unresponsive, there are connections all over my network and out of it that are not mine, and specifically both PCs regularly connect to Google.

My knowledge at the low level is not extensive (I'm more at the software engineering / architect level) but they look to me like classic symptoms of my system being used for a DOS attack.

Anyone out there got anything helpful they can offer me please?

Thanks,

Alex
Old 03 July 2004, 01:01 PM
  #7  
Chris L
Scooby Regular
 
Join Date: May 2000
Location: MY00,MY01,RX-8, Alfa 147 & Focus ST :-)
Posts: 10,371

Difficult to know Alex. The ports you've quoted don't stand out as known dodgy ports. What I would suggest is have a look at this thread and try some of the programs suggested. My post at the bottom refers to Spy Sweeper. I would recommend getting hold of that and doing thorough scans of both machines.

Firewalls and anti virus don't necessarily stop trojan programs - especially if they are broadcasting out on a known port (i.e. 80)

See what the scans show up.

Chris
Old 03 July 2004, 01:05 PM
  #8  
BigGT3Fan
Scooby Regular
Thread Starter
 
Join Date: Jul 2001
Posts: 464

Originally Posted by Chris L
Firewalls and anti virus don't necessarily stop trojan programs - especially if they are broadcasting out on a known port (i.e. 80)

See what the scans show up.

Chris
Chris, thanks very much, I'm aware that things can still get through, will try that and see what it reports...

Alex
Old 03 July 2004, 01:28 PM
  #9  
ajm
Scooby Regular
 
Join Date: Sep 2002
Location: The biosphere
Posts: 7,824

Windows networks typically send a lot of chuff between the workstations, I would have thought that most of what you are seeing is typical network traffic.

The connection to google is interesting though, I would try and find what process is causing it.

Do a "netstat -ao" and pick out the process ID of the connection, then find the process by using "tasklist /FI "PID eq 123"" (where 123 is the actual PID).

Do you have anything like a google search addon or popup blocker or similar installed?

Also peruse the process list and see if there is anything dodgy running. Run "msconfig" and check nothing suspicious is being run at login.
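
The PID-to-process lookup described in the post above, as an added example that is not part of the thread: Python that joins `netstat -ano` rows to `tasklist /FO CSV /NH` rows, names the process behind any TCP peer outside the LAN, and counts listening ports per process. The sample output, addresses, PIDs and `example.exe` are constructed, and only IPv4 rows are handled.

```python
import csv
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of `netstat -ano` output (not taken from the thread).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5101           0.0.0.0:0              LISTENING       1712
  TCP    0.0.0.0:5102           0.0.0.0:0              LISTENING       1712
  TCP    192.168.1.100:1088     192.168.1.101:139      ESTABLISHED     4
  TCP    192.168.1.100:1386     192.168.1.101:3389     ESTABLISHED     2040
  TCP    192.168.1.100:1402     203.0.113.10:80        SYN_SENT        1712
  UDP    0.0.0.0:1900           *:*                                    1100
"""
# Constructed sample of `tasklist /FO CSV /NH` output.
TASKLIST_SAMPLE = '''"System","4","Console","0","216 K"
"svchost.exe","884","Console","0","3,900 K"
"svchost.exe","1100","Console","0","4,100 K"
"example.exe","1712","Console","0","9,800 K"
"mstsc.exe","2040","Console","0","7,300 K"
'''
LAN = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                               "127.0.0.0/8", "0.0.0.0/32")]

def parse_netstat(text):
    """Return (proto, local, remote, state, pid) for each TCP/UDP row."""
    rows = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 5 and parts[0] == "TCP":
            rows.append((parts[0], parts[1], parts[2], parts[3], int(parts[4])))
        elif len(parts) == 4 and parts[0] == "UDP":  # UDP rows have no state
            rows.append((parts[0], parts[1], parts[2], "", int(parts[3])))
    return rows

def parse_tasklist(text):
    """Map PID -> image name from CSV tasklist output."""
    return {int(r[1]): r[0] for r in csv.reader(text.splitlines()) if r}

def triage(rows, procs):
    """Name the process behind off-LAN TCP peers and count listeners per PID."""
    outbound = []
    for proto, local, remote, state, pid in rows:
        host = remote.rsplit(":", 1)[0]
        if proto == "TCP" and not any(ip_address(host) in n for n in LAN):
            outbound.append((remote, state, pid, procs.get(pid, "?")))
    listeners = Counter(pid for _, _, _, state, pid in rows if state == "LISTENING")
    return outbound, {(p, procs.get(p, "?")): c for p, c in listeners.items()}
```

On a live machine the two samples would be replaced by the saved output of the two commands; a PID that maps to `?` exited between the two captures.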
Old 03 July 2004, 02:53 PM
  #10  
Fatman
Scooby Regular
 
Join Date: Aug 2002
Posts: 2,390

That model of router recently had a firmware revision to iron-out some security vulnerabilities. In addition to anything else you're doing, patch the router with the latest firmware: http://www.linksys.com/download/firmware.asp?fwid=3.
Old 03 July 2004, 09:36 PM
  #11  
Chris L
Scooby Regular
 
Join Date: May 2000
Location: MY00,MY01,RX-8, Alfa 147 & Focus ST :-)
Posts: 10,371

If you're stuck - download this Port Explorer. Free ltd time download - this will analyse your open ports and connections.

Chris