Help - Think I've been hacked!
#1
Hi,
I think my 2 machines on my home network have been hacked. Doesn't seem too malicious; after some searching it seems like they might be being used for a DOS attack or something. It's just annoying as their performance is affected. Some people have far too much time on their hands.
I have two PCs running Windows XP Pro with all the latest patches etc. and latest auto-updating McAfee Viruscan connected to a broadband connection through a LinkSys BEFSR41 router and both are running the latest ZoneAlarm.
I've noticed the PCs are a bit less responsive, and there seems to be disc/lan activity when they're logged off.
Doing netstat -a on each reveals things I wouldn't expect:
1. PC1 is listening on loads of ports at lots of bizarre high numbers
2. PC1 has a netbios-ssn session open to PC2 on port 1088
3. PC1 regularly sends a SYN_SENT to the ip address of Google (this is why I think it's a DOS attack?)
4. PC1 has a connection open on 3389 to PC2 from 1386
5. PC2 has connections on 445 and 1382 to itself
6. PC2 has the netbios connection to PC1 mentioned above and netbios connections to itself?
What can I do to fix this, and given I have a router, zonealarm and all the latest patches why did it happen?
Should I be closing ports on the router, and if so, how?
Thanks,
Alex
#2
If you have XP and McAfee, what makes you think you're being hacked? Just because you have lots of activity on ports doesn't mean you have hackers. You are the same as everyone else.
If you're running slow it's because you probably have a poor net connection. Change your tranx proxy etc. Check here for your safety:
https://grc.com/x/ne.dll?bh0bkyd2
#3
First things first. Can u speak English rather than geeky computer jargon? Can't understand sh*t. Just come in from the pub and reading your post makes me want to do geek time. Mein Gott, you need to get out more.
#6
Originally Posted by Prince Popeye
First things first. Can u speak English rather than geeky computer jargon? Can't understand sh*t. Just come in from the pub and reading your post makes me want to do geek time. Mein Gott, you need to get out more.
Soulgirl - thanks, but I've done all the Shields Up stuff before. That's why I'm confused: I have a hardware firewall, software firewalls on each PC, and automatic virus and software patching, so I should be as up to date as I can be. Those systems report me as safe. How do I know I've been hacked? Because both my PCs are unresponsive, there are connections all over my network and out of it that are not mine, and specifically both PCs regularly connect to Google.
My knowledge at the low level is not extensive (I'm more at the software engineering / architect level) but they look to me like classic symptoms of my system being used for a DOS attack.
Anyone out there got anything helpful they can offer me please?
Thanks,
Alex
#7
Difficult to know Alex. The ports you've quoted don't stand out as known dodgy ports. What I would suggest is have a look at this thread and try some of the programs suggested. My post at the bottom refers to Spy Sweeper. I would recommend getting hold of that and doing thorough scans of both machines.
Firewalls and anti virus don't necessarily stop trojan programs - especially if they are broadcasting out on a known port (i.e. 80)
See what the scans show up.
Chris
#8
Originally Posted by Chris L
Firewalls and anti virus don't necessarily stop trojan programs - especially if they are broadcasting out on a known port (i.e. 80)
See what the scans show up.
Chris
Alex
#9
Windows networks typically send a lot of chuff between the workstations; I would have thought that most of what you are seeing is typical network traffic.
The connection to google is interesting though, I would try and find what process is causing it.
Do a "netstat -ao" and pick out the process ID of the connection, then find the process using "tasklist /FI "PID eq 123"" (where 123 is the actual PID).
Do you have anything like a google search addon or popup blocker or similar installed?
Also peruse the process list and see if there is anything dodgy running. Run "msconfig" and check nothing suspicious is being run at login.
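A small triage script for the steps in this post, added here and not part of the thread: it parses the output of netstat -ano (the numeric form of netstat -ao, so addresses appear as IPs rather than names), groups rows by owning PID, flags TCP connections leaving the home LAN, and builds the tasklist filter to run next. The sample netstat output, the 192.168.0.0/16 LAN range, the PC addresses and the PID values are constructed.

```python
# Added triage helper for the netstat/tasklist steps above (not from the post).
import ipaddress
from collections import defaultdict

# Constructed sample in the column layout of Windows 'netstat -ano'.
# PC1 is assumed to be 192.168.1.10, PC2 192.168.1.11; 74.125.19.99 stands in for Google.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:1088      192.168.1.11:139       ESTABLISHED     4
  TCP    192.168.1.10:1386      192.168.1.11:3389      ESTABLISHED     1532
  TCP    192.168.1.10:1402      74.125.19.99:80        SYN_SENT        1532
  UDP    0.0.0.0:445            *:*                                    4
"""

LAN = ipaddress.ip_network("192.168.0.0/16")  # assumed home subnet

def parse_netstat(text):
    """One dict per connection row; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        state = parts[3] if parts[0] == "TCP" else ""
        rows.append({"proto": parts[0], "local": parts[1], "foreign": parts[2],
                     "state": state, "pid": int(parts[-1])})
    return rows

def foreign_ip(addr):
    """'74.125.19.99:80' -> IPv4Address; '*:*' gives None (not an address)."""
    try:
        return ipaddress.ip_address(addr.rsplit(":", 1)[0])
    except ValueError:
        return None

def suspicious_pids(rows):
    """PID -> foreign endpoints of TCP connections (SYN_SENT/ESTABLISHED) off the LAN."""
    hits = defaultdict(list)
    for r in rows:
        ip = foreign_ip(r["foreign"])
        if r["proto"] == "TCP" and ip and not ip.is_unspecified \
                and r["state"] in ("SYN_SENT", "ESTABLISHED") and ip not in LAN:
            hits[r["pid"]].append(r["foreign"])
    return dict(hits)

def tasklist_command(pid):
    """The follow-up command from the post, filled in with the PID found."""
    return 'tasklist /FI "PID eq %d"' % pid
```

Feed it the saved output of netstat -ano from each PC and run the returned tasklist command for every PID it reports; a PID of 4 (System) or a known service is normal, an unfamiliar executable is what to investigate.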
#10
That model of router recently had a firmware revision to iron-out some security vulnerabilities. In addition to anything else you're doing, patch the router with the latest firmware: http://www.linksys.com/download/firmware.asp?fwid=3.
#11
If you're stuck, download this: Port Explorer. Free limited-time download; this will analyse your open ports and connections.
Chris