Old 02-15-2005, 06:58 PM   #11
Solid State Member
Join Date: Feb 2005
Posts: 9
Re: I want to know why I am being hacked

I have Norton 2005 installed, always have had. I have Windows XP with SP2.
In the Norton worm protection settings there have been some rules put in by "user" which I didn't put in, as I have only just found them; I didn't know anything about these settings till this week.
Nortons
Options
Internet Worm Protection
Program Control---there are a few to permit: a couple that I don't know are ipscan[1] and tiscali dialer plus others

Then under general rules there are 10 rules about permitting a whole lot of things that I don't understand.

If you then go to the Norton main window and choose Reports - View Activity Log - Connections, it mostly has my IP address connecting to whatever site. But on the 12 Feb it has a different IP address connecting to sites (like Hotmail and others) for about 90 minutes.

Then on the system log: it says it is protecting my system to a "newly detected network on adapter" with my IP address mostly. But on the 12th Feb there is a new entry that I have never seen before: it was protecting to a newly detected network adapter "WAN (PPP/SLIP) Interface" (IP address is this new one).

{I have talked to my ISP and they say that because I was connected to this new IP address they cannot help, because I was not on their network}

Then on the Alerts log it has 5 rules that "the user has created a rule to permit communication"

11/11/04: permit Inbound UDP local address service is my IP. remote address service is another IP address. process name is msnmsgr.exe

15/11/04: permit inbound TCP communication local address is my IP. remote address is another IP (similar to the one above). process name svchost.exe

27/12/04 permit TCP inbound communication. local and remote are my IP

24/1/05 permit inbound UDP packets local address 0.0.0.0 remote is yet another IP with netbios. process name is ipscan[1].exe
24/1/05 similar to the one above with a slightly different IP.

There was an entry somewhere about the newly detected adapter being a server of some sort (Google search).

I could delete all these entries, but I want to know what is happening, rather than delete and forget.

Windows pfirewall log matches up, but with more detail (I think).

On that night of the 12th Feb there was so much logging going on, so much more than usual. I saved some of the Norton logs in Word and one document is 1038 pages just for that night, and it is in 8-point font.

There is more, but this quick overview seems like a lot.
So I would love it if you could tell me I am just paranoid and it is nothing, and I will continue on. I am too scared to connect that PC to the internet. So I am using this old old old computer on dial up and trying to leave my broadband alone!
Posted by jacktruck
Old 02-17-2005, 02:12 PM   #12
Site Team
Join Date: Mar 2004
Posts: 7,999
Re: I want to know why I am being hacked

http://www3.ca.com/securityadvisor/p....aspx?id=42957

you'll probably find that you have some kind of virus; the vast amount of activity is the virus/worm trying to infect other systems...

when your computer was trying to connect to lots of machines what port was it trying to connect on?
Posted by root
Old 02-17-2005, 02:59 PM   #13
Solid State Member
Join Date: Feb 2005
Posts: 9
Re: I want to know why I am being hacked

I have run McAfee Stinger and Norton's full scan. The log entry for Norton's activities is the same for page after page after page:

Rule "default inbound Bootp" blocked (10.49.0.1,bootpc(68)).
Occasionally saying that various symantec shared folders are entering like ccLgView.exe and ccApp.exe and LuComServer_2_6.exe
and NDIS filtering is enabled
Posted by jacktruck
Old 02-17-2005, 03:19 PM   #14
Site Team
Join Date: Mar 2004
Posts: 7,999
Re: I want to know why I am being hacked

don't worry about port 68, it's a boot DHCP, a perfectly harmless service. It's a bit unusual that it's coming from the internet rather than a local network, but I seriously doubt it's a hacking attempt.
Posted by root
Old 02-17-2005, 03:26 PM   #15
Mal
In Runtime
Join Date: Jan 2005
Posts: 221
Re: I want to know why I am being hacked

I've had alerts related to ccApp.exe and LuComServer since I installed N 2005 back in October too. My alerts certainly weren't like yours though; I did have crazy internet traffic one day but that was due to a bug I picked up from "NetStat", the IP monitor program. Got rid of that and all has been fine though, so good luck in finding out what did yours. Mine did come from a local network, and like root says, an online one is strange.
Posted by Mal
Old 02-20-2005, 07:44 AM   #16
Solid State Member
Join Date: Feb 2005
Posts: 9

The IP address it comes from is 10.49.0.1. On a Google lookup of that IP address, this IP is used in a trace route to something called speakeasy.
It doesn't stop; the log files have it every 2 minutes. And ccLgView.exe is preparing to access the internet all the time. It changed to this IP address after the night of funny activity, after I blocked 10.20.17.49.

These are the log entries of Norton's activities log on the night of weird activity; I have never seen the log files look like this.

2/12/2005 5:02:52 AM,An instance of "C:\WINDOWS\System32\rasautou.exe" is preparing to access the Internet.,An instance of "C:\WINDOWS\System32\rasautou.exe" is preparing to access the Internet.
2/12/2005 5:01:50 AM,An instance of "C:\WINDOWS\system32\ZoneLabs\vsmon.exe" is preparing to access the Internet.,An instance of "C:\WINDOWS\system32\ZoneLabs\vsmon.exe" is preparing to access the Internet.
2/12/2005 4:07:34 AM,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.
2/12/2005 3:59:06 AM,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.
2/12/2005 3:39:59 AM,An instance of "C:\WINDOWS\system32\rasphone.exe" is preparing to access the Internet.,An instance of "C:\WINDOWS\system32\rasphone.exe" is preparing to access the Internet.
2/12/2005 3:26:34 AM,An instance of "C:\Program Files\Outlook Express\msimn.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Outlook Express\msimn.exe" is preparing to access the Internet.
2/12/2005 3:24:32 AM,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.
2/12/2005 3:13:45 AM,An instance of "C:\Program Files\Outlook Express\msimn.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Outlook Express\msimn.exe" is preparing to access the Internet.
2/12/2005 3:12:22 AM,An instance of "C:\Program Files\MSN Messenger\msnmsgr.exe" is preparing to access the Internet.,An instance of "C:\Program Files\MSN Messenger\msnmsgr.exe" is preparing to access the Internet.
2/12/2005 3:12:11 AM,An instance of "C:\Program Files\Outlook Express\msimn.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Outlook Express\msimn.exe" is preparing to access the Internet.
2/12/2005 3:08:03 AM,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.
2/12/2005 3:06:04 AM,An instance of "C:\Program Files\Messenger\msmsgs.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Messenger\msmsgs.exe" is preparing to access the Internet.
2/12/2005 3:06:00 AM,An instance of "C:\WINDOWS\system32\rasphone.exe" is preparing to access the Internet.,An instance of "C:\WINDOWS\system32\rasphone.exe" is preparing to access the Internet.
2/12/2005 3:00:57 AM,An instance of "C:\Program Files\NetMeeting\conf.exe" is preparing to access the Internet.,An instance of "C:\Program Files\NetMeeting\conf.exe" is preparing to access the Internet.
2/12/2005 2:56:57 AM,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.
2/12/2005 2:55:27 AM,An instance of "C:\Program Files\Outlook Express\msimn.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Outlook Express\msimn.exe" is preparing to access the Internet.
2/12/2005 2:47:01 AM,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.
2/12/2005 2:43:57 AM,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.
2/12/2005 2:43:54 AM,An instance of "C:\Program Files\Microsoft Office\Office\WINWORD.EXE" is preparing to access the Internet.,An instance of "C:\Program Files\Microsoft Office\Office\WINWORD.EXE" is preparing to access the Internet.
2/12/2005 2:13:35 AM,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.
2/12/2005 2:11:57 AM,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.
2/12/2005 2:11:21 AM,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.
2/12/2005 2:08:52 AM,An instance of "C:\Program Files\Outlook Express\msimn.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Outlook Express\msimn.exe" is preparing to access the Internet.
2/12/2005 1:55:43 AM,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.
2/12/2005 1:54:47 AM,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.
2/12/2005 1:44:37 AM,An instance of "C:\Program Files\Outlook Express\msimn.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Outlook Express\msimn.exe" is preparing to access the Internet.
2/12/2005 1:42:09 AM,An instance of "C:\Program Files\Common Files\Symantec Shared\ccLgView.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Common Files\Symantec Shared\ccLgView.exe" is preparing to access the Internet.
2/12/2005 1:40:22 AM,An instance of "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" is preparing to access the Internet.
2/12/2005 1:38:36 AM,An instance of "C:\Program Files\Symantec\LiveUpdate\LuComServer_2_6.EXE" is preparing to access the Internet.,An instance of "C:\Program Files\Symantec\LiveUpdate\LuComServer_2_6.EXE" is preparing to access the Internet.
2/12/2005 1:37:59 AM,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.
2/12/2005 1:37:35 AM,An instance of "C:\Program Files\MSN Messenger\msnmsgr.exe" is preparing to access the Internet.,An instance of "C:\Program Files\MSN Messenger\msnmsgr.exe" is preparing to access the Internet.
2/12/2005 1:36:58 AM,An instance of "C:\WINDOWS\system32\ZoneLabs\vsmon.exe" is preparing to access the Internet.,An instance of "C:\WINDOWS\system32\ZoneLabs\vsmon.exe" is preparing to access the Internet.
2/12/2005 1:36:56 AM,An instance of "C:\WINDOWS\System32\svchost.exe" is preparing to access the Internet.,An instance of "C:\WINDOWS\System32\svchost.exe" is preparing to access the Internet.
2/12/2005 1:35:27 AM,An instance of "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" is preparing to access the Internet.
2/12/2005 1:35:23 AM,An instance of "C:\WINDOWS\Explorer.EXE" is preparing to access the Internet.,An instance of "C:\WINDOWS\Explorer.EXE" is preparing to access the Internet.
2/12/2005 1:35:23 AM,An instance of "C:\WINDOWS\System32\svchost.exe" is preparing to access the Internet.,An instance of "C:\WINDOWS\System32\svchost.exe" is preparing to access the Internet.
2/12/2005 1:34:46 AM,An instance of "C:\WINDOWS\System32\alg.exe" is preparing to access the Internet.,An instance of "C:\WINDOWS\System32\alg.exe" is preparing to access the Internet.
2/12/2005 1:34:39 AM,An instance of "C:\WINDOWS\System32\svchost.exe" is preparing to access the Internet.,An instance of "C:\WINDOWS\System32\svchost.exe" is preparing to access the Internet.
2/12/2005 1:34:36 AM,An instance of "C:\WINDOWS\system32\lsass.exe" is preparing to access the Internet.,An instance of "C:\WINDOWS\system32\lsass.exe" is preparing to access the Internet.
2/12/2005 1:34:34 AM,Internet Worm Protection configuration updated: 101 rules.,Internet Worm Protection configuration updated: 101 rules.
2/12/2005 1:34:34 AM,NDIS filtering is enabled.,NDIS filtering is enabled.
2/12/2005 12:29:14 AM,An instance of "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" is preparing to access the Internet.
2/12/2005 12:29:10 AM,An instance of "C:\WINDOWS\Explorer.EXE" is preparing to access the Internet.,An instance of "C:\WINDOWS\Explorer.EXE" is preparing to access the Internet.
2/12/2005 12:29:10 AM,An instance of "C:\WINDOWS\System32\svchost.exe" is preparing to access the Internet.,An instance of "C:\WINDOWS\System32\svchost.exe" is preparing to access the Internet.

Continued in next message......
Posted by jacktruck
Old 02-20-2005, 07:46 AM   #17
Solid State Member
Join Date: Feb 2005
Posts: 9

This is a continuation of the last reply.......

2/12/2005 12:26:53 AM,An instance of "C:\WINDOWS\System32\alg.exe" is preparing to access the Internet.,An instance of "C:\WINDOWS\System32\alg.exe" is preparing to access the Internet.
2/12/2005 12:26:46 AM,An instance of "C:\WINDOWS\System32\svchost.exe" is preparing to access the Internet.,An instance of "C:\WINDOWS\System32\svchost.exe" is preparing to access the Internet.
2/12/2005 12:26:43 AM,An instance of "C:\WINDOWS\system32\lsass.exe" is preparing to access the Internet.,An instance of "C:\WINDOWS\system32\lsass.exe" is preparing to access the Internet.
2/12/2005 12:26:40 AM,NDIS filtering is enabled.,NDIS filtering is enabled.
2/12/2005 12:26:41 AM,Internet Worm Protection configuration updated: 101 rules.,Internet Worm Protection configuration updated: 101 rules.

This is the activities log in Norton just before my computer was hooked up to another server, and the log of that is below:

2/12/2005 5:02:50 AM,IP address 10.20.17.49 has disappeared and is no longer being protected.,IP address 10.20.17.49 has disappeared and is no longer being protected.
2/12/2005 3:40:07 AM,Protecting your connection to a newly detected network on adapter "WAN (PPP/SLIP) Interface" (IP address: 10.20.17.49).,Protecting your connection to a newly detected network on adapter "WAN (PPP/SLIP) Interface" (IP address: 10.20.17.49).
2/12/2005 3:08:49 AM,IP address 10.20.17.49 has disappeared and is no longer being protected.,IP address 10.20.17.49 has disappeared and is no longer being protected.
2/12/2005 3:06:08 AM,Protecting your connection to a newly detected network on adapter "WAN (PPP/SLIP) Interface" (IP address: 10.20.17.49).,Protecting your connection to a newly detected network on adapter "WAN (PPP/SLIP) Interface" (IP address: 10.20.17.49).
2/12/2005 1:36:41 AM,Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC" (IP address: 210.49.216.233).,Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC" (IP address:210.49.216.233).
2/12/2005 1:35:34 AM,User logged in.,User logged in.
2/12/2005 1:34:34 AM,Internet Worm Protection setting "Port Block Allow NetBIOS" changed.,"Internet Worm Protection setting ""Port Block Allow NetBIOS"" changed. Old Value: 1. New Value: 0."
2/12/2005 1:31:14 AM,No user is logged in.,No user is logged in.
2/12/2005 12:29:16 AM,User logged in.,User logged in.
2/12/2005 12:26:41 AM,Internet Worm Protection setting "Port Block Allow NetBIOS" changed.,"Internet Worm Protection setting ""Port Block Allow NetBIOS"" changed. Old Value: 1. New Value: 0."

Does anyone know why the log files are weird for this time period above, and why they are not anything like that now?
Posted by jacktruck
Old 02-20-2005, 08:08 AM   #18
Site Team
Join Date: Mar 2004
Posts: 7,999
Re: I want to know why I am being hacked

the first thing that strikes me is that 10.49.0.1 is not a valid IP address. I don't know how you traced this to speakeasy (I assume http://www.speakeasy.net/)

According to section 3 of RFC 1918 (internet usage and numbers) 10.0.0.0 - 10.255.255.255 are reserved for private networks.
Tracing using whois confirms that this network block is black-holed by IANA;
trying to ping this network does take packets outside my firewall (since it's not a local address) but the packets soon die as they cannot be routed.

as for your logs...

unless you were accessing the internet, the rasautou.exe process is concerning, and could point to some kind of trojan dialer. http://www.auditmypc.com/process/rasautou.asp

vsmon:
some people think this is a virus
http://www.auditmypc.com/process/vsmon.asp

but others think it is a Zone alarm feature


Once the internet connection has been established, there is nothing unusual about Outlook Express (msimn.exe) or Internet Explorer (iexplore.exe) accessing the internet.

lsass.exe (in this case c:\windows\system32\) is a system process and nothing to worry about.
Symantec software always accesses the internet; it's to do with LiveUpdate etc...

rasphone.exe is a process used in establishing dialup connections...
in short I doubt you've been hacked, but you might find that you have some kind of trojan dialer (unless you are a dialup user and were using the internet at that time)
Posted by root
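As an added example (not code from the thread, from Symantec, or from any poster), here is a small Python parser for the Norton activity log format quoted above: it counts which executables were "preparing to access the Internet", lists each newly detected adapter with its address checked against the RFC 1918 private ranges root mentions, and pulls the old/new values out of the "Port Block Allow NetBIOS" setting changes. The sample lines are constructed to match the shape of the thread's logs, and the function names are my own.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample in the same comma-separated shape as the Norton activity
# log quoted in the thread: timestamp, message, then the message repeated
# (CSV-quoted when it carries extra detail such as old/new setting values).
SAMPLE_LOG = r'''2/12/2005 3:40:07 AM,Protecting your connection to a newly detected network on adapter "WAN (PPP/SLIP) Interface" (IP address: 10.20.17.49).,Protecting your connection to a newly detected network on adapter "WAN (PPP/SLIP) Interface" (IP address: 10.20.17.49).
2/12/2005 3:39:59 AM,An instance of "C:\WINDOWS\system32\rasphone.exe" is preparing to access the Internet.,An instance of "C:\WINDOWS\system32\rasphone.exe" is preparing to access the Internet.
2/12/2005 1:37:59 AM,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.,An instance of "C:\Program Files\Internet Explorer\iexplore.exe" is preparing to access the Internet.
2/12/2005 1:36:41 AM,Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC" (IP address: 210.49.216.233).,Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC" (IP address:210.49.216.233).
2/12/2005 1:34:34 AM,Internet Worm Protection setting "Port Block Allow NetBIOS" changed.,"Internet Worm Protection setting ""Port Block Allow NetBIOS"" changed. Old Value: 1. New Value: 0."
2/12/2005 1:34:34 AM,NDIS filtering is enabled.,NDIS filtering is enabled.
'''

# RFC 1918 private ranges (the point root makes about 10.49.0.1).
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

ACCESS_RE = re.compile(r'An instance of "([^"]+)" is preparing to access')
ADAPTER_RE = re.compile(r'network on adapter "([^"]+)" \(IP address: *([\d.]+)\)')
SETTING_RE = re.compile(r'setting "([^"]+)" changed\. Old Value: (\S+)\. New Value: (\S+)\.')


def parse_log(text):
    """Return (timestamp, message, detail) tuples, oldest first."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3:
            continue  # blank or truncated line
        ts = datetime.strptime(row[0].strip(), "%m/%d/%Y %I:%M:%S %p")
        events.append((ts, row[1], row[2]))
    return sorted(events)  # Norton exports newest first; flip to chronological


def is_rfc1918(ip):
    return any(ip_address(ip) in net for net in RFC1918)


def process_accesses(events):
    """Count 'preparing to access the Internet' events per executable name."""
    counts = Counter()
    for _, msg, _ in events:
        m = ACCESS_RE.search(msg)
        if m:
            counts[m.group(1).rsplit("\\", 1)[-1].lower()] += 1
    return counts


def adapter_events(events):
    """Newly detected networks, flagging addresses in the RFC 1918 ranges."""
    found = []
    for ts, msg, _ in events:
        m = ADAPTER_RE.search(msg)
        if m:
            found.append({"time": ts, "adapter": m.group(1),
                          "ip": m.group(2), "rfc1918": is_rfc1918(m.group(2))})
    return found


def setting_changes(events):
    """(time, setting, old, new) for Internet Worm Protection setting changes."""
    return [(ts,) + SETTING_RE.search(detail).groups()
            for ts, _, detail in events if SETTING_RE.search(detail)]
```

A private 10.x address showing up on a "WAN (PPP/SLIP)" adapter is exactly the kind of entry this flags, since such addresses are not routable on the public internet.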
Old 02-20-2005, 08:11 AM   #19
Site Team
Join Date: Mar 2004
Posts: 7,999
Re: I want to know why I am being hacked

the part at the very bottom of the second post is very weird; you should make sure that any ports you are not using are blocked...
to check this go to www.grc.com and take the Shields Up test, which will let you know what ports are open.
Posted by root
Old 02-21-2005, 01:34 AM   #20
Solid State Member
Join Date: Feb 2005
Posts: 9
Re: I want to know why I am being hacked

Thank you so much for looking at the logs. The part I think you mean about the NetBIOS is strange and it keeps happening all the time. There is a "rule created by user" (not me, I don't know how to do that) that says to allow local netbios-ns port 137 and local netbios-dgm port 138 UDP, and it is called a default inbound NetBIOS. It is in Norton 2005 - Options - Internet Worm Protection - General Rules (along with about 10 other rules). How do these rules get there?
Posted by jacktruck