View Full Version : I Think My System has been Compromised

Max Power
07-29-2002, 12:44 PM
Hi Everybody
I hope I posted this in the right place. It's a security issue so I put it in here.

We have a PC upstairs that my wife and kids mainly use. I was looking for a file that I saved to that PC about a year ago. Couldnt find it there, so I went into My Network Places to see if my computer downstairs was connected to our small network.
I was pretty sure that it was not connected but there was a small chance I could save a trip downstairs. When I opened my Workgroup to my surprise I got about 8 computers connected to my network. They were names like Sam, WWW, John123 with the little icon of a desktop pc next to the name. I should have one computer connected at the most. When I would click on a name a message would say that I did not have access to that server except for WWW which asked for a username and password. My wife informed me that this computer could be connected to the internet for days.
For days ? It's a dialup. My experience with dial ups is that they disconnect you after an hour or less of inactivity.
She installed a weather program that runs continuously while she is on the internet that gives local tempature and barometer readings. Maybe that is why the continous connectivity to the internet ....or maybe somebody installed software on that PC to keep it connected.
I had to replace the hard drive a while back and forgot to install Zone Alarm and Anti Virus software....I know... my fault.
I immediatly installed Zone Alarm and removed all settings of my network, then rebooted. After reboot the connected computers to my network were gone. When I connected to the internet, immediatly Zone Alarm blocked a connection on port 139 to an IP address with a message about Netbious datagram.
I plan on getting virus software today.

Has anybody ever had this happen? Has my system been compromised? How is the system connected to the internet for so long on a dialup connection? What is Netbios datagram?
What else can I do to protect my home network?
I know that's alot of questions but the whole thing puzzles me.

07-29-2002, 02:52 PM
Netbios is another older network protocol
Check with the Kids.
Ask them If they have installed and file sharing programs.
With netbios protocol You could/can actually run programs on other systems from your machine and vise versa ..

Is your system secure ??
In a Word NO
ZA should help But you Need to get an anti virus and Trojan finding program and clean that system out.

You should also check for and Remove unwanted file share programs like Kazoo or what ever the name was/is
It can actually use your system as a server and storage machine

In addition Turn OFF File and Printer Sharing till you get it cleaned Out

07-29-2002, 04:41 PM
Look here and grab one of the anti-trojan scanners.....


07-29-2002, 06:44 PM
YES! you've been " hacked " in the vernacular of the day!

Port 139 ( Netbios ) is for File & print sharing ( don't confuse NetBIOS { computer name } with NetBUEI { NetBIOS user extended interface, a NON routable network protocol } ) so if your network was setup for file and print sharing and someone scanned your gateway ( the PC you have connected to the internet- or router ) and discoverd that 139 was open, it'd be very simple to pull the NetBIOS name down and then access your network-especially if you had basic passwords/accounts setup.

My suggestion-blow your drives away and do a fresh install of windows, as you have no idea what has been comprimised, then after reinstall BEFORE you get your home network setup you get a good firewall program and an antivirus program, setup the security on your gateway then get your network back on the internet.

It is unusal for a dial-up connection to remain connected for great lengths unless a constant reminder is sent to your isp to not dissconnect you when it detects no activity, ther are small programs out there that are designed to do just this; basicly they just chatter alot when you are connected to let your isp server know that your line is still active-very easy for someone once they were on your network to install this.

Max Power
07-30-2002, 12:53 PM
Thanks for the input everybody.
Yes iisbob , I did have File sharing activated but no passwords setup. I guess my thinking was that since I had a dial up connection (which disconnected after about 1/2 hour of inactivity)and I thought Zone Alarm was installed, I would be an unlikely hacker target.
After I deactivated the file sharing and rebooted the mysterious users connected to my Workgroup were gone. Now when I click on my workgroup I get a message that says "The Workgroup is inaccessible, list of servers for this workgroup not currently available".
I guess that's good?

I also obtained Inoculate anti virus software, upgraded the signature and ran the scan...came up clean.
In addition I ran Adaware and it picked up over 30 spyware files.
I also plan on trying those anti trojan scanners that mjc suggested.

Last night when I came home from work my wife informed me that Zone Alarm blocked over 500 attempts to access the computer, but she somehow deleted the log before I could take a look. (I had problems inserting the mad face here, somehow it was inserted at the bottom of the page)
She said it was the same Netbios datagram .
My wife also informed me that she reinstalled the Weatherbug after I uninstalled it.( see mad face at bottom of page )

As I sat down to work on the computer, ZA continued to block incoming scans.
I did a WHOIS thru Sam Spade for the IP address and I found out it was my local ISP.
Mixed in were scans from other places but my ISP clearly dominated. The next popular scan was from the European Regional Internet Registry, which according to WHOIS, assigns IP addresses for European users. Also Time Warner Telecom was another .
I disabled the Weatherbug program and the scans seemed to drop off.

This morning ZA was blocking outgoing attempts to use NETBIOS to connect to another computer. When I did a WHOIS that computer was my ISP. ZA suggested that my computer was attempting to get an IP address and that I should not worry.
That sounds suspicious to me.

I plan on calling my ISP tonight and see what they are doing or if they know what is happening.
This weekend I will probably fdisk, format and reinstall like issbob suggested.

:mad: :mad:

07-30-2002, 02:25 PM
It sounds like Weatherbug might also be wanting to act as a server.....

Just quit playing around with it, and WIPE those drives.....

Change all passwords, if you have done any online purchasing or banking, get those accounts changed. (both machines)