hacked?


2792
June 12th, 2003, 03:41 PM
If I suspect someone of hacking into my computer using NetBIOS (as far as I can gather from reading around the web by creating a null user account) how would I confirm this? I mean what files would have been modified by the action of hacking, are there any system logs I could check out? I don't think they did any malicious damage as the computer is still working fine, but what ways would a good hacker try to avoid my seeing their trail, like modifying the system files. If they did cover their tracks well, is there any way of seeing this? I'm running WinXP.

Also, is there any tracing software I could use to track this type of thing in the future and are there ways around this?

Thanks a lot.

99¢
June 12th, 2003, 03:48 PM
Sorry for not knowing a lot about NetBIOS... but couldn't you look to see what files have been modified recently (or modified within the time-frame of the attack)... You should also try to secure your shares a lil' more as well...


Hello all, this is going to be a basic primer on NetBIOS security. I won't go too much into detail about the specifics of this protocol other than it runs on ports 137 thru 139, with the main server, if you will, on port 139. It is used mostly for inter/intra-office communications and file/print sharing as well as for home use for the same purposes...

continued on http://neworder.box.sk/newsread_print.php?newsid=1295

thehorse13
June 12th, 2003, 04:05 PM
OK, let's take this from the top.

1) What makes you believe that you've been hacked?
2) Have you checked event viewer for any tampering?
3) Do you have an Admin account with no password?
4) Do you have the guest account enabled?
5) Are the default shares running? (i.e. $admin $ipc $c)
6) Are you exposing this machine directly to the internet?

(as far as I can gather from reading around the web by creating a null user account) how would I confirm this?

You would need to do a forensic analysis of the box. What one hacker would do is completely different from what another would do.

are there any system logs I could check out?

Yes, check event viewer for evidence of tampering

Also, is there any tracing software I could use to track this type of thing in the future and are there ways around this?

You can install tripwire and/or a number of other third party apps to verify system integrity but it all boils down to implementing good security practices from the start. This site has *tons* of threads on this so take a few minutes to cruise the MS security boards and you'll find everything that you need.

Hope this helps.
--TH13

SirDice
June 12th, 2003, 05:09 PM
There's also a very simple solution to this. Just slam the door shut by installing a (personal) firewall. Then run a good trojan/virus scanner to make sure your system is clean.

Now sit back and enjoy all the warnings your firewall will generate ;)

R0n1n
June 12th, 2003, 06:47 PM
I'm with theHorse on this one; you need to provide some more information about what's going on to make you think you are being (or have been) hacked.

Some additional questions
1) Do you have antivirus software installed?
2) Opened any strange email attachments lately?
3) Do you patch your system regularly?
4) What is your network setup?

And any other info you can provide.

Also, as SirDice stated, get a personal firewall; although this will not solve all your security problems, it will protect you from the majority of attackers. I'd recommend Sygate, but that's just my personal preference.

2792
June 12th, 2003, 09:07 PM
Basically I was in a chat room talking to a guy whom I vaguely know and he was boasting about being a pretty good hacker (or "l337" as he said). I've always been kind of interested in this sort of thing and so when he offered to send me a file with some information in it I agreed. A bit later (while still on the internet) I tried to open a document in a shared folder but a message said that that document was in use. When I tried about five seconds later, however, it opened fine. I didn't think too much about it (weird stuff happens like that all the time, right?) until I had had a look at the file he sent me, which talked about ways to hack using NetBIOS from DOS. (Basically it was C:\> nbtstat -a xxx.xxx.xxx.xxx, C:\> net use \\xxx.xxx.xxx.xxx\ipc$ "" /user:"", C:\> net view \\xxx.xxx.xxx.xxx, C:\> net use k: \\xxx.xxx.xxx.xxx\sharedfile where xxx etc. is the IP address.) Being quite paranoid I did some research on the web and apparently you can trace someone's IP address by their downloading something from you in a chat room (rather than getting the IP address of the mail server). Also I tried net view on my own IP address and it said my username followed by <20>, which apparently means it's hackable. I've realised ways to stop this from happening in the future by stopping file and print sharing (now <20> doesn't appear), using the WinXP Firewall (is this any good?), not sharing any of my folders/files/disks, and editing the registry to stop it.

The reason I want to know if I've been hacked is that I don't want to accuse this guy if it's just my over-paranoia. It would be quite embarrassing as he is normally quite nice. So is there any way I can track his (alleged) use of my computer (you say check the Event Viewer for evidence of tampering but I'm not really sure how to do this)?

(Sorry it's so long; the reason I didn't put it in the first post is that I thought no one would bother to read it.)


Thanks again.
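The "<20>" that 2792 saw is a NetBIOS name suffix: nbtstat -a prints the remote host's name table, and each entry is a name plus a one-byte suffix that says which service registered it. As an added example (not code from any poster or from the primer 99¢ quotes), here is a parser for that table with the suffix meanings a defender needs, run over a constructed sample of nbtstat output; the host name, user name and addresses in the sample are made up.

```python
import re
from typing import Dict, List, NamedTuple

# What the common NetBIOS name suffixes (the <xx> byte after the name) mean.
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation Service (the machine name)",
    ("00", "GROUP"):  "Workgroup or domain name",
    ("03", "UNIQUE"): "Messenger Service (machine name or logged-on user)",
    ("20", "UNIQUE"): "File Server Service (shares offered on TCP 139)",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"):  "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"):  "Browser Service Elections",
    ("01", "GROUP"):  "Master Browser (__MSBROWSE__)",
}


class NbtName(NamedTuple):
    name: str
    suffix: str
    kind: str      # UNIQUE or GROUP
    status: str


# One row of the table looks like: "    HOMEPC         <20>  UNIQUE      Registered"
ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")

# Constructed sample of `nbtstat -a 192.0.2.10` output; not captured from a real host.
SAMPLE = """\
Local Area Connection:
Node IpAddress: [192.0.2.10] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    HOMEPC         <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    HOMEPC         <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered
    HOMEPC         <03>  UNIQUE      Registered
    JSMITH         <03>  UNIQUE      Registered

    MAC Address = 00-00-5E-00-53-01
"""


def parse_nbtstat(text: str) -> List[NbtName]:
    """Extract the name-table rows; header, separator and MAC lines never match ROW."""
    names = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            names.append(NbtName(m.group(1), m.group(2).upper(), m.group(3), m.group(4)))
    return names


def assess(names: List[NbtName]) -> Dict[str, object]:
    """Turn the raw table into the facts that matter for exposure."""
    machine = next((n.name for n in names if n.suffix == "00" and n.kind == "UNIQUE"), None)
    workgroup = next((n.name for n in names if n.suffix == "00" and n.kind == "GROUP"), None)
    # A <03> UNIQUE name that is not the machine name is a logged-on user: exactly
    # the account name someone would aim `net use ... /user:` password guesses at.
    users = sorted({n.name for n in names
                    if n.suffix == "03" and n.kind == "UNIQUE" and n.name != machine})
    return {
        "machine": machine,
        "workgroup": workgroup,
        "logged_on_users": users,
        "file_server_advertised": any(n.suffix == "20" for n in names),
        "unknown_entries": [n for n in names if (n.suffix, n.kind) not in SUFFIXES],
    }


def report(text: str) -> List[str]:
    names = parse_nbtstat(text)
    a = assess(names)
    lines = [f"machine {a['machine']} in workgroup {a['workgroup']}"]
    for n in names:
        meaning = SUFFIXES.get((n.suffix, n.kind), "unknown suffix")
        lines.append(f"  {n.name:<16} <{n.suffix}> {n.kind:<6} {meaning}")
    if a["file_server_advertised"]:
        lines.append("File Server Service <20> advertised: net view / net use will work "
                     "against this host if a share and credentials (or a null session) allow it")
    else:
        lines.append("No <20> entry: no shares offered over NetBIOS")
    if a["logged_on_users"]:
        lines.append("Account names leaked via <03>: " + ", ".join(a["logged_on_users"]))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Disabling file and print sharing removes the <20> registration, which is what 2792 observed; the <03> entry for the logged-on user is a separate leak that only goes away when NetBIOS over TCP/IP is disabled or port 137 is filtered.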

R0n1n
June 12th, 2003, 09:17 PM
Well, anyone boasting about being "31337" probably isn't anything of the sort... but moving on... The commands you mention are standard NT commands that can provide info on shares, users, etc... basically enumeration information. Now if you are connected to the Net without a firewall and have NetBIOS running then yes, these could be used against you. A password still needs to be obtained (and hopefully you don't have a blank password).

As far as I am aware, yes, your IP address could be obtained via a download. So he may well have tried some of this stuff against you; lock your box down now with a personal firewall, which will stop any future abuse, and try running a vulnerability scanner against your box (see Pluto, Leviathan, and Cerberus for free Windows ones).

Run a virus scan to make sure you haven't been trojaned. Check any event logs you have, and take all the other steps mentioned here.

Oh, and to check Event Viewer on XP click Start/Settings/Control Panel/Administrative Tools, and Event Viewer.

2792
June 12th, 2003, 09:44 PM
I do have a password but apparently that's no protection (run PQWAQ then C:\> net use \\ipaddress\ipc$ "password" /user:administrator).

Also I completely agree about securing my system and have now locked down my system I think quite effectively (although it took a suspected hack to encourage me to get around to doing it :-) ).

I was just wondering how to see if I have been hacked; how would Event Viewer have changed for the time of the attack and what possible ways could the hacker have used to change Event Viewer back (or anything else to stop my finding out about it).

I really appreciate the input, thanks a lot.

thehorse13
June 13th, 2003, 06:09 PM
I do have a password but apparently that's no protection (run PQWAQ then C:\> net use \\ipaddress\ipc$ "password" /user:administrator).


In order for a remote user to map to your box via command line interface, they'd have to:
1) Know that you have an account named administrator
2) Know the local password for that account
3) Know that you are allowing NetBIOS shares

To check Event Viewer, just go to START>CONTROL PANEL>ADMIN TOOLS Then choose Event Viewer.
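2792 asks what Event Viewer would show for the attack window. As an added example (not from any poster), here is the sort of pass I would make over the Security log once logon auditing is switched on (Local Security Policy, secpol.msc, under Local Policies > Audit Policy > "Audit logon events", set to Success and Failure); with that policy left at "No auditing" the log has nothing to show. The records below are constructed, not a real export, and the event IDs are the Windows 2000/XP ones (Vista and later renumbered them to 4624, 4625, 4634 and 1102).

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Windows 2000/XP Security log event IDs relevant to a NetBIOS/SMB intrusion.
LOGON_SUCCESS = 528              # interactive logon at the console
NETWORK_LOGON_SUCCESS = 540      # logon type 3: a share or IPC$ session from the network
LOGON_FAILED_BAD_PASSWORD = 529
LOGOFF = 538
AUDIT_LOG_CLEARED = 517          # the one trace left by someone "wiping" Event Viewer

# Constructed sample, not a real export. Only the fields used here are kept;
# a real XP export also carries source, category and the free-text description.
SAMPLE_LOG = """\
time,event_id,user,domain,logon_type,workstation
2003-06-12 20:58:02,528,jsmith,HOMEPC,2,HOMEPC
2003-06-12 21:01:40,540,ANONYMOUS LOGON,NT AUTHORITY,3,L33TBOX
2003-06-12 21:02:05,529,administrator,HOMEPC,3,L33TBOX
2003-06-12 21:02:06,529,administrator,HOMEPC,3,L33TBOX
2003-06-12 21:02:06,529,administrator,HOMEPC,3,L33TBOX
2003-06-12 21:02:07,529,administrator,HOMEPC,3,L33TBOX
2003-06-12 21:02:09,540,administrator,HOMEPC,3,L33TBOX
2003-06-12 21:09:30,538,administrator,HOMEPC,3,L33TBOX
2003-06-12 21:09:31,517,administrator,HOMEPC,,L33TBOX
"""


def parse_log(text: str) -> List[dict]:
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["event_id"] = int(rec["event_id"])
        rec["logon_type"] = int(rec["logon_type"]) if rec["logon_type"] else None
        rows.append(rec)
    return rows


def null_sessions(records: List[dict]) -> List[dict]:
    """Successful network logons as the anonymous user: an IPC$ null session."""
    return [r for r in records
            if r["event_id"] == NETWORK_LOGON_SUCCESS and r["logon_type"] == 3
            and r["user"].upper() == "ANONYMOUS LOGON"]


def remote_logons(records: List[dict]) -> List[dict]:
    """Network logons with a real account: someone mapped a share with a password."""
    return [r for r in records
            if r["event_id"] == NETWORK_LOGON_SUCCESS and r["logon_type"] == 3
            and r["user"].upper() != "ANONYMOUS LOGON"]


def password_guessing(records: List[dict], threshold: int = 3,
                      window: timedelta = timedelta(seconds=60)) -> List[tuple]:
    """(workstation, user, total failures) wherever one workstation produced
    `threshold` bad-password events against one account inside `window`."""
    fails = defaultdict(list)
    for r in records:
        if r["event_id"] == LOGON_FAILED_BAD_PASSWORD:
            fails[(r["workstation"], r["user"])].append(r["time"])
    hits = []
    for (ws, user), times in sorted(fails.items()):
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.append((ws, user, len(times)))
                break
    return hits


def log_cleared(records: List[dict]) -> List[dict]:
    return [r for r in records if r["event_id"] == AUDIT_LOG_CLEARED]


def analyze(text: str) -> Dict[str, list]:
    recs = parse_log(text)
    return {
        "null_sessions": null_sessions(recs),
        "remote_logons": remote_logons(recs),
        "password_guessing": password_guessing(recs),
        "log_cleared": log_cleared(recs),
    }


if __name__ == "__main__":
    for finding, items in analyze(SAMPLE_LOG).items():
        print(f"{finding}: {len(items)}")
        for item in items:
            print("   ", item if isinstance(item, tuple)
                  else (item["time"], item["event_id"], item["user"], item["workstation"]))
```

The sample tells the story 2792 is worried about: a null session, a short burst of bad passwords for "administrator" from the same workstation, a successful network logon, and then the log being cleared. Clearing the log does not erase event 517 itself, so an empty Security log that begins with a 517 is evidence, not an absence of it.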

Networker
June 13th, 2003, 06:36 PM
2792: You don't have many options now. Do as R0n1n says:
Run a virus scan to make sure you haven't been trojaned. Check any event logs you have, and take all the other steps mentioned here

I'll be a bit more pessimistic than R0n1n: new viruses and malicious code appear every day, quicker than anti-virus updates. So there is no way to be 100% sure!

But for the future here comes a tip: a FIDS (File System Intrusion Detection System) will take a kind of fingerprint of your file system and will compare it after changes. Such a system will log you some info like what changed and how potentially dangerous it is.
Of course, in order to be efficient you'll have to be disciplined and look at your logs periodically. If someone gets hold of your computer and then detects the FIDS, they will delete the log that could compromise their successful attack.

check out http://www.gfisoftware.com/

raj_67006
June 13th, 2003, 08:14 PM
Hi!


My sincere advice is to install a piece of software known as "hacktracer", which will not only protect you from hackers but also trace him by location and log the information about what he attempted on your PC, and you can directly report it. OK, please don't ask me where to find hacktracer, just search in any search engine...........

Beryllium9
June 13th, 2003, 08:34 PM
To be honest, you won't ever find out if you have been hacked through NetBIOS, unless the attacker has been very stupid, or you have been very clever. The only real way to detect this is at the time of the attack itself, unless you have changed your logging policy. By default, event viewer won't show logins, failed logins, or remote connections. You have to specify that you want these types of events to be logged, and going from the question you asked, I don't think you have enabled logging of connection or login attempts, otherwise you would know whether a connection has been established or not. The biggest giveaway though has to be the fact a file was in use by a remote connection. This sounds suspect.

As for the password being ineffective, you are immune to the attack he was boasting about. Pqwaq only works on win9x machines, and was patched at least 2 years ago.

If I thought I'd been hacked through NetBIOS, the first thing I would do is reformat and reinstall, just to be safe. Then again, I'm paranoid about things like this, and better safe than sorry is very true in my opinion. This is probably a bit overkill though. With somebody else's machine, the first thing I would do is lock down the machine by disabling NetBIOS on the network adapter facing the internet. The second thing I would do is check for viruses and trojans.

During my shadier days, I'd have installed a keylogger and a backdoor in the startup folder, so that might be a good place to check for any evidence of tampering. I would've tried to crash your PC to force a restart in order to activate the trojan and keylogger next. I would also have replaced the netstat command with a version that won't show any connections that I've made, and will hide the port the backdoor is listening on. This is easy to detect, if you've got a copy of the original netstat command available to compare against.

If everything checks out OK, I would then look at all my documents to check they've not been altered, and look for unusual folders. If everything is OK and there's nothing out of the ordinary, it's pretty safe to assume nothing's been modified, but I would never trust that computer completely again, until it's been reformatted. At the end of the day, it's all about risk, and if you're prepared to take it. I might be a bit more paranoid than most with security, but I've never been hacked either.
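Three posters point at the same mechanism: thehorse13's tripwire, Networker's FIDS fingerprint, and Beryllium9's comparison of netstat against an original copy are all "hash the files you trust, hash them again later, and diff". As an added example (my code, not any poster's or any product's), here is that mechanism end to end: a baseline of a directory tree written to JSON, a second snapshot after the kind of tampering Beryllium9 describes, and the comparison that catches it. The "system drive", its files and their contents are made up inside a temporary directory so the example runs anywhere.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, dict]:
    """Hash every file under root, keyed by forward-slash relative path."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            snap[rel] = {"sha256": sha256_file(full), "size": st.st_size,
                         "mtime": int(st.st_mtime)}
    return snap


def compare(old: Dict[str, dict], new: Dict[str, dict]) -> Dict[str, List[str]]:
    both = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in both if old[p]["sha256"] != new[p]["sha256"]),
        # Same content but a different timestamp: a restored or timestamp-fiddled file.
        "touched": sorted(p for p in both if old[p]["sha256"] == new[p]["sha256"]
                          and old[p]["mtime"] != new[p]["mtime"]),
    }


def matches_known_good(path: str, known_good_sha256: str) -> bool:
    """Beryllium9's netstat check: the on-disk binary against a hash of the
    original taken from install media or another trusted copy."""
    return sha256_file(path) == known_good_sha256


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Baseline a fake drive, tamper with it, report what the comparison catches.
    Every path and file body here is invented for the example."""
    with tempfile.TemporaryDirectory() as work:
        drive = os.path.join(work, "C")
        netstat = os.path.join(drive, "WINDOWS", "system32", "netstat.exe")
        _write(netstat, b"original netstat binary (placeholder bytes)")
        _write(os.path.join(drive, "My Documents", "report.doc"), b"quarterly numbers")
        _write(os.path.join(drive, "My Documents", "old.txt"), b"soon to be deleted")
        good_netstat = sha256_file(netstat)

        # The baseline lives outside the tree it describes. On a real box keep it
        # off the machine or on read-only media: an intruder with admin rights
        # can rewrite a baseline just as easily as the files it covers.
        base_path = os.path.join(work, "baseline.json")
        with open(base_path, "w") as f:
            json.dump(snapshot(drive), f)

        # The intrusion: netstat replaced, a backdoor dropped in Startup, a file removed.
        _write(netstat, b"replacement netstat that hides the listener's port")
        _write(os.path.join(drive, "Start Menu", "Programs", "Startup", "backdoor.exe"),
               b"placeholder backdoor")
        os.remove(os.path.join(drive, "My Documents", "old.txt"))

        with open(base_path) as f:
            baseline = json.load(f)
        diff = compare(baseline, snapshot(drive))
        diff["netstat_matches_known_good"] = matches_known_good(netstat, good_netstat)
        return diff


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline is only as trustworthy as the moment it was taken, which is why Beryllium9's advice to reformat first is the honest answer for a box that may already be owned: a fingerprint made after the intrusion will happily report the trojaned netstat as "unchanged".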