was i hacked
Results 1 to 10 of 10

Thread: was i hacked

  1. #1
    Junior Member
    Join Date
    Nov 2001
    Posts
    20

    was i hacked

    Hello,
    well I just recieved an instant message by someone who claimed to be a member. I talk to him for a few minutes and then proceded on with things. Started playing a game online and it was really laggy. Got suspicious so I then ran a check...

    went to ms-dos typed in netstat -an
    came up with syn request from ip 172.xx.184.1 - 172.xx.184.254

    then typed netstat -r

    with 3 established ports
    looked like this

    foreign address
    172.xx.134.54 syn sent
    172.xx.134.55 syn sent
    172.xx.134.56 syn sent
    172.xx.134.57 syn sent
    172.xx.134.58 syn sent
    -berp-ci04.dial.aol.com: 13784 established
    205.176.25.195: 5190 established
    bombnet.p3psi.org: established
    172.xx.134.116 syn sent
    172.xx.134.5 syn sent
    172.xx.134.6 syn sent
    172.xx.134.7 syn sent
    172.xx.134.8 syn sent
    etc........


    it seems to me that this is a scan on my port look like it was succesful. Am i correct and how do i fix and defend. Please help me out. P3psi is a virus I believe. Where can i find it if it has been executed as i am sure it will be well hidden
    Share on Google+

  2. #2
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007
    It looks to me as if you're being stealth-scanned. In other words, just a slightly tricky way for them to portscan you normally...

    Er, wait... If it was a half-scan, wouldn't it show 'ACK sent', since it is Syn-Ack-Syn? Anyone else want to elaborate on what netstat is trying to say here? I've hardly ever had non-established or non-listening states pop up.

    Did it say what port bombnet.p3psi.org was at? Are you sure you weren't just browsing a page there or something? I would suggest getting either The Cleaner from http://www.moosoft.com or Tauscan from http://www.agnitum.com , both trojan scanners and removers. I've never heard of a 'p3psi' trojan, though.
    [HvC]Terr: L33T Technical Proficiency
    Share on Google+

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    257
    Er, wait... If it was a half-scan, wouldn't it show 'ACK sent', since it is Syn-Ack-Syn? Anyone else want to elaborate on what netstat is trying to say here? I've hardly ever had non-established or non-listening states pop up.
    I don't really know much about scanning people for vulnerabilities, but if I remember my tcp/ip correctly an ack will only be sent from a listening port. Non-listening ports will respond with a rst, though I don't think you'll see either activity from netstat.

    I have no idea how they got the output they posted by using the -r switch, that just displays the routing table.

    pepsi is a udp flooder, never heard of p3psi.
    Share on Google+

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Posts
    677
    Get a firewall !
    [www.zonelabs.com]

    If you want more detailed info about these things, some kind of Intrusion Detection System would maybe help, though most firewalls log *everything* thrown at them!
    One Ring to rule them all, One Ring to find them.
    One Ring to bring them all and in the darkness bind them.
    (The Lord Of The Rings)
    http://www.bytekill.net
    Share on Google+

  5. #5
    Member
    Join Date
    Oct 2001
    Posts
    88
    foreign address
    172.54.134.54 syn sent <--- is an internal network address
    172.54.134.55 syn sent
    172.54.134.56 syn sent
    172.54.134.57 syn sent
    172.54.134.58 syn sent
    -berp-ci04.dial.aol.com: 13784 established <---your chat buddy
    205.176.25.195: 5190 established <----AOL Instant Messanger
    bombnet.p3psi.org: established <---looks like a machine name
    172.54.134.116 syn sent
    172.54.134.5 syn sent
    172.54.134.6 syn sent
    172.54.134.7 syn sent
    172.54.134.8 syn sent
    etc........

    agree, get a good little firewall like Tiny Personal Firewall (if windows user).
    Share on Google+

  6. #6
    Banned
    Join Date
    Oct 2001
    Posts
    590
    psi0nic is right
    sometimes after talking on Icq/AIM the ip of the person will show up when you run netstat.
    Share on Google+

  7. #7
    Senior Member
    Join Date
    Sep 2001
    Posts
    800
    If you are playing an online game than those other adresses would probably be the other players that you are playing against.
    Are you running a firewall?
    [gloworange]\"A hacker is someone who has a passion for technology, someone who is possessed by a desire to figure out how things work.\" [/gloworange]
    Share on Google+

  8. #8
    Did you direct connect to your AIM buddy? He/She may have been spoofing bombnet; in which case his/her IP would show up in a netstat (bombnet.p3psi.org if he/she were spoofing), although I don't know what bombnet.p3psi.org is.
    Share on Google+

  9. #9
    Junior Member
    Join Date
    Nov 2001
    Posts
    20
    Well, I put up a firewall. Upon which I recived a waring message that a progam called MIRC32.exe was attempting to act a server.
    I proceded to dissconnect and lock the port.
    Now the problem is that when I dissable the firewall, the program reattempts to establish the connection. So i searched for the Program....Once i found it....in windows as a file, with no directory extensions, i tried to delete it. Said it was currently being used. So i entered the editreg command under run and tried to find it. I am really not that familiar with the reg (something i am currently reading up on ). I read the readme file hidden on the program and it specifies connection to certain ports not sure exactly....I think it was 6190 and 34720 or something like that the ones that netscan picked up. It also talked about transfering files....i will post that readme later tonight...i am at work now.

    Anyone one with some real knowledge of the all so famous reg please lend me a hand on figuring out what this program is and where it is hidden....
    One more hint the things executes, or should i say pops up when i reboot...as soon as windows loads up there it is, and then its gone, as though its told to load, attempt to establish a connection, and then dissapear. Probably a bad attempt by somebody to write their own code, and is not written correctly to remain completley hidden....
    thanks again
    ---blayde----
    Share on Google+

  10. #10
    Senior Member
    Join Date
    Jul 2001
    Posts
    138
    Mirc is a windows based IRC client. Unless you are using Mirc (or have even downloaded it) it shouldn't be popping up as trying to connect. If you have never installed it and aren't using it at the time it tries to connect, it sounds like it could be a trojan (subseven maybe) masquerading as Mirc. Get the cleaner as Terr suggested and run it. Good luck.

    Happy Hacking
    -----------------------------------------------------
    Warfare is the Way of deception.
    -Sun Tzu \"The Art of War\"
    Share on Google+

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •