
Thread: was i hacked

  1. #1
    Junior Member
    Join Date
    Nov 2001
    Posts
    20

    was i hacked

    Hello,
    well I just received an instant message from someone who claimed to be a member. I talked to him for a few minutes and then proceeded on with things. Started playing a game online and it was really laggy. Got suspicious so I then ran a check...

    went to ms-dos typed in netstat -an
    came up with syn request from ip 172.xx.184.1 - 172.xx.184.254

    then typed netstat -r

    with 3 established ports
    looked like this

    foreign address
    172.xx.134.54 syn sent
    172.xx.134.55 syn sent
    172.xx.134.56 syn sent
    172.xx.134.57 syn sent
    172.xx.134.58 syn sent
    -berp-ci04.dial.aol.com: 13784 established
    205.176.25.195: 5190 established
    bombnet.p3psi.org: established
    172.xx.134.116 syn sent
    172.xx.134.5 syn sent
    172.xx.134.6 syn sent
    172.xx.134.7 syn sent
    172.xx.134.8 syn sent
    etc........


    It seems to me that this is a scan on my port, and it looks like it was successful. Am I correct, and how do I fix and defend? Please help me out. P3psi is a virus, I believe. Where can I find it if it has been executed, as I am sure it will be well hidden?

  2. #2
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007
    It looks to me as if you're being stealth-scanned. In other words, just a slightly tricky way for them to portscan you normally...

    Er, wait... If it was a half-scan, wouldn't it show 'ACK sent', since it is Syn-Ack-Syn? Anyone else want to elaborate on what netstat is trying to say here? I've hardly ever had non-established or non-listening states pop up.

    Did it say what port bombnet.p3psi.org was at? Are you sure you weren't just browsing a page there or something? I would suggest getting either The Cleaner from http://www.moosoft.com or Tauscan from http://www.agnitum.com , both trojan scanners and removers. I've never heard of a 'p3psi' trojan, though.
    [HvC]Terr: L33T Technical Proficiency

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    257
    Er, wait... If it was a half-scan, wouldn't it show 'ACK sent', since it is Syn-Ack-Syn? Anyone else want to elaborate on what netstat is trying to say here? I've hardly ever had non-established or non-listening states pop up.
    I don't really know much about scanning people for vulnerabilities, but if I remember my tcp/ip correctly an ack will only be sent from a listening port. Non-listening ports will respond with a rst, though I don't think you'll see either activity from netstat.

    I have no idea how they got the output they posted by using the -r switch, that just displays the routing table.

    pepsi is a udp flooder, never heard of p3psi.

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Posts
    677
    Get a firewall !
    [www.zonelabs.com]

    If you want more detailed info about these things, some kind of Intrusion Detection System would maybe help, though most firewalls log *everything* thrown at them!
    One Ring to rule them all, One Ring to find them.
    One Ring to bring them all and in the darkness bind them.
    (The Lord Of The Rings)
    http://www.bytekill.net

  5. #5
    Member
    Join Date
    Oct 2001
    Posts
    88
    foreign address
    172.54.134.54 syn sent <--- is an internal network address
    172.54.134.55 syn sent
    172.54.134.56 syn sent
    172.54.134.57 syn sent
    172.54.134.58 syn sent
    -berp-ci04.dial.aol.com: 13784 established <---your chat buddy
    205.176.25.195: 5190 established <----AOL Instant Messenger
    bombnet.p3psi.org: established <---looks like a machine name
    172.54.134.116 syn sent
    172.54.134.5 syn sent
    172.54.134.6 syn sent
    172.54.134.7 syn sent
    172.54.134.8 syn sent
    etc........

    agree, get a good little firewall like Tiny Personal Firewall (if windows user).
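
    Added example, not part of any post in this thread: a small Python triage of `netstat -an` output like the listing discussed above. In netstat, SYN_SENT is the state of a local socket that has sent a SYN and is still waiting for the reply, so a run of SYN_SENT rows to consecutive addresses is connection attempts leaving this machine. The sample rows, addresses and ports are constructed (documentation ranges), and the function names and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Windows `netstat -an` layout (not the poster's real output).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1201        198.51.100.54:139      SYN_SENT
  TCP    192.0.2.10:1202        198.51.100.55:139      SYN_SENT
  TCP    192.0.2.10:1203        198.51.100.56:139      SYN_SENT
  TCP    192.0.2.10:1204        198.51.100.57:139      SYN_SENT
  TCP    192.0.2.10:1205        198.51.100.58:139      SYN_SENT
  TCP    192.0.2.10:1100        203.0.113.195:5190     ESTABLISHED
  TCP    192.0.2.10:1101        203.0.113.20:6667      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_]+)\s*$")

def parse(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) for TCP rows."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            lip, lport, rip, rport, state = m.groups()
            yield lip, int(lport), rip, int(rport), state

def outbound_sweeps(text, threshold=4):
    """Group SYN_SENT rows by (remote /24, remote port); keep groups >= threshold.

    SYN_SENT is a local socket state: this host sent the SYN and is waiting
    for a SYN-ACK, so many such rows mean this host is the one probing.
    """
    groups = defaultdict(set)
    for _, _, rip, rport, state in parse(text):
        if state == "SYN_SENT" and rip.count(".") == 3:
            prefix = rip.rsplit(".", 1)[0] + ".0/24"
            groups[(prefix, rport)].add(rip)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= threshold}

def established_peers(text):
    """Remote endpoints with a completed handshake, for manual review."""
    return sorted((rip, rport) for _, _, rip, rport, s in parse(text) if s == "ESTABLISHED")

if __name__ == "__main__":
    for (prefix, port), hosts in outbound_sweeps(SAMPLE).items():
        print(f"outbound SYN sweep: {len(hosts)} hosts in {prefix} on port {port}")
    for ip, port in established_peers(SAMPLE):
        print(f"established: {ip}:{port}")
```

    On Windows versions that support it, `netstat -ano` adds the owning process ID to each row, which ties a sweep like this to the program making the connections.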

  6. #6
    psi0nic is right
    sometimes after talking on Icq/AIM the ip of the person will show up when you run netstat.

  7. #7
    Senior Member
    Join Date
    Sep 2001
    Posts
    800
    If you are playing an online game then those other addresses would probably be the other players that you are playing against.
    Are you running a firewall?
    "A hacker is someone who has a passion for technology, someone who is possessed by a desire to figure out how things work."

  8. #8
    Did you direct connect to your AIM buddy? He/She may have been spoofing bombnet; in which case his/her IP would show up in a netstat (bombnet.p3psi.org if he/she were spoofing), although I don't know what bombnet.p3psi.org is.

  9. #9
    Junior Member
    Join Date
    Nov 2001
    Posts
    20
    Well, I put up a firewall. Upon which I received a warning message that a program called MIRC32.exe was attempting to act as a server.
    I proceeded to disconnect and lock the port.
    Now the problem is that when I disable the firewall, the program reattempts to establish the connection. So I searched for the program... Once I found it... in windows as a file, with no directory extensions, I tried to delete it. It said it was currently being used. So I entered the editreg command under Run and tried to find it. I am really not that familiar with the reg (something I am currently reading up on). I read the readme file hidden on the program and it specifies connection to certain ports, not sure exactly... I think it was 6190 and 34720 or something like that, the ones that netscan picked up. It also talked about transferring files... I will post that readme later tonight... I am at work now.

    Anyone with some real knowledge of the all so famous reg, please lend me a hand on figuring out what this program is and where it is hidden...
    One more hint: the thing executes, or should I say pops up, when I reboot... as soon as windows loads up there it is, and then it's gone, as though it's told to load, attempt to establish a connection, and then disappear. Probably a bad attempt by somebody to write their own code, and it is not written correctly to remain completely hidden...
    thanks again
    ---blayde----

  10. #10
    Senior Member
    Join Date
    Jul 2001
    Posts
    138
    Mirc is a windows based IRC client. Unless you are using Mirc (or have even downloaded it) it shouldn't be popping up as trying to connect. If you have never installed it and aren't using it at the time it tries to connect, it sounds like it could be a trojan (subseven maybe) masquerading as Mirc. Get the cleaner as Terr suggested and run it. Good luck.

    Happy Hacking
    -----------------------------------------------------
    Warfare is the Way of deception.
    -Sun Tzu "The Art of War"
