Net Bios intrusion
Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: Net Bios intrusion

  1. #1
    Junior Member
    Join Date
    Jul 2002
    Posts
    11

    Question Net Bios intrusion

    It appears that my Sygate Personal Firewall has let in a hack that has modified my ntoskrnl.exe. I have not accepted the changes that it has made but my security log tells me it is trying to broadcast out everyday and considers it a major security breach. It is trying to go out on my UDP ports and it is using Net Bios. I have shut off printer sharing. Can anyone tell how to rid myself of the little devil.

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    250
    Do you mean he/her is still in? He may have installed a trojan/backdoor on your system. If he was using NetBIOS and you turned off file and print sharing he shouldn't be using that. Get a free trial version of The Cleaner for trojans at http://www.moosoft.com
    Open up dos and run netstat | more and look for a high port number, that's the port most trojans use. Remember: Password protect your C drive and other important folders. Hope I could help.

    Thanks for your time~
    [gloworange]Die, or surrender, either way won\'t work.[/gloworange]
    [shadow]HuntX7[/shadow]

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    What makes you say that ntoskrnl.exe has been modified?

    Ammo
    Credit travels up, blame travels down -- The Boss

  4. #4
    Junior Member
    Join Date
    Jul 2002
    Posts
    11
    Everytime I start my computer I get a dialogue box that says "The NT Kernel System has changed since last time you used it. This could happen if you updated recently. Do you want to except the changes" I always say no because details show port 137 and 138 alternately, also noting that" Browsing request of Net Bios over TCP IP". This was all started when my firewall software said in its log that ntoskrnl.exe /outgoing/udp/ severity major/ - this is on the attack log. It also reports during the day application involved ntoskrnl.exe blocked( which is what I do daily on the first dialogue box . I can't figure it out. Huntx7 told me to run Cleaner to find out if it was a Trojan and my system showed no Trojans from the process.

  5. #5
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    What version of windows is that NT4/w2k/XP?
    Has it always done that or it's a recent thing? (Since windows install or sygate pers. fw install?)

    Have you run windows update recently? (In XP I believe it runs automatically).
    As for the outbound connections 137 and 138 are indeed for nbt and could be legit? Does the log show the destination IP? You mentionned you turned of printer sharing. Does that mean file sharing is left on?

    Ammo
    Credit travels up, blame travels down -- The Boss

  6. #6
    Junior Member
    Join Date
    Jul 2002
    Posts
    11
    Hey Ammo: The system is XP and I have not run an update within the last week. The ip that the exe is going to says it is my broadband connection "Cable Vision". Could my firewall be treating a communication to the cable company as an attack? I am pretting sure that file sharing is off also. There are no drive shared and I am assuming I would have to put something in the shared directory for anyone to get to it.

  7. #7
    Junior Member
    Join Date
    Jul 2002
    Posts
    2
    Well I have seen similar things in other host-based firewalls on XP systems. Take a look at this and tell me what you guys think.

    Windows XP default install with TCP 445 open

    http://soho.sygate.com/alerts/XP_def...CP445_open.htm

    http://online.securityfocus.com/archive/1/256830

    I think this might be it.

    good luck,
    nocilis

  8. #8
    Junior Member
    Join Date
    Jul 2002
    Posts
    11
    Nocilis: In the morning when I boot up I have had to wait an unusually long time before I can click a desktop icon to launch I.E. or Outlook. It could be that packets be sent are using all my ram. My security log always says it is outgoing only that is the breach but I deny the outgoing process every morning by not accepting the changes to the ntoskrnl.exe. I have not idea if someone has establish incoming. I do know that this is part of the detail when I backtrace the ip( which always shows up as my cable provider).
    "To single out one record, look it up with "!xxx", where xxx is the
    handle, shown in parenthesis following the name, which comes first."
    How do I get rid of this record?

  9. #9
    Banned
    Join Date
    Apr 2002
    Posts
    149
    can you shut off file sharing? that would close up those ports. but keep in mind, if you got hacked you dont know what they did. best practices is to format.

  10. #10
    Junior Member
    Join Date
    Jul 2002
    Posts
    11
    Angry Bob: Thanks for the time. I have a good book on Windows XP and I am pretty sure I have shut off all file sharing.
    I also performed a system restore on my xp system to a date
    before I had my firewall alert. I was hoping that this
    would replace the ntoskrnl.exe to an earlier version. The
    system restore went through its process and after it did
    it's auto reboot it said it was unable to restore my
    system. I did this again and the same thing happened. Is
    that a sign my system has truly been compromised? The people on the MS XP boards are not responding to my message that my system was unable to restore itself to a former date so I am not sure whether I was really hacked and part of the modification to the ntoskrnl.exe was not being able to restore back to former date.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •