March 13th, 2003, 12:38 AM
Question- was I hacked?
I am new here and I was wondering if someone could give me some help.
I have Norton Internet Security 2003 running on Windows XP and recently when I took a look at my Norton Internet Security log file, I noticed this whenever I boot up:
-Rule "Block Windows File Sharing" blocked communication. Local address: Forensics(169.254.240.228)(netbios-ssn(139))
Process name is "System"
I never noticed this message before and that is definitely not my IP address.
I also noticed that my computer would automatically shut down for no reason whatsoever whenever I'm on the internet. It has happened about 3 times in the last 2 weeks or so, most recently today.
I scanned my entire computer with Norton antivirus today but it found nothing.
Can anyone help explain what's going on? Should I be alarmed by this?
I've also been getting a lot of these messages popping up on my Norton Internet Security:
-Rule "Default Block Microsoft Windows 2000 SMB" stealthed (22.214.171.124,microsoft-ds(445))
Inbound TCP connection
Local address,service is (0.0.0.0,microsoft-ds(445))
Remote address,service is (126.96.36.199,32801)
Process name is "System"
Whenever that occurred, I would just copy the IP address and put them under the "restricted" section with Norton Firewall which prevents any type of communication with that IP address and my computer.
But it's been happening a lot lately. Should I be alarmed?
I'd appreciate any help!
March 13th, 2003, 01:15 AM
I would not worry about the 169.x.x.x traffic on boot; it sounds like typical behavior. I am assuming that you are on dialup, or DSL, and have to actually dial out to connect to the internet, which means when you boot your machine receives no IP address for that interface, and uses a link-local address 169.x.x.x. Then Windows attempts to talk to itself and ends up sending traffic to that address for some reason. Norton can probably be configured to ignore that if you want, without much danger, as the 169.x.x.x addresses are not internet routable (although someone could send traffic TO your machine FROM that address, assuming there are lots and lots of misconfigured routers between them and you; they would never receive the responses, though).
As far as shutting down while you are on the internet, I would be a bit concerned about this, but there are so many likely causes that I would think first about other things than a hacker. I have no suggestions though for a fix. Is there any other strange behavior like this? Also, are there any unusual firewall log entries about the time this happens?
As for all those other connections, those look fairly innocuous as well. Sure, some machine is attempting to connect to yours for some reason, either due to misconfiguration or intent on the user's part, but Norton is doing what it is supposed to do: alert you and block the connection if you desire. I would not worry too much about it. Make a mental note of it when it happens, perhaps add it to the always drop list. Of course make sure you keep an eye on your logs etc.
March 13th, 2003, 01:27 AM
I really appreciate your reply!
Thanks for the info!
March 13th, 2003, 02:14 AM
Even though your firewall is doing its job, unless you have need of it, it would be prudent to remove file and print sharing. Firewalls have been known to crash on their own or from DoS attacks meant to accomplish this, and even though your FW may have all the latest patches and fixes, you never know when a new one will come out.
March 13th, 2003, 02:49 AM
Although I have a printer attached to my computer I have no need to share files.
How would you recommend I disable file sharing? Would it be through the firewall or through the general control panel?
Sorry, I am new at this sort of thing. I would greatly appreciate any instructions you could offer me.
March 13th, 2003, 04:33 AM
Disable it through the Control Panel.
March 13th, 2003, 08:48 AM
Go to your network settings and not only unselect file and printer sharing but remove it from your hard drive.
March 13th, 2003, 08:58 AM
Ideally you want to disable file/print sharing if possible and/or remove from control panel (under network), and also block it in the firewall. I am not familiar with Norton Firewall (I use Outpost) but you may want to set it up to log connection attempts to that port just so you can see if anything is going on. But 169.xxx.xxx.xxx is Microsoft's IP address when the machine can't get an IP from a DHCP server.
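As an added example (not from any poster in this thread and not part of Norton's tooling), the Python script below sorts log entries in the layout quoted above by address scope, so that traffic on a self-assigned 169.254.x.x address is separated from inbound attempts by internet hosts. The sample log is constructed, and `scope` and `triage` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample in the thread's log layout; 198.51.100.20 and 203.0.113.7 are documentation addresses.
SAMPLE_LOG = """\
-Rule "Block Windows File Sharing" blocked communication. Local address: Forensics(169.254.240.228)(netbios-ssn(139))
-Rule "Default Block Microsoft Windows 2000 SMB" stealthed (198.51.100.20,microsoft-ds(445))
Inbound TCP connection
Local address,service is (0.0.0.0,microsoft-ds(445))
Remote address,service is (203.0.113.7,32801)
"""

RULE_RE = re.compile(r'^-Rule "([^"]+)"')
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REMOTE_RE = re.compile(r"Remote address,service is \(([\d.]+),")
SMB_RE = re.compile(r"\((?:139|445)\)")  # netbios-ssn(139) / microsoft-ds(445)
# Explicit list: ipaddress's is_private would also match the documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def scope(addr):
    """Classify an IPv4 string by how far it can be routed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_unspecified:
        return "unspecified"   # 0.0.0.0, i.e. every local interface
    if ip.is_link_local:
        return "link-local"    # 169.254.0.0/16, self-assigned without DHCP
    if any(ip in net for net in RFC1918):
        return "private"
    return "internet"

def triage(log_text):
    results = []
    for chunk in re.split(r"(?m)^(?=-Rule )", log_text):  # one chunk per entry
        rule = RULE_RE.match(chunk)
        if not rule:
            continue
        scopes = {a: scope(a) for a in IPV4_RE.findall(chunk)}
        remote = REMOTE_RE.search(chunk)
        verdict = "needs manual review"
        if remote and scope(remote.group(1)) == "internet":
            kind = "SMB" if SMB_RE.search(chunk) else "non-SMB"
            verdict = f"inbound {kind} attempt from internet host {remote.group(1)}"
        elif scopes and set(scopes.values()) <= {"link-local", "unspecified"}:
            verdict = "local-only traffic on a self-assigned address"
        results.append({"rule": rule.group(1), "scopes": scopes, "verdict": verdict})
    return results
```

Calling `triage(SAMPLE_LOG)` returns one dictionary per `-Rule` entry with the rule name, the scope of every address in it, and a verdict string.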
March 13th, 2003, 08:04 PM
Thanks to everyone for all your helpful information!
March 13th, 2003, 08:09 PM
The request to port 445 could have been the Deloder worm stumbling across your IP and deciding to give it a try to see if you have a weak admin password. But the firewall did its job... Just for anyone else that stumbles across this post: if you are using Windows, your administrator password should not be one of the following: