
Thread: help! am i being hacked

  1. #1
    Senior Member
    Join Date
    Apr 2002

    help! am i being hacked

    Hi, I have a DSL connection with a Linksys router with NAT, OS WinXP Pro. On the router I chose to close ports 137-139 (NetBIOS). I haven't had any incidents with my connection going slow or loss of HD space that would indicate intrusion. I am not running any HTTP, FTP or telnet services. But today I noticed my connection was extremely slow. I checked my router's incoming log and got this:

    Source IP Destination Port Number 137 80 139 137 139 137 139 137 139 137 139 137 2437 139 137 139 445 139 139 139 137 139 137 139 137 2437 80 139 137 139 137 135 139 137 139 137 17300 445 137 137 80 137 139 137 139 137 80 139 137

    Many IPs trying to access ports 137, 139; not sure if this means someone is trying to access my computer through the NetBIOS ports. I ran a whois and got this:
    Search results for:

    OrgName: Latin American and Caribbean IP address Regional Registry
    Address: Potosi 1517
    City: Montevideo
    PostalCode: 11500
    Country: UY

    NetRange: -
    NetName: LACNIC-200
    NetHandle: NET-200-0-0-0-1
    NetType: Allocated to LACNIC
    NameServer: BUCHU.ARIN.NET
    NameServer: CHIA.ARIN.NET
    NameServer: DILL.ARIN.NET
    NameServer: NS.LACNIC.ORG
    NameServer: NS.DNS.BR
    NameServer: NS2.DNS.BR
    Comment: This IP address range is under LACNIC responsibility for further
    Comment: allocations to users in LACNIC region.
    Comment: Please see http://www.lacnic.net/ for further details, or check the
    Comment: WHOIS server located at whois.lacnic.net
    RegDate: 2002-07-27
    Updated: 2002-12-12

    TechHandle: LACNIC-ARIN
    TechName: LACNIC Hostmaster
    TechPhone: (+55) 11 5509-3525
    TechEmail: hostmaster@lacnic.net

    OrgTechHandle: LACNIC-ARIN
    OrgTechName: LACNIC Hostmaster
    OrgTechPhone: (+55) 11 5509-3525
    OrgTechEmail: hostmaster@lacnic.net

    # ARIN WHOIS database, last updated 2003-06-04 21:05
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    Most of the IPs to ports 137-139 were from this same source. Should I report this to the phone or email from the whois, or what else should I do? Is this an attack?
    I was stupid and never bothered to install a firewall...
    I do have AV fully updated, I have scanned my system and no virus found.

    Please help!!!!
    (sorry for the formatting of the log, it might be difficult to read)

  2. #2
    AO Veteran NeuTron's Avatar
    Join Date
    Apr 2003
    There may be some malicious intent but if your computer is behind a router, you are probably safe. It doesn't sound to me like you have been hacked at all. It is good to keep an eye on that log though.

  3. #3
    Senior Member
    Join Date
    Feb 2003
    Memphis, TN
    If your router has NAT then I believe that the only IP that they will try will be the one that they see on your router. But, if I'm right, they have to get past your router before they get to you, so you should be OK.

    I might be wrong about that but I think that's right.

  4. #4
    Junior Member
    Join Date
    Sep 2001
    Tracing route doesn't mean anything! Try scanning your own open ports, and you had better have IP-log software to find out whether some other/strange IP accesses your open port.

    So be cool! It's not a big deal; ADSL is usually used by serial hosts.

    Tracing route means nothing. Try scanning your open ports, and try to use some software that has an IP log of other/strange IPs which try to access those open ports.

    Search on http://www.download.com


  5. #5
    Senior Member
    Join Date
    Apr 2002
    Someone has been making attempts to connect to you on the NetBIOS port. It's probably just packet monkeys scanning for weak NetBIOS shares to get another zombie in their botnet. If your firewall is blocking it you have nothing to worry about. Does your firewall have an option to drop packets from certain IPs? If so, it would be a good idea to drop packets from the offending IPs.
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharaohs have the slaves demanding work

  6. #6
    Senior Member
    Join Date
    Nov 2002
    You should maybe check a bit more closely - logs will tell you what has been dropped but not what came through!

    A sniffer with a capture filter on this set of IPs could be a good paranoid measure to keep an eye open.

    Did all these NetBIOS probes come closely in time? Because it could be a kind of decoy mode where most are not really probing u, just one is really malicious.

    If u have time and a free comp, u could set up a honeypot to see which source IP will actually exploit an open NetBIOS port.
    SHARING KNOWLEDGE

  7. #7
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Just as a side note for everyone, the Bugbear viruses (and others) try to propagate through NetBIOS shares and oftentimes this is the activity you are seeing. Also, for all you Linksys router users, the Kiwi Syslog daemon for Windows can easily be configured and used to log all your router activity to an ODBC database (say Access), which makes searching and auditing your logs a breeze.

    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
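
Added example, not part of any post in this thread: one way to audit an exported router log for the questions raised above, namely which source networks are probing the Windows file-sharing ports and whether the probes arrive close together in time. The `timestamp source_ip dest_port` line layout is an assumption, and the sample lines are constructed, using documentation address ranges.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Ports probed in the thread's log: RPC endpoint mapper, NetBIOS, SMB.
WINDOWS_SHARE_PORTS = {135, 137, 138, 139, 445}

# Constructed sample in an assumed "timestamp source_ip dest_port" layout;
# addresses are documentation ranges, not values from the original log.
SAMPLE_LOG = """\
2003-06-05T10:00:01 192.0.2.10 137
2003-06-05T10:00:02 192.0.2.10 139
2003-06-05T10:00:04 192.0.2.77 137
2003-06-05T10:00:05 192.0.2.77 139
2003-06-05T10:00:09 198.51.100.5 80
2003-06-05T10:03:30 203.0.113.9 445
2003-06-05T10:04:10 192.0.2.140 137
garbage line that should be skipped
2003-06-05T11:15:00 198.51.100.5 2437
"""

def parse(log_text):
    """Yield (time, source address, destination port), skipping bad lines."""
    for line in log_text.splitlines():
        try:
            stamp, src, port = line.split()
            yield datetime.fromisoformat(stamp), ipaddress.ip_address(src), int(port)
        except ValueError:
            continue  # wrong field count, bad timestamp, bad IP or bad port

def summarize(log_text, prefix_len=24):
    """Group share-port probes by source network: hits, distinct hosts, time span."""
    nets = defaultdict(lambda: {"hits": 0, "hosts": set(), "times": []})
    for when, src, port in parse(log_text):
        if port not in WINDOWS_SHARE_PORTS:
            continue
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        entry = nets[str(net)]
        entry["hits"] += 1
        entry["hosts"].add(str(src))
        entry["times"].append(when)
    report = {}
    for net, e in nets.items():
        span = (max(e["times"]) - min(e["times"])).total_seconds()
        report[net] = {"hits": e["hits"], "hosts": len(e["hosts"]), "span_s": span}
    return report

if __name__ == "__main__":
    for net, row in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["hits"]):
        print(net, row)
```

Many hosts from one network hitting 137/139 within a short span is the pattern of automated scanning or worm propagation mentioned in the replies; the grouped network is what you would look up in whois or add to a router block list.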
