June 5th, 2003, 11:42 PM
help! am i being hacked
Hi, I have a DSL connection with a Linksys router with NAT, OS WinXP Pro. On the router I chose to close ports 137-139 (NetBIOS). I haven't had any incidents with my connection going slow or loss of HD space that would indicate intrusion. I am not running any HTTP, FTP or telnet services. But today I noticed my connection was extremely slow. I checked my router's incoming log and got this:
Source IP Destination Port Number
Many IPs trying to access ports 137, 139, not sure if this means someone is trying to access my computer through the NetBIOS ports. I ran a whois and got this:
Search results for: 220.127.116.11
OrgName: Latin American and Caribbean IP address Regional Registry
Address: Potosi 1517
NetRange: 18.104.22.168 - 22.214.171.124
NetType: Allocated to LACNIC
Comment: This IP address range is under LACNIC responsibility for further
Comment: allocations to users in LACNIC region.
Comment: Please see http://www.lacnic.net/ for further details, or check the
Comment: WHOIS server located at whois.lacnic.net
TechName: LACNIC Hostmaster
TechPhone: (+55) 11 5509-3525
OrgTechName: LACNIC Hostmaster
OrgTechPhone: (+55) 11 5509-3525
# ARIN WHOIS database, last updated 2003-06-04 21:05
# Enter ? for additional hints on searching ARIN's WHOIS database.
Most of the IPs to ports 137-139 were from this same source. Should I report this to the phone or email from the whois, or what else should I do? Is this an attack???????
I was stupid and never bothered to install a firewall...
I do have AV fully updated, I have scanned my system and no virus found.
(sorry for the formatting of the log, it might be difficult to read)
June 6th, 2003, 12:01 AM
There may be some malicious intent but if your computer is behind a router, you are probably safe. It doesn't sound to me like you have been hacked at all. It is good to keep an eye on that log though.
June 6th, 2003, 02:47 AM
If your router has NAT then I believe that the only IP that they will try will be the one that they see on your router. But, if I'm right, they have to get past your router to get to you, so you should be OK.
I might be wrong about that but I think that's right.
June 6th, 2003, 10:24 AM
Tracing route doesn't mean anything! Try scanning your own open ports, and you had better have IP-log software to find out whether some other/strange IP accesses your open ports.
So be cool! It's not a big deal, ADSL is usually used by serial hosts.
Tracing route means nothing. Try scanning your open ports, and try to use some software that has an IP log to show other/strange IPs which try to access those open ports.
Search on http://www.download.com
June 6th, 2003, 11:11 AM
Someone has been making attempts to connect to you on the NetBIOS port. It's probably just packet monkeys scanning for weak NetBIOS shares to get another zombie in their botnet. If your firewall is blocking it you have nothing to worry about. Does your firewall have an option to drop packets from certain IPs? If so, it would be a good idea to drop packets from the offending IPs.
By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
The 20th century pharaohs have the slaves demanding work
June 6th, 2003, 02:13 PM
You should maybe check a bit more closely - logs will tell you what has been dropped but not what came through!
A sniffer with a capture filter on this set of IPs could be a good paranoid measure to keep an eye open.
Did all these NetBIOS probes come close together in time? Because it could be a kind of decoy mode where most are not really probing u, just one is really malicious.
If u have time and a free comp, u could set up a honeypot to see actually what IPsrc will exploit a NetBIOS open port.
SHARING KNOWLEDGE
June 7th, 2003, 02:00 AM
Just as a side note for everyone, the Bugbear viruses (and others) try to propagate through NetBIOS shares, and oftentimes this is the activity you are seeing. Also, for all you Linksys router users, the Kiwi Syslog daemon for Windows can easily be configured and used to log all your router activity to an ODBC database (say Access), which makes searching and auditing your logs a breeze.
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
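Two checks raised in this thread, whether the probes to ports 137-139 come mostly from one source and how closely they cluster in time, can be run over an exported router log. The following is an added example, not part of any post above; the log line layout, the function names and the sample addresses are constructed assumptions, not actual Linksys or Kiwi Syslog output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp src=IP dpt=PORT" layout;
# a real router or syslog export will differ, so adjust LINE_RE to match it.
SAMPLE_LOG = """\
2003-06-05 21:10:02 src=203.0.113.7 dpt=137
2003-06-05 21:10:03 src=203.0.113.7 dpt=139
2003-06-05 21:10:05 src=203.0.113.7 dpt=137
2003-06-05 21:10:09 src=198.51.100.20 dpt=80
2003-06-05 21:10:11 src=203.0.113.7 dpt=139
2003-06-05 21:40:00 src=192.0.2.55 dpt=137
not a log line
2003-06-05 23:15:30 src=192.0.2.55 dpt=138
"""

LINE_RE = re.compile(r"^(\S+ \S+) src=(\d{1,3}(?:\.\d{1,3}){3}) dpt=(\d+)$")
NETBIOS_PORTS = {137, 138, 139}

def parse(log_text):
    """Yield (timestamp, source_ip, dest_port) for well-formed lines only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield ts, m.group(2), int(m.group(3))

def netbios_summary(log_text, burst_window=timedelta(seconds=60), burst_min=3):
    """Per source: hit count, first/last seen, and whether hits form a burst."""
    hits = defaultdict(list)
    for ts, src, port in parse(log_text):
        if port in NETBIOS_PORTS:
            hits[src].append(ts)
    summary = {}
    for src, times in hits.items():
        times.sort()
        # Burst = at least burst_min hits inside any sliding burst_window.
        burst = any(times[i + burst_min - 1] - times[i] <= burst_window
                    for i in range(len(times) - burst_min + 1))
        summary[src] = {"count": len(times), "first": times[0],
                        "last": times[-1], "burst": burst}
    return summary

if __name__ == "__main__":
    for src, info in sorted(netbios_summary(SAMPLE_LOG).items(),
                            key=lambda kv: -kv[1]["count"]):
        print(src, info["count"], info["first"], info["last"], info["burst"])
```

A source with a high count and a burst flag looks like automated scanning or worm propagation, while sparse hits spread over hours are typical background noise on these ports.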