-
June 5th, 2003, 11:42 PM
#1
Senior Member
help! am i being hacked
Hi, I have a DSL connection with a Linksys router with NAT, OS WinXP Pro. On the router I chose to close ports 137-139 (NetBIOS). I haven't had any incidents with my connection going slow or loss of HD space that would indicate intrusion. I am not running any HTTP, FTP or telnet services. But today I noticed my connection was extremely slow. I checked my router's incoming log and got this:
Many IPs trying to access ports 137, 139; not sure if this means someone is trying to access my computer through the NetBIOS ports. I ran a whois and got this:
Search results for: 200.84.237.77
OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Potosi 1517
City: Montevideo
StateProv:
PostalCode: 11500
Country: UY
NetRange: 200.0.0.0 - 200.255.255.255
CIDR: 200.0.0.0/8
NetName: LACNIC-200
NetHandle: NET-200-0-0-0-1
Parent:
NetType: Allocated to LACNIC
NameServer: ARROWROOT.ARIN.NET
NameServer: BUCHU.ARIN.NET
NameServer: CHIA.ARIN.NET
NameServer: DILL.ARIN.NET
NameServer: NS.LACNIC.ORG
NameServer: NS.DNS.BR
NameServer: NS2.DNS.BR
Comment: This IP address range is under LACNIC responsibility for further
Comment: allocations to users in LACNIC region.
Comment: Please see http://www.lacnic.net/ for further details, or check the
Comment: WHOIS server located at whois.lacnic.net
RegDate: 2002-07-27
Updated: 2002-12-12
TechHandle: LACNIC-ARIN
TechName: LACNIC Hostmaster
TechPhone: (+55) 11 5509-3525
TechEmail: hostmaster@lacnic.net
OrgTechHandle: LACNIC-ARIN
OrgTechName: LACNIC Hostmaster
OrgTechPhone: (+55) 11 5509-3525
OrgTechEmail: hostmaster@lacnic.net
# ARIN WHOIS database, last updated 2003-06-04 21:05
# Enter ? for additional hints on searching ARIN's WHOIS database.
Most of the IPs to ports 137-139 were from this same source. Should I report this to the phone or email from the whois, or what else should I do? Is this an attack?
I was stupid and never bothered to install a firewall...
I do have AV fully updated, I have scanned my system and no virus found.
Please help!!!!
(sorry for the formatting of the log, it might be difficult to read)
-
June 6th, 2003, 12:01 AM
#2
There may be some malicious intent but if your computer is behind a router, you are probably safe. It doesn't sound to me like you have been hacked at all. It is good to keep an eye on that log though.
-
June 6th, 2003, 02:47 AM
#3
If your router has NAT then I believe that the only IP that they will try will be the one that they see on your router. But, if I'm right, they have to get past your router before they get to you, so you should be OK.
I might be wrong about that but I think that's right.
-
June 6th, 2003, 10:24 AM
#4
Junior Member
Tracing route doesn't mean anything! Try scanning your own open ports, and you had better have IP-log software to find out whether some other/strange IP accesses your open port.
So be cool! It's not a big deal; ADSL is usually used by serial hosts.
Tracing route means nothing. Try scanning your open ports, and try to use some software that has an IP log of other/strange IPs which try to access those open ports.
Search on http://www.download.com
hehe
-
June 6th, 2003, 11:11 AM
#5
Someone has been making attempts to connect to you on the NetBIOS port. It's probably just packet monkeys scanning for weak NetBIOS shares to get another zombie in their botnet. If your firewall is blocking it, you have nothing to worry about. Does your firewall have an option to drop packets from certain IPs? If so, it would be a good idea to drop packets from the offending IPs.
By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
The 20th century pharoes have the slaves demanding work
http://muaythaiscotland.com/
-
June 6th, 2003, 02:13 PM
#6
You should maybe check a bit more closely - logs will tell you what has been dropped but not what came through!
A sniffer with a capture filter on this set of IPs could be a good paranoid measure to keep an eye open.
Did all these NetBIOS probes come close together in time? Because it could be a kind of decoy mode where most are not really probing you, just one is really malicious.
If you have time and a free comp, you could set up a honeypot to see which IPsrc will actually exploit an open NetBIOS port.
SHARING KNOWLEDGE
-
June 7th, 2003, 02:00 AM
#7
Just as a side note for everyone, the Bugbear viruses (and others) try to propagate through NetBIOS shares and oftentimes this is the activity you are seeing. Also, for all you Linksys router users, the Kiwi Syslog daemon for Windows can easily be configured and used to log all your router activity to an ODBC database (say Access), which makes searching and auditing your logs a breeze.
Regards,
Maestr0
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
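An added example, not part of any post in this thread: a small Python triage of a two-column router incoming log (source IP, destination port) of the kind discussed above, counting attempts per port and listing the sources that tried more than one Windows file-sharing port or showed up repeatedly. The sample lines are constructed and use documentation address ranges; the function names and result keys are assumptions made for this illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Ports used by Windows RPC, NetBIOS and SMB file sharing.
WINDOWS_SHARE_PORTS = {135, 137, 138, 139, 445}

# Constructed sample in "source-ip destination-port" form (documentation ranges).
SAMPLE_LOG = """\
Source IP Destination Port Number
203.0.113.16 139
203.0.113.16 137
198.51.100.7 80
203.0.113.91 139
203.0.113.91 137
192.0.2.44 445
203.0.113.91 139
not-an-ip 139
198.51.100.200 17300
"""

def parse_log(text):
    """Yield (ip, port) for well-formed lines; skip headers and garbage."""
    for line in text.splitlines():
        try:
            ip_s, port_s = line.split()
            ip, port = str(ipaddress.ip_address(ip_s)), int(port_s)
        except ValueError:
            continue  # header, blank or malformed line
        if 0 < port < 65536:
            yield ip, port

def triage(text):
    """Summarise inbound attempts by destination port and by source."""
    by_port, hits, share_ports = Counter(), Counter(), defaultdict(set)
    for ip, port in parse_log(text):
        by_port[port] += 1
        hits[ip] += 1
        if port in WINDOWS_SHARE_PORTS:
            share_ports[ip].add(port)
    return {
        "total": sum(by_port.values()),
        "share_port_hits": sum(n for p, n in by_port.items() if p in WINDOWS_SHARE_PORTS),
        "by_port": dict(by_port),
        "multi_port_sources": sorted(ip for ip, ps in share_ports.items() if len(ps) > 1),
        "repeat_sources": [(ip, n) for ip, n in hits.most_common() if n > 1],
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```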