Results 1 to 7 of 7

Thread: help! am i being hacked

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    161

    help! am i being hacked

    Hi, I have a dsl connection with a linksys router with NAT, OS winxp pro, on the router I chose to close ports 137-139 (netbios). I haven't had any incidents with my connection going slow or loss of hd space that would indicate intrusion. I am not running any http, ftp or telnet services. But today I noticed my connection was extremely slow, I checked my router's incoming log and got this:

    Source IP Destination Port Number
    64.205.117.130 137
    200.85.198.16 80
    200.76.200.226 139
    200.76.200.226 137
    200.67.152.91 139
    200.67.152.91 137
    216.208.202.73 139
    216.208.202.73 137
    210.124.147.40 139
    210.124.147.40 137
    210.65.54.122 139
    210.65.54.122 137
    212.95.176.152 2437
    209.208.227.155 139
    209.208.227.155 137
    192.0.0.38 139
    200.67.211.174 445
    192.0.0.35 139
    200.67.211.174 139
    200.84.237.77 139
    200.84.237.77 137
    200.39.228.231 139
    200.39.228.231 137
    24.27.208.25 139
    24.27.208.25 137
    212.95.176.152 2437
    200.67.157.192 80
    66.198.149.206 139
    66.198.149.206 137
    213.17.69.93 139
    213.17.69.93 137
    68.211.202.235 135
    212.253.56.165 139
    212.253.56.165 137
    200.67.152.91 139
    200.67.152.91 137
    80.230.171.72 17300
    210.64.49.171 445
    200.95.21.134 137
    200.29.135.41 137
    200.212.131.136 80
    155.239.159.71 137
    200.157.149.133 139
    200.157.149.133 137
    218.233.118.48 139
    218.233.118.48 137
    200.150.22.232 80
    218.79.142.137 139
    218.79.142.137 137


    Many IP's trying to access ports 137, 139, not sure if this means someone trying to access my computer through the netbios ports. I ran a whois got this:
    Search results for: 200.84.237.77


    OrgName: Latin American and Caribbean IP address Regional Registry
    OrgID: LACNIC
    Address: Potosi 1517
    City: Montevideo
    StateProv:
    PostalCode: 11500
    Country: UY

    NetRange: 200.0.0.0 - 200.255.255.255
    CIDR: 200.0.0.0/8
    NetName: LACNIC-200
    NetHandle: NET-200-0-0-0-1
    Parent:
    NetType: Allocated to LACNIC
    NameServer: ARROWROOT.ARIN.NET
    NameServer: BUCHU.ARIN.NET
    NameServer: CHIA.ARIN.NET
    NameServer: DILL.ARIN.NET
    NameServer: NS.LACNIC.ORG
    NameServer: NS.DNS.BR
    NameServer: NS2.DNS.BR
    Comment: This IP address range is under LACNIC responsibility for further
    Comment: allocations to users in LACNIC region.
    Comment: Please see http://www.lacnic.net/ for further details, or check the
    Comment: WHOIS server located at whois.lacnic.net
    RegDate: 2002-07-27
    Updated: 2002-12-12

    TechHandle: LACNIC-ARIN
    TechName: LACNIC Hostmaster
    TechPhone: (+55) 11 5509-3525
    TechEmail: hostmaster@lacnic.net

    OrgTechHandle: LACNIC-ARIN
    OrgTechName: LACNIC Hostmaster
    OrgTechPhone: (+55) 11 5509-3525
    OrgTechEmail: hostmaster@lacnic.net

    # ARIN WHOIS database, last updated 2003-06-04 21:05
    # Enter ? for additional hints on searching ARIN's WHOIS database.


    Most of the ip's to ports 137-139 were from this same source, should I report this to the phone or email from the whois, or what else should I do, is this an attack???????
    I was stupid and never bothered to install a firewall...
    I do have AV fully updated, I have scanned my system and no virus found.

    Please help!!!!
    (sorry for the fromatting of the log, it might be difficult to read)

  2. #2
    AO Veteran NeuTron's Avatar
    Join Date
    Apr 2003
    Posts
    550
    There may be some malicious intent but if your computer is behind a router, you are probably safe. It doesn't sound to me like you have been hacked at all. It is good to keep an eye on that log though.

  3. #3
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    If your router has Nat then I believe that the only IP that they will try will be the one that they see on your router. But, if I'm right they have to get past your router till they get to you, so you should be ok.

    I might be wrong about that but I think thats right,.
    =

  4. #4
    Junior Member
    Join Date
    Sep 2001
    Posts
    15
    Tracing route doesn't mean anything!. Try by scanning your own open Ports, and you would better have IP-Log Software to find out some other/strange IP access your Open Port.

    So be cool! its not a big deal adsl is usually used by serial hosts.

    Tracing Route is mean Nothing. Try by scanning your Open Ports, and try to use some software what it has IP-Log as Other/Strange IP which try to access those Openning Ports.

    seacrh on http://www.download.com

    hehe

  5. #5
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    Some one has been making attempts to connect to you on the netBIOS port its probably just packet monkeys scanning for weak netBIOS shares to get another zombie in there bot net if you're firewall is blocking it you have nothing to worry about does you're firewall have an option to drop packets from certain IP's ? if so it would be a good idea to drop packets form the offending IP's
    By the sacred **** of the sacred psychedelic tibetan yeti ....We\'ll smoke the chinese out
    The 20th century pharoes have the slaves demanding work
    http://muaythaiscotland.com/

  6. #6
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    You should maybe check a bit more closely - Logs will tells you what have been dropped but not what came through!

    A sniffer with filter capture on this set of IP could be a good paranoïd measure to keep an eye open.

    Does all this netbios probes came closely in time? Because it could a kind of decoy mode where most are not really probing u, just one is really malicious.

    If u have time and a free comp, u could set a honeypot to see actually what IPsrc will exploit a Netbios open port.
    [shadow] SHARING KNOWLEDGE[/shadow]

  7. #7
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Just as a side note for everyone, the bugbear viruses(and others) try to propagate through NetBios shares and often times this is the activity you are seeing. Also for all you linksys router users the Kiwi Syslog daemon for Windows can easily be configured and used to log all your router activty to an ODBC database (say Access) which makes searching and auditing your logs a breeze.

    Regards,
    Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •