-
June 12th, 2003, 02:41 PM
#1
Junior Member
hacked?
If I suspect someone of hacking into my computer using NetBIOS (as far as I can gather from reading around the web by creating a null user account) how would I confirm this? I mean what files would have been modified by the action of hacking, are there any system logs I could check out? I don't think they did any malicious damage as the computer is still working fine, but what ways would a good hacker try to avoid my seeing their trail, like modifying the system files. If they did cover their tracks well is there any way of seeing this? I'm running WinXP.
Also, is there any tracing software I could use to track this type of thing in the future and are there ways around this?
Thanks a lot.
-
June 12th, 2003, 02:48 PM
#2
Member
sorry for not knowing a lot about NetBIOS... but couldn't you look to see what files have been modified recently (or modified within the time-frame of the attack)... You should also try to secure your shares a lil' more as well...
Hello all, this is going to be a basic primer on NetBIOS security. I won’t go too much into detail about the specifics of this protocol other than it runs on ports 137 thru 139, with the main server, if you will, on port 139. It is used mostly for inter/intra-office communications and file/print sharing as well as for home use for the same purposes...
continued on http://neworder.box.sk/newsread_print.php?newsid=1295
-
June 12th, 2003, 03:05 PM
#3
OK, let's take this from the top.
1) What makes you believe that you've been hacked?
2) Have you checked event viewer for any tampering?
3) Do you have an Admin account with no password?
4) Do you have the guest account enabled?
5) Are the default shares running? (i.e. $admin $ipc $c)
6) Are you exposing this machine directly to the internet?
(as far as I can gather from reading around the web by creating a null user account) how would I confirm this?
You would need to do a forensic analysis of the box. What one hacker would do is completely different from what another would do.
are there any system logs I could check out?
Yes, check event viewer for evidence of tampering.
Also, is there any tracing software I could use to track this type of thing in the future and are there ways around this?
You can install tripwire and/or a number of other third party apps to verify system integrity but it all boils down to implementing good security practices from the start. This site has *tons* of threads on this so take a few minutes to cruise the MS security boards and you'll find everything that you need.
Hope this helps.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
June 12th, 2003, 04:09 PM
#4
There's also a very simple solution to this. Just slam the door shut by installing a (personal) firewall. Then run a good trojan/virus scanner to make sure your system is clean.
Now sit back and enjoy all the warnings your firewall will generate
Oliver's Law:
Experience is something you don't get until just after you need it.
-
June 12th, 2003, 05:47 PM
#5
I'm with theHorse on this one, you need to provide some more information about what's going on to make you think you are being (or have been) hacked.
Some additional questions
1) Do you have antivirus software installed?
2) Opened any strange email attachments lately?
3) Do you patch your system regularly?
4) What is your network setup?
And any other info you can provide.
Also, as SirDice stated, get a personal firewall, although this will not solve all your security problems, but it will protect you from the majority of attackers. I'd recommend Sygate, but that's just my personal preference.
Quis custodiet ipsos custodes
-
June 12th, 2003, 08:07 PM
#6
Junior Member
Basically I was in a chat room talking to a guy whom I vaguely know and he was boasting about being a pretty good hacker (or "l337" as he said). I've always been kind of interested in this sort of thing and so when he offered to send me a file with some information in I agreed. A bit later (while still on the internet) I tried to open a document in a shared folder but a message said that that document was in use. When I tried about five seconds later, however, it opened fine. I didn't think too much about it (weird stuff happens like that all the time, right?) until I had had a look at the file he sent me which talked about ways to hack using the NetBIOS from DOS. (Basically it was C:\> nbtstat -a xxx.xxx.xxx.xxx, C:\> net use \\xxx.xxx.xxx.xxx\ipc$ "" /user:"", C:\> net view \\xxx.xxx.xxx.xxx, C:\> net use k: \\xxx.xxx.xxx.xxx\sharedfile where xxxetc is the IP address.) Being quite paranoid I did some research on the web and apparently you can trace someone's IP address by their downloading something from you in a chat-room (rather than getting the IP address of the mail server). Also I tried net view on my own IP address and it said my username followed by <20> which apparently means it's hackable. I've realised ways to stop this from happening in the future by stopping file and print sharing (now <20> doesn't appear), using the WinXP Firewall (is this any good?), not sharing any of my folders/files/disks, and editing the registry to stop it.
The reason I want to know if I've been hacked is that I don't want to accuse this guy if it's just my over-paranoia. It would be quite embarrassing as he is normally quite nice. So is there any way I can track his (alleged) use on my computer (you say check the Event Viewer for evidence of tampering but I'm not really sure how to do this).
(Sorry it's so long, the reason I didn't put it in the first post as I thought no one would bother to read it.)
Thanks again.
-
June 12th, 2003, 08:17 PM
#7
Well, anyone boasting about being "31337" probably isn't anything of the sort... but moving on... The commands you mention are standard NT commands that can provide info on shares, users, etc... basically enumeration information. Now if you are connected to the Net without a firewall and have NetBIOS running then yes, these could be used against you. A password still needs to be obtained (and hopefully you don't have a blank password).
As far as I am aware yes your IP address could be obtained via a download. So he may well have tried some of this stuff against you, lock your box down now with a personal firewall which will stop any future abuse and try and run a vulnerability scanner against your box (see pluto, Leviathan, and Cerberus for free Windows ones).
Run a virus scan to make sure you haven't been trojaned. Check any event logs you have, and take all the other steps mentioned here.
Oh, and to check event viewer on XP click Start/Settings/Control Panel/Administrative Tools, and Event Viewer.
Quis custodiet ipsos custodes
-
June 12th, 2003, 08:44 PM
#8
Junior Member
I do have a password but apparently that's no protection (run PQWAQ then C:\> net use \\ipaddress\ipc$ "password" /user:administrator).
Also I completely agree about securing my system and have now locked down my system I think quite effectively (although it took a suspected hack to encourage me to get around to doing it :-) ).
I was just wondering how to see if I have been hacked; how would Event Viewer have changed for the time of the attack and what possible ways could the hacker have used to change Event Viewer back (or anything else to stop my finding out about it).
I really appreciate the input, thanks a lot.
-
June 13th, 2003, 05:09 PM
#9
I do have a password but apparently that's no protection (run PQWAQ then C:\> net use \\ipaddress\ipc$ "password" /user:administrator).
In order for a remote user to map to your box via command line interface, they'd have to:
1) Know that you have an account named administrator
2) Know the local password for that account
3) Know that you are allowing NetBIOS shares
To check Event Viewer, just go to START>CONTROL PANEL>ADMIN TOOLS, then choose Event Viewer.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
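What to look for once Event Viewer is open, shown as an added example that is not part of any post in this thread: a triage pass over an exported Security log that flags anonymous network logons (event 540), runs of failed network logons (529) and a cleared audit log (517), the IDs Windows XP uses. It assumes logon auditing was switched on before the incident; the CSV column layout and every sample row are constructed for illustration.

```python
import csv
import io

# Security-log event IDs as used by Windows XP / Server 2003.
NETWORK_LOGON = "540"   # successful network logon (logon type 3)
FAILED_LOGON = "529"    # logon failure: unknown user name or bad password
LOG_CLEARED = "517"     # the audit log was cleared

# Constructed sample export; the column names are an assumption of this example.
SAMPLE_CSV = """date,time,event_id,user,logon_type,workstation
2003-06-12,19:31:02,540,ANONYMOUS LOGON,3,REMOTE-PC
2003-06-12,19:31:40,529,administrator,3,REMOTE-PC
2003-06-12,19:31:41,529,administrator,3,REMOTE-PC
2003-06-12,19:31:43,529,administrator,3,REMOTE-PC
2003-06-12,19:32:10,540,administrator,3,REMOTE-PC
2003-06-12,19:40:55,517,SYSTEM,,
2003-06-12,20:05:00,528,owner,2,
"""

def triage(csv_text, fail_threshold=3):
    """Return (timestamp, finding, detail) tuples in log order."""
    findings = []
    failures = {}  # (workstation, user) -> failed network logons seen so far
    for row in csv.DictReader(io.StringIO(csv_text)):
        eid, user, src = row["event_id"], row["user"], row["workstation"]
        stamp = f'{row["date"]} {row["time"]}'
        key = (src, user.lower())
        if eid == LOG_CLEARED:
            # Clearing the log leaves this record behind as the first entry.
            findings.append((stamp, "log-cleared", user))
        elif eid == NETWORK_LOGON and user.upper() == "ANONYMOUS LOGON":
            findings.append((stamp, "null-session", src))
        elif eid == FAILED_LOGON and row["logon_type"] == "3":
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == fail_threshold:
                findings.append((stamp, "password-guessing", src))
        elif eid == NETWORK_LOGON and failures.get(key, 0) >= fail_threshold:
            # A success right after repeated failures deserves a closer look.
            findings.append((stamp, "logon-after-failures", src))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV):
        print(*finding, sep="  ")
```

A Security log that is empty, or that begins with event 517 at a time nobody on the machine cleared it, is a finding in its own right.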
-
June 13th, 2003, 05:36 PM
#10
2792: U don't have many options now. Do as R0n1n says:
Run a virus scan to make sure you haven't been trojaned. Check any event logs you have, and take all the other steps mentioned here.
I'll be a bit more pessimistic than R0n1n: new virii and malicious code appear every day, quicker than anti-virii update. So there is no way to b 100% sure!
But for future here comes a tip: FIDS (File System Intrusion Detection System) will take a kinda fingerprint of your file system and will compare it after changes. Such system will log u some info like what changes and their potentiality of danger.
Of course in order to b efficient you'll have to b disciplined and look at ur logs periodically. If sm1 take the hand on ur puter, and then detect the FIDS it will delete the log that could compromise its successful attack.
check out http://www.gfisoftware.com/
SHARING KNOWLEDGE
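The file-system fingerprinting described in the last post, as an added example that is not part of the thread and not the code of any product linked in it: hash every file under a directory, then report what was added, removed or modified. Because that post notes an intruder may go after the checker's own records, the baseline here carries an HMAC; the key, file names and contents are constructed, and the example assumes the real key and a copy of the baseline are kept off the machine.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def seal(digests, key):
    """Serialise the baseline and attach an HMAC so edits to it are detectable."""
    body = json.dumps(digests, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})

def compare(sealed, key, root):
    """Return (added, removed, modified); raise if the baseline was altered."""
    record = json.loads(sealed)
    expected = hmac.new(key, record["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("baseline failed its integrity check")
    old, new = json.loads(record["body"]), snapshot(root)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return added, removed, modified

def demo():
    """Baseline a constructed directory, change it, and report the differences."""
    key = b"constructed-demo-key"  # assumption: the real key is kept off the machine
    with tempfile.TemporaryDirectory() as root:
        Path(root, "hosts").write_bytes(b"127.0.0.1 localhost\n")
        Path(root, "notes.txt").write_bytes(b"v1")
        sealed = seal(snapshot(root), key)
        Path(root, "hosts").write_bytes(b"127.0.0.1 localhost\n192.0.2.44 update.example\n")
        Path(root, "notes.txt").unlink()
        Path(root, "new-service.exe").write_bytes(b"MZ")
        return compare(sealed, key, root)

if __name__ == "__main__":
    print(demo())
```

The HMAC catches a baseline that was edited; a baseline that has gone missing cannot be verified at all and should be treated as a finding, not as a clean result.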