Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: hacked?

  1. #1
    Junior Member
    Join Date
    Jun 2003
    Posts
    3

    Question hacked?

    If I suspect someone of hacking into my computer using NetBIOS (as far as I can gather from reading around the web by creating a null user account) how would I confirm this? I mean what files would have been modified by the action of hacking , are there any system logs I could check out? I don't think they did any malicious damage as the computer is still working fine, but what ways would a good hacker try to avoid my seeing their trail, like modifying the system files. If they did cover their tracks well is there any way of seeing this? I'm running WinXP.

    Also, is there any tracing software I could use to track this type of thing in the future and are there ways around this?

    Thanks a lot.

  2. #2
    sorry for not knowing a lot about NetBIOS... but couldn't you look to see what files have been modified recently (or modified within the time-frame of the attack)... You should also try to secure your shares a lil' more as well...

    Hello all, this is going to be a basic primer on NetBIOS security. I won’t go to much into detail about the specifics of this protocol other than it runs on ports 137 thru 139, with the main server, if you will, on port 139. It is used mostly for inter/intra-office communications and file/print sharing as well as for home use for the same purposes...

    continued on http://neworder.box.sk/newsread_print.php?newsid=1295

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    OK, let's take this from the top.

    1) What makes you believe that you've been hacked?
    2) Have you checked event viewer for any tampering?
    3) Do you have an Admin account with no password?
    4) Do you have the guest account enabled?
    5) Are the default shares running? (i.e. $admin $ipc $c)
    6) Are you exposing this machine directly to the internet?

    (as far as I can gather from reading around the web by creating a null user account) how would I confirm this?
    You would need to do a forensic analysis of the box. What one hacker would do is completely different from what another would do.

    are there any system logs I could check out?
    Yes, check event viewer for evidence of tampering

    Also, is there any tracing software I could use to track this type of thing in the future and are there ways around this?
    You can install tripwire and/or a number of other third party apps to verify system integrity but it all boils down to implementing good security practices from the start. This site has *tons* of threads on this so take a few minutes to cruise the MS security boards and you'll find everything that you need.

    Hope this helps.
    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    There's also a very simple solution to this. Just slam the door shut by installing a (personal) firewall. Then run a good trojan/virus scanner to make sure your system is clean.

    Now sit back and enjoy all the warnings your firewall will generate
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    I`m with theHorse on this one, you need to provide some more information about whats going on to make you think you are being (or have been) hacked.

    Some additonal questions
    1) Do you have antivirus software installed?
    2) Opened any strange email attachments lately?
    3) Do you patch your system regulalry?
    4) what is your network setup?

    And any other info you can provide.

    Also, as SirDice stated, get a personal firewall, although this will not solve all your security problems, but it will protect you from the majority of attackers. I`d recommend Sygate, but thats just my personal preference.
    Quis custodiet ipsos custodes

  6. #6
    Junior Member
    Join Date
    Jun 2003
    Posts
    3

    Unhappy

    Basically I was in a chat room talking to I guy whom I vaguely know and he was boosting about being a pretty good hacker (or "l337" as he said). I've always been kind of interested in this sort of thing and so when he offered to send me a file with some information in I agreed. A bit later (while still on the internet) I tried to open a document in a shared folder but a message said that that document was in use. When I tried about five seconds later, however, and it opened fine. I didn't think too much about it (weird stuff happens like that all the time, right?) until I had had a look at the file he sent me which talked about ways to hack using the NetBIOS from DOS. (Basically it was C:\ > nbtstat –a xxx.xxx.xxx.xxx, C:\ > net use \\xxx.xxx.xxx.xxx\ipc$ "" /user:"", C:\ > net view \\xxx.xxx.xxx.xxx, C:\ > net use k: \\ xxx.xxx.xxx.xxx\sharedfile where xxxetc is the IP address.) Being quite paranoid I did some research on the web and apparently you can trace someone's IP address by their downloading something from you in a chat-room (rather than getting the IP address of the mail server). Also I tried net view on my own IP address and it said my username followed by <20> which apparently means its hackable. I've realised ways to stop this from happening in the future by stopping file and print sharing (now <20> doesn't appear), using the WinXP Firewall (is this any good?) not sharing any of my folders/files/disks, and editing the registry to stop it.

    The reason I want to know if I've been hacked is that I don't want to accuse this guy if its just my over-paranoia. It would be quite embarassing as he is normally quite nice. So is there any way I can track his (alleged) use on my computer (you say check the Event Viewer for evidence of tampering but I'm not really sure how to do this).

    (Sorry its so long, the reason I didn't put it in the first post as I thought no one would bother to read it.)


    Thanks again.

  7. #7
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    well anyone boasting about being "31337" probably isn`t anything of the sort... but moving on... The commands you mention are standard NT commands that can provide info on shares, users, etc...basically enumeration information. Now if you are connected to the Net without a firewall and have NetBios running then yes, these could be used against you. A password still needs to be obtained (and hopefully you don`t have a blank password).

    As far as I am aware yes your IP address could be obtained via a download. So he may well have tried some of this stuff against you, lock your box down now with a personal firewall which will stop any future abuse and try and run a vulnerability scanner against your box (see pluto, Leviathan, and Ceberus for free Windows ones).

    Run a virus scan to make sure you haven`t been trojaned. Check any event logs you have, and take all the other steps mentioned here.

    oh, and to check event viewer on XP click Start/Settings/Control Panel/ Administrative tools, and Event Viewer
    Quis custodiet ipsos custodes

  8. #8
    Junior Member
    Join Date
    Jun 2003
    Posts
    3
    I do have a password but apparently that's no protection (run PQWAQ then C:\> net use \\ipaddress\ipc$ "password" /user:administrator).

    Also I completely agree about securing my system and have now locked down my system I think quite effectively (although it took a suspected hack to encourage me to get around to doing it :-) ).

    I was just wondering how to see if I have been hacked; how would Event Viewer have changed for the time of the attack and what possible ways could the hacker have used to change Event Viewer back (or anything else to stop my finding out about it).

    I really appreciate the input, thanks a lot.

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    I do have a password but apparently that's no protection (run PQWAQ then C:\> net use \\ipaddress\ipc$ "password" /user:administrator).
    In order for a remote user to map to your box via command line interface, they'd have to:
    1) Know that you have an account named administrator
    2) Know the local password for that account
    3) Know that you are allowing NetBIOS shares

    To check Event Viewer, just go to START>CONTROL PANEL>ADMIN TOOLS Then choose Event Viewer.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #10
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    2792: U don't have many options now. Do as R0n1n says:
    Run a virus scan to make sure you haven`t been trojaned. Check any event logs you have, and take all the other steps mentioned here
    I'll be a bit more pessimistic than R0n1n new virii and malicious code appear every days quicker than anti-virii update. So there is no way to b 100% sure!

    But for future here comes a tip: FIDS (File System Intrusion Detection System) will take a kinda fingerprint of your file system and will compare it after changes. Such system will log u some info like what changes and their potentiality of danger.
    Of course in order to b efficient you'll have to b disciplined and lok at ur logs periodically. If sm1 take the hand on ur puter, and then detect the FIDS it will delete the log that could comprimise its successful attack.

    check out http://www.gfisoftware.com/
    [shadow] SHARING KNOWLEDGE[/shadow]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •