July 17th, 2003, 10:31 AM
Preventing future attacks\Tracing attacks
While I was online today a few of my applications/programs began to run without any action on my part. These were not normal startup applications but things like my AIM (which is disabled for startup) and Media Players. I ran a TrojanHunter quick scan which revealed suspicious activity on port 420 (peeper.120). I then disconnected from the internet and ran a full TrojanGuard and anti-virus scan which revealed nothing. The odd thing was that when I checked my network connections, on the screen under Internet was an FTP connection that neither of us activated. Its listing was as follows: ftp.csie.chu.edu.tw. When I checked into this I realized that this is the address of a local computer college in my area. Under properties it says this connection was established last Wednesday (8 days ago) at 10am when neither I nor my girlfriend was home.
Here are some details about my setup. Both mine and my girlfriend's are running XP and our computers are networked together with my computer acting as the gateway. I have Zone Alarm (free) and TrojanHunter Guard activated and constantly running. I have a cable connection to the Internet that is usually active 24 hrs a day.
My questions are as follows: a.) Is it possible to trace this activity and report it back to the college's system administrator? b.) What software/hardware can I add to make my system more secure? c.) How were they able to get into my system? Please ignore part C if you feel it is in contrast to the aims of this site. I am just starting to study security so this would be of interest to me so that I can understand it and prevent it from happening to me again.
Thanks in advance for your help!
July 17th, 2003, 10:46 AM
I'm not going to wax lyrical here, 'cos I'm still a n00b myself, but I'd say your first step is to check all your shares, turn off permissions for those you don't need and restrict the ones you do.
Second, make sure you have all the patches from MS installed.
Third, double-check that you have the latest patterns for your virus scanner. Scan again. If possible, after a clean boot with a startup disk, and from one of those online scanning places (some advanced viruses are quite successful at hiding from antivirus software).
Your last resort is to format your machine and reinstall ("...take off and nuke the site from orbit... it's the only way to be sure..." :P).
I'm sure others on here will have more information... those I believe are just the first basic steps.
July 17th, 2003, 10:47 AM
For your first question, I would definitely let the college know. To me it looks like they are using the school's network, and if I were the school's network admin I would definitely like to know if that type of thing was going on. You may want to try to obtain the IP of the person; try using nbtstat. If there is a connection you should be able to get the IP, but he may not actually be using the school's computers, and just routing activities through there.
For your second question you may want to check out physical firewalls; it would be something else a person would have to get through before your comp. And maybe try other software firewalls; I'm not very familiar with the one you are using so I don't know how efficient they are. Also, because you know he's been on your computer, change your passwords, make sure you have a password set for the Administrator account that is accessed through safe mode, and check to see if he has created any new accounts of his own. That's all I can say for now, gl and keep us updated.
July 17th, 2003, 12:52 PM
Are you running any file sharing, P2P, software? i.e. WinMX, Kazaa, etc.
"Consumer technology now exceeds the average person's ability to comprehend how to use it... give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
July 17th, 2003, 01:41 PM
Yes, I run Kazaa Lite from time to time. I also realized that I had file and printer sharing enabled for my Internet options with my network. I went ahead and disabled that. I ran nbtstat -c and it showed another IP address beginning with 61, but I don't know if that information is of any use because I haven't used nbtstat before. I downloaded Trojan Remover and ran a full scan as well, but that didn't reveal anything.
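The thread's triage steps (checking the active network connections, noticing an unexplained FTP session and an unexpected listening port) can be done systematically by parsing the output of `netstat -an` and comparing it against what the machine is expected to be doing. The script below is an added example written for this thread, not code from any poster or product; the netstat text is a constructed sample using documentation-range addresses, and the "expected" port sets are assumptions a user would tailor to their own setup.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of Windows XP `netstat -an` output (not a real capture).
# Addresses are from documentation ranges; port 420 mirrors the thread's suspicious listener.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:420            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    192.168.0.1:1054       203.0.113.7:21         ESTABLISHED
  TCP    192.168.0.1:1062       198.51.100.9:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")

# One netstat row: proto, local ip:port, foreign ip:port (UDP shows *:*), optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")


def parse_netstat(text):
    """Parse netstat -an style text into Conn records, skipping headers."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        rport = int(rport) if rport.isdigit() else None  # '*' for UDP
        conns.append(Conn(proto, lip, int(lport), rip, rport, state))
    return conns


def triage(text, expected_listen, expected_remote):
    """Return (unexpected listening sockets, outbound connections to unexpected ports).

    expected_listen: set of (proto, port) the machine should be serving.
    expected_remote: set of remote ports the user normally connects to.
    """
    conns = parse_netstat(text)
    listeners = sorted({(c.proto, c.local_port) for c in conns
                        if c.state == "LISTENING" or c.proto == "UDP"}
                       - set(expected_listen))
    outbound = [c for c in conns
                if c.state == "ESTABLISHED" and c.remote_port not in expected_remote]
    return listeners, outbound
```

Running `triage(SAMPLE_NETSTAT, {("TCP", 135), ("TCP", 139), ("UDP", 445)}, {80, 443})` flags the port 420 listener and the FTP (port 21) session as the two items to investigate, which is exactly what the original poster found by hand.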