Thread: netstat??

  1. #1
    Junior Member (Join Date: Dec 2003, Posts: 3)

    netstat??

    I have been recently hacked, I think by a netspy trojan. I have three computers on a wired Microsoft router, hooked into Comcast broadband cable. The system originally had Norton 2002, which hadn't been updated for some time.

    The hacker gained complete control of my system, but seems to want to use the broadband capability rather than to shut me down.

    The router management tool gives me status on current IP addresses for the three computers, the gateway to the WAN, and the current WAN IP.

    When I run netstat there is an additional IP listed as local to my LAN with an established link to a foreign IP, which happens to be the router NAT IP for one of my computers.

    So I went into Norton Internet Security 2003 (recently added) and set the firewall to block a range of IPs around this local IP that I don't recognise. You guessed it, this prevented me from accessing the Web. I removed the block and pinged the address; it came back with 0ms delay and a message saying that the address was part of my LAN.

    Am I missing something, or is this guy still controlling things? I'm running XP Pro.
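
    The triage the poster is doing by hand (comparing netstat's connection list with the hosts the router reports) can be scripted. The following is an added example, not code from the thread or from any of its posters; it assumes the Windows XP `netstat -an` column layout, IPv4 addresses only, and that the router's status page gives you the addresses of your own LAN hosts. The netstat output and host list are constructed samples.

```python
"""Triage 'netstat -an' output against the hosts a home router reports.

Added example, not code from the thread. Assumptions: the Windows XP
'netstat -an' layout (Proto / Local Address / Foreign Address / State),
IPv4 addresses only, and a router status page that lists each LAN host's
address (the three PCs in the original post).
"""
import ipaddress
import re

# Constructed sample of 'netstat -an' output, not a capture from the poster's PC.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.101:1032     64.233.160.4:80        ESTABLISHED
  TCP    192.168.1.101:445      0.0.0.0:0              LISTENING
  TCP    192.168.1.250:1054     192.168.1.102:6667     ESTABLISHED
  UDP    192.168.1.101:137      *:*
"""

# Constructed values standing in for what the router management page shows.
LAN_NETWORK = "192.168.1.0/24"
KNOWN_LAN_HOSTS = {"192.168.1.101", "192.168.1.102", "192.168.1.103"}

LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$"
)


def parse_netstat(text):
    """Return one dict per connection line; the banner and header are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({"proto": proto, "local": laddr, "lport": lport,
                     "foreign": faddr, "fport": fport, "state": state or ""})
    return rows


def triage(text, lan_network, known_hosts):
    """Flag ESTABLISHED connections that the router's host list does not explain.

    Two things deserve a second look: a local address inside the LAN range that
    is not one of the router's known hosts (another interface on this PC, or a
    host the router never handed an address to), and a peer that is itself
    inside the LAN (the traffic never left the router at all).
    """
    net = ipaddress.ip_network(lan_network)
    known = {ipaddress.ip_address(h) for h in known_hosts}
    findings = []
    for row in parse_netstat(text):
        if row["state"] != "ESTABLISHED":
            continue
        local = ipaddress.ip_address(row["local"])
        foreign = ipaddress.ip_address(row["foreign"])
        reasons = []
        if local in net and local not in known:
            reasons.append("local address not in router host list")
        if foreign in net:
            reasons.append("peer is inside the LAN")
        if reasons:
            findings.append((row["local"], row["foreign"], row["fport"], reasons))
    return findings


if __name__ == "__main__":
    for local, foreign, port, reasons in triage(SAMPLE_NETSTAT, LAN_NETWORK, KNOWN_LAN_HOSTS):
        print("%s -> %s:%s  (%s)" % (local, foreign, port, "; ".join(reasons)))
```

    A flagged line is a lead, not a verdict: the next step is to identify which interface on the PC owns the unexpected local address (`ipconfig /all`) and which process owns the socket, rather than blocking the address range at the firewall as the poster tried.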

  2. #2
    Just Another Geek (Join Date: Jul 2002, Location: Rotterdam, Netherlands, Posts: 3,401)

    Re: netstat??

    Originally posted here by protopip
    The hacker gained complete control of my system, but seems to want to use the broadband capability rather than to shut me down.
    Well, this is usually the case. Your machine has probably been turned into a warez monkey, a DDoS zombie and/or a spam relay.

    In either case, to be totally sure s/he didn't leave any backdoors, you will have to back up your data and reinstall from original media.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Junior Member (Join Date: Dec 2003, Posts: 3)
    I was just looking at my settings for local security policies under XP and found some strange settings regarding access from remote computers, and found access rights for *s-1-5-21-1614895754-152049171-854245398-1002 on (mycomputer name)%1, i.e. %1 was added to my computer name. Do you recognise the format of this number?

  4. #4
    Senior Member br_fusion (Join Date: Apr 2002, Posts: 167)
    That means a new user was added (or more rights were assigned to an existing user); you should check Computer Management or run "net user" from the command prompt to view your current users. Also, with the final number being 1002, it doesn't seem to be an administrative account.

    Run "net user <username> /delete" to get rid of the new user.

    Hope this helps.
    The command completed successfully.


    "They drew first blood not me."

  5. #5
    Junior Member (Join Date: Dec 2003, Posts: 3)
    Thanks, I'll give it a try. I think, though, that I better understand the tunneling and pseudo-interface stuff; apparently I have IPv6 installed, which provides these features transparently. I'm still sure I was hacked, but it may have been a less persistent assault than I thought. It's amazing how paranoid you can get!!

  6. #6
    Banned (Join Date: Oct 2003, Posts: 68)
    Yet it's better to be safe than sorry.
    What if this person was using your box to do illegal activities with?
    You'd be the one who gets busted, not the person who's using your box as cover, so to speak.
    I'd disconnect from the net, format, then reinstall everything from scratch; that's the only sure way of knowing that you got rid of any future attacks through back doors or any other malicious programs.

    cheers
    Stacy

  7. #7
    Just Another Geek (Join Date: Jul 2002, Location: Rotterdam, Netherlands, Posts: 3,401)
    protopip: That number is called a SID, and it's this number that Windows uses to identify a user. The SID is automatically generated when you create an account.

    br_fusion: I'm sure you mean THE administrator account (renamed or not), which always ends with 500. There is no way to tell if that user's account is a member of the administrators group by looking at the SID.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
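
    To make the two points above concrete (the built-in Administrator keeps RID 500 even when renamed, and an ordinary RID such as 1002 says nothing about group membership), here is an added example that decodes the SID quoted in post #3. It is not code from the thread or any of its posters; it relies only on the documented text form of a SID, S-revision-authority-subauthorities, with the last sub-authority being the relative identifier (RID). The two comparison SIDs are constructed, and the well-known-RID table is deliberately limited to values that are fixed on every Windows install.

```python
"""Decode a Windows SID string like the one the poster found in Local Security Policy.

Added example, not code from the thread. It relies only on the documented text
form of a SID, S-<revision>-<authority>-<sub-authorities...>, where the last
sub-authority is the relative identifier (RID). The well-known RID table below
is deliberately small; everything else about an account (its name, whether it
sits in the Administrators group) has to come from 'net user' or Computer
Management, not from the SID.
"""
import re

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# RIDs that are fixed on every Windows install; the built-in Administrator
# keeps 500 even when renamed, which is the point SirDice makes.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator (renamed or not)",
    501: "built-in Guest",
}

# The first SID is the one quoted in post #3; the other two are constructed.
POSTED_SID = "S-1-5-21-1614895754-152049171-854245398-1002"
SAME_MACHINE_ADMIN = "S-1-5-21-1614895754-152049171-854245398-500"
OTHER_MACHINE_USER = "S-1-5-21-1111111111-222222222-333333333-1002"


def parse_sid(sid):
    """Split a SID into revision, identifier authority, machine/domain prefix and RID."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError("not a SID string: %r" % (sid,))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    return {
        "revision": int(m.group(1)),
        "authority": int(m.group(2)),
        "prefix": tuple(subs[:-1]),   # identifies the issuing machine or domain
        "rid": subs[-1],              # identifies the account within it
    }


def describe(sid):
    """Say what the RID alone tells you about the account, and what it does not."""
    rid = parse_sid(sid)["rid"]
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return ("account allocated by this machine (RID %d); "
                "group membership cannot be read from the SID" % rid)
    return "other built-in principal (RID %d)" % rid


def same_machine(sid_a, sid_b):
    """True when both SIDs were issued by the same machine or domain."""
    a, b = parse_sid(sid_a), parse_sid(sid_b)
    return a["authority"] == b["authority"] and a["prefix"] == b["prefix"]


if __name__ == "__main__":
    for s in (POSTED_SID, SAME_MACHINE_ADMIN, OTHER_MACHINE_USER):
        print(s, "->", describe(s))
    print("posted SID issued by the same machine as its Administrator:",
          same_machine(POSTED_SID, SAME_MACHINE_ADMIN))
```

    The prefix comparison is the useful half for incident triage: a SID whose prefix matches the local machine's own is an account that machine created, while a foreign prefix points at another machine or domain. Whether that account is privileged still has to be checked with "net localgroup administrators" or Computer Management.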

  8. #8
    AntiOnline Senior Medicine Man (Join Date: Nov 2001, Posts: 724)

    Re: Re: netstat??

    Originally posted here by SirDice
    Well this is usually the case. Your machine has probably been turned into a warez monkey, a DDoS zombie and/or a spam relay.

    Either case to be totally sure s/he didn't leave any backdoors you will have to backup your data and reinstall from original media.

    This couldn't be more true. Other than the headache of having your bandwidth and CPU gobbled up, this could quite easily get you blocked from a great deal of networks. This becomes a real headache if you have a static IP. At my NOC office I personally block around 2-3000 spam relay bots a day. They call in here asking why they can't hit our inmail; we have to tell them to get secure and call us back.
    It is better to be HATED for who you are, than LOVED for who you are NOT.

    THC/IP Version 4.2
