Results 1 to 10 of 10

Thread: I am HACKED! Help Me Please!

  1. #1

    Angry I am HACKED! Help Me Please!

    I noticed that my McAfee Firewall was behaving in suspicious manner. Then I scanned my PC with Norton AntiVirus & Trojan was found & deleted. I can't remember the name of the trojan. Later, same thing happened and a trojan was found & deleted. I also use Spybot Search & Destroy and it found no Trojan.

    I scanned my ports at Sygate & GRC & the reports say that all the ports are stealthed or blocked.

    I suspect I am hacked while in the chat room as someone that I don't know always IM me through Yahoo Messenger whenever I am online whether I sign on YM or use Yahoo DHTML chat.

    Later, I uninstall my McAfee firewall as it does not behave like the first time I install it. Eg. : There are many programs continuously asking for permission to connect whenever I log in to my PC even though I have granted permission in the past.

    I installed Zone Alarm Pro trial version & scan my posts at Sygate again & all been blocled except UDP san which say:




    We have determined that you do not have any firewall blocking UDP ports!

    Your system ports are now being scanned and the results will be returned shortly...
    Note: this may take up to one minute on some ports!

    Results from UDP scan of commonly used ports at IP address:

    Service Ports Status Additional Information
    FTP DATA 20 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    FTP 21 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    SSH 22 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    TELNET 23 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    SMTP 25 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    DNS 53 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    DCC 59 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    DHCP SERVER 67 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    FINGER 79 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    WEB 80 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    POP3 110 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    SUNRPC 111 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    IDENT 113 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
    Location Service 135 OPEN Microsoft relies upon DCE Locator service (RPC) to remotely manage services like DHCP server, DNS server and WINS server.
    NetBIOS-NS 137 OPEN Windows/Samba file and print sharing.

    NetBIOS-DGM 138 OPEN Windows/Samba file and print sharing.

    NetBIOS 139 OPEN NetBios is used to share files through your Network Neighborhood. If you are connected to the internet with this open, you could be sharing your whole hard drive with the world! This is a very dangerous port to have open.

    HTTPS 443 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    Server Message Block 445 OPEN In Windows 2000, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NBT.

    SOCKS PROXY 1080 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    UPnP 1900 OPEN This is the port used by Universal Plug and Play (UPnP). If this port is open anyone on the Internet may be able to

    WEB PROXY 8080 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    Results from UDP scan of commonly used trojans at IP address:
    Service Ports Status Possible Trojan

    Trojan 6776 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    Trojan 12345 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    Trojan 20034 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    Trojan 31337 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    Trojan 54320 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    Trojan 54321 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

    You are not fully protected:
    We have detected that some of our probes connected with your computer.






    What must I do? In the past there is no result for Trojan whenever I scanned my PC at http://scan.sygate.com

    I am too lazy to reformat my PC again. Should I uninstall Zone Alarm and use other firewall?

    How to close all those ports? I have disable NetBios in Win XP but it still shows open.


    Thanks for taking the time to answer my questions.

  2. #2
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    Well I am not sure what you have for an internet connection but if you are on dsl/cable and you have a router you can always forward them to a non-exisitant ip on your lan. I would not recommend uninstalling ZA it is a lot better than that McAfee crap. Personally it does not sound like you were hacked to me. If not you can setup ZA to block those ports under firewall...expert settings. If you still think you have a virus or trojan youc an try www.pandasoftware.com/activescan thats a good online a/v scanner. Good Luck.

  3. #3
    Senior Member Zonewalker's Avatar
    Join Date
    Jul 2002
    Posts
    949
    I have disable NetBios in Win XP but it still shows open
    if thats the case you haven't closed netBIOS - how do you think you closed netBIOS?

    ok... a little more info is needed - what trojan was found?

    re: mcafee .. software firewalls normally ask for permissions again if one of the components of the requesting program has changed e.g. by updating to a new version. Done that recently? If you uninstalled mcafee you may have removed the firewall permissions - hence the program asking again

    re: running ZA.... are you running it at the medium settings to access the net? If so you should put them at high.

    If you can't get ZA to shut off those ports - I don't think another firewall will help you much ZA is easy to use... other firewalls I could mention might give you better control... but I don't think that will help you at the moment

    and is 219.95.174.56 really your IP address... cos according to ARIN its part of Asia Pacific Network Information Centre in Oz.......

    as for closing down the other ports... sounds to me like you have a lot of unecessary services running - might want to try turning some of them off... have you looked over at Black vipers pages - you might find them useful

    Z
    Quis Custodiet Ipsos Custodes

  4. #4
    Sorry! I simply created the IP address...I didn't know that it belongs to someone.

    I will delete it

  5. #5
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Shakira,

    There could be other explanations for the person IMing you. Some of the previous threads have discussed this topic. You can always create another account and see if the person IM's you. If he does, then there are many possibilities with cures listed in the threads.


    Looks like you have some other things going on here. In the recent past we have had several people mixing different types of Firewalls and also AV’s, and they were experiencing problems because the different products were not compatible. If that's the case, just remember so don't mix to well and you probably should pick one.

    So if you have the Trojans cleaned out, it looks like one of the first issues you need to resolve is to insure that you can control what enters your computer and also just as important what leaves your computer. The opinions about firewalls will vary, pick a reputable one that is fairly easy to configure and get it to working and keep it updated. You can do a search here at Antionline and get some great insight on firewalls and that should help you select one. I prefer those that do not respond to inquires, pings etc. After you have it installed go as you have done in the past to one of the sites like Sygate or GRC and have them probe your computer again. Their probes are no guarantee that some one can’t get in to your computer, but they are a good indication of where the average internet user stands in relation to common ports open/closed etc.

    The probes should also tell you whether file/print sharing is enabled. That can be a real hazard! The help files with your OS should tell you how to disable sharing.

    UPnP. Interestingly enough that was one of the first XP exploits identified. As with any service, etc., if you don’t need it while you are online, shut it off. GRC has a quick and painless fix for the UPnP.

    Might want to also search Antionline and google for Trojans removers. There’s tons of info on them as well.

    AV. Same as Firewalls. Pick a reputable one and keep it updated. There is also many great threads written on that subject as well. I happen to have one that is on all the time. It can slow down loading loading of web pages etc., but it already has stopped two attempts to induce a virus on the system.

    Hope this helps


    cheers

  6. #6
    Originally posted here by Zonewalker


    if thats the case you haven't closed netBIOS - how do you think you closed netBIOS?

    Umm, from what i remember the netbios port will still showup on a netstat but can be totaly disabled:


    there are few steps that you can take to turn off netbios:
    1) go to your NIC's properties and disable file/print sharing and netbios over TCP/IP and IPX
    2) goto control panel->network connections->advanced->adv settings. under the "adapters and bindings" tab, disable "file/print sharing" ... i can't rember if you computer needs M$ client or not, so dont turn that off.

    even if you do all that, the port will still show up on a netstat -a, but it will be inactive and unresponsive and will evade scans.

    sources:
    Hacking Exposed
    http://www.securiteam.com/windowsntf...E5PUR5QAY.html

  7. #7
    Senior Member Zonewalker's Avatar
    Join Date
    Jul 2002
    Posts
    949
    Umm, from what i remember the netbios port will still showup on a netstat but can be totaly disabled
    tempest - if its closed it shouldn't show up on netstat -a (at least on XP it won't) - sure you don't mean nmap? Anyway closed isn't the same as blocked - neither is it the same as open - on the sygate scan report of shakira's the netBIOS ports are quite clearly listed as open - with no firewall and with netBIOS turned off they should be listed as being closed - with a firewall they should not respond at all (assuming the firewall is doing its job). Clearly this isn't the case hence me saying she hasn't closed netBIOS - that's why I wanted to know what she had done so we can help a little better

    shakira when you say you created the IP address in the report - do you mean you typed it in to cover your real IP from us? It's not a problem but replacing your real IP with a fake one just confuses the issue. If you want to hide your IP its usually better to over type the numbers with 'x' - that way we all know what you mean

    Z
    Quis Custodiet Ipsos Custodes

  8. #8
    well,

    i disabled everything on my NIC's prop and went to adv and unbinded netbios and 135 and 445 still show up...

    see attached picture.

    I dont know, but maybe i am thinking of nmap.

  9. #9
    BANNED
    Join Date
    Nov 2003
    Location
    San Diego
    Posts
    724
    if your on windowsxp you may want to disable system restore too
    or am I off on that suggestion
    When death sleeps it dreams of you...

  10. #10
    Senior Member Zonewalker's Avatar
    Join Date
    Jul 2002
    Posts
    949
    tempest - port 135 is the DCE endpoint resolution and 445 (both TCP and UDP ports) is for CIFS. It kind of is and kind of isn't netBIOS so I can semi agree with you - bit difficult to explain in any short terms so....

    this place should explain CIFS a little better
    - basically (as I understand it) CIFS is an updated version of SMB that does not require netBIOS. I might have understood that wrongly so - feel free to correct me.

    port 135 does deal with netBIOS yes I'll give you that but it does deal with other related transport too e.g. RPC DCOM... so it's not just for netBIOS traffic - hence the reason why its still shown on netstat if you close netBIOS

    so - I can see what you're point of view is and I do semi agree with you - but port 139 is the main one for netBIOS - as you can see from shakira's sygate log, port 139 is still wide open - hence I still say my original point stands - she hasn't closed netBIOS, or at least hadn't when she did this scan.

    Z
    Quis Custodiet Ipsos Custodes

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •