
Thread: need some guidance

  1. #1
    Senior Member Godsrock37's Avatar
    Join Date
    Jan 2005
    Location
    PA
    Posts
    121

    need some guidance

    Hi guys, I'm having some trouble with networking/security. I think it may be a virus but I have no idea. I really just need some guidance on this one, it's a new one for me.

    I'll describe my setup before I pose my problem and questions.
    I am running a laptop with Windows XP and Slackware. Windows XP is my main OS for the moment and is completely updated at almost all times. I do have My Documents shared on my LAN, probably my only security risk, but since I'm not wireless anymore I don't have to worry about it (I had some wireless security; getting a new router with more). I don't use Slackware that much, so I highly doubt that has anything to do with my problem.
    I use Avast Free Edition (I will be subscribing soon) antivirus and update before every scan, and it auto-updates every 240 mins. I have ZA (free, but I may pay) for a firewall; never had any problems with it, it's caught everything that's come up. For antispyware I use Ad-Aware as a scanner (not real time since it's free; will probably subscribe to Spyware Dr. after some testing) and Microsoft's AntiSpyware as real time. They are both on auto-update and I update Ad-Aware before scans. In looking for my problem I started my computer in safe mode with networking last night and did an online scan for viruses from Symantec and Trend Micro's HouseCall. I also used Avast and Ad-Aware. Nothing on any scans except for a few tracking cookies by Ad-Aware and an exploit that doesn't really affect me from Trend Micro.
    My router (wireless hardware burnt out, no one can get a signal, hard lines fine though) has a firewall built in, and my ISP filters all packets to me that are intended for servers on my IP (supposedly for security, probably just to ensure I pay for a static IP if I wanna serve). I also connect to my school's LAN for classes (comp. sci.), research, printing etc. I'm TA for the IT and I do a lot of work for him, so he tells me everything going on in the school. Recently he said he thought one of the servers had a virus, so that may or may not be related.
    Real quick on what I use my comp for: Mozilla Thunderbird (Gmail) for email (40-50 a day, mostly security and computer related emails, also some mock trial), Trillian, and Hydra IRC. Lots of Word and a lot of music (WMP, need something else) and tons of internet.
    I think that's all the info you'll need.

    Now for my problem and questions.
    There were multiple blocked attempts (by ZA, in my log, which is here) from my computer trying to connect to other comps on my subnet. Most of the attempts are to common ports (139, NetBIOS, and 445, SMB over TCP, usually shares) and IPs that aren't shown on my router as being attached. This is obviously a problem. I couldn't find out what program had tried to send the packets. It hasn't continued since then, but other problems have arrived. All of these turned out to be unrelated except for one. Whenever I plugged into a LAN (yesterday) I couldn't get an IP; my comp would receive packets fine, but it wasn't sending, so obviously I got no IP. When I told it to repair the connection, it said it couldn't because it didn't have an IP. It is fine now (the only thing I did was safe mode networking).

    So here are my questions:
    What's going on?
    When looking for an IP, don't I send out broadcast packets looking for a DHCP server?
    Is that a virus/spyware/malware sending out those packets (and what is flag S?), or have I been hacked? (Highly, highly doubt it's legit programs.)
    If I have more questions I'll post; I think that's it for now. Thanks for reading my ridiculously long post (sorry about that).
    if God was willing to live all out for us, why aren't we willing to live all out for Him? God bless,
    Godsrock37
    my home my forum

  2. #2
    Senior Member
    Join Date
    Oct 2003
    Posts
    394
    I think that you were not hacked.... but .....

    IP must stay alive and updated about network conditions; that is because it is sending and receiving packets when you are not using the network.

    In ZoneAlarm you can also see what program makes that connection to the internet.

  3. #3
    Senior Member Godsrock37's Avatar
    Join Date
    Jan 2005
    Location
    PA
    Posts
    121
    Mr. Babis,
    I don't think I understand your post, sorry.
    Originally posted here by MrBabis
    I think that you were not hacked.... but .....

    IP must stay alive and updated about network conditions; that is because it is sending and receiving packets when you are not using the network.

    In ZoneAlarm you can also see what program makes that connection to the internet.

    2nd section: I'm not sending packets because I'm not using the network?
    I'm trying to connect to the network, not connected yet; I don't think I understood you.
    3rd section: in the log I posted?
    I posted the log; nothing under the program category.
    Here it is again in case you couldn't see it in all that other text.
    Huh, just noticed I should have edited out the source DNS, oops.

    Thanks for the help/post.

  4. #4
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    You probably could have continued this under your other post has my router been hacked? because it seems to be all related.

    Anyway, have a look at OnLamp.com Filtering IDS Packets and see if that answers your question about the S flag.

    BTW, since your wireless router is fried anyway, did you turn off the wireless card in your computer or let it run, just not connected to anything?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  5. #5
    Senior Member
    Join Date
    Oct 2003
    Posts
    394
    Source: http://homepage.ntlworld.com/robin.d.../security.html

    Ports 137 (nbname), 138 (nbdatagram) and 139 (nbsession) belong to the NetBIOS transport protocol upon which Microsoft networking is based. Windows 2000/XP also use port 445 (microsoft-ds) for Microsoft networking without NetBIOS. These open ports are therefore to be expected on a Windows system. Any others need to be checked out to see whether they are legitimate or not. For instance, it is characteristic of infection with trojan horses such as Back Orifice or SubSeven that they open a port, waiting for some script kiddie to come by, detect the open port, and use the port to perform some malevolent act on your PC. However, it does take some experience to tell the difference between a legitimately open port and one which is the result of a hostile resident trojan horse. For this reason, it is advisable to have a good virus-checking program scan your entire system from time to time, checking for trojan horse infections. It is essential that you keep your virus-scanner up to date, with virus definition updates being applied at monthly intervals or more frequently. You need an anti-virus system more than you need a firewall.

    In the meantime, ports 137-139 and 445 themselves are a security vulnerability if the user has file-sharing or printer-sharing turned on, and many users are unaware whether they have these services turned on or not. Assuming that you do not actually want to share your hard disk or printers with other PCs on the global internet, a Windows 9x/ME user can turn these services off as follows: .....

  6. #6
    Senior Member Godsrock37's Avatar
    Join Date
    Jan 2005
    Location
    PA
    Posts
    121
    IKnowNot: wireless card is disabled, and ya, I probably could have continued there, but it would have been confusing I think, and the way I laid out the first post and asked my question was poor. I think it was also posted in a poor spot, not really wireless security at all (though at the time I didn't know that).
    Mr. Babis:
    Still not sure what your point is, but I'm sure I'll figure it out sooner or later.

  7. #7
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Go here and do an online scan:

    http://www.pandasoftware.com/products/ActiveScan.htm

    It'll pick up spyware and virii.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  8. #8
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    One more thing: you'll need to run the scan via Internet Explorer.

  9. #9
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206
    Do you have other PCs on a LAN? What are their IPs? If these IP addresses are on the same subnet I would run Ethereal and sniff these packets, and you would probably see that these are part of the normal communications between Windows boxes. For example, if you have a server on this subnet you would see that a lot of the packets that broadcast around are for electing a master browser and finding out who is on that segment. Also read MrBabis's post for these ports; it gives good info. Hope this helps.

  10. #10
    Senior Member Godsrock37's Avatar
    Join Date
    Jan 2005
    Location
    PA
    Posts
    121
    As I said in my first post, none of the IPs mentioned are actually attached to my network (the router does not list them as attached). Further, I only use IPs 1-20; the IPs in the log are all well above that range. I highly doubt that it is in fact legitimate. Once again, the fact that there is no process listed in the log specifying what program sent the packets implies to me again that it is illegitimate.
    brokencrow: thanks, I'll try it some time.
    I may give up on this one. I haven't had any more problems (nothing in logs). If it starts up again I'll start up the investigation again, but I think I'm set. But if anyone has any more ideas, let me know.
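The triage that posts #9 and #10 describe by hand (sniff or read the log, then ask whether the outbound 139/445 attempts go to hosts that actually exist on the subnet) can be scripted. This is an added example, not anything from the thread; it assumes a 192.168.1.0/24 home subnet with hosts .1-.20 in use, and the log lines are constructed in an approximation of ZoneAlarm's text-log layout rather than copied from the poster's log.

```python
import ipaddress
import re

# Constructed sample lines in a ZoneAlarm-style text-log layout (an approximation
# written for this example): event type, date, time, src ip:port, dst ip:port, protocol/flags.
SAMPLE_LOG = """\
FWOUT,2005/02/03,21:14:08 -5:00 GMT,192.168.1.5:1225,192.168.1.87:139,TCP (flags:S)
FWOUT,2005/02/03,21:14:09 -5:00 GMT,192.168.1.5:1226,192.168.1.212:445,TCP (flags:S)
FWOUT,2005/02/03,21:15:40 -5:00 GMT,192.168.1.5:1230,192.168.1.3:139,TCP (flags:S)
FWOUT,2005/02/03,21:16:02 -5:00 GMT,192.168.1.5:1231,64.233.161.99:80,TCP (flags:S)
FWOUT,2005/02/03,21:16:30 -5:00 GMT,0.0.0.0:68,255.255.255.255:67,UDP
"""

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet
KNOWN_HOSTS = range(1, 21)        # .1-.20: the only addresses the poster says are in use
SMB_PORTS = {137, 138, 139, 445}  # NetBIOS name/datagram/session and SMB over TCP
BROADCAST = ipaddress.ip_address("255.255.255.255")

LINE_RE = re.compile(r"^(?P<kind>FW\w+),[^,]+,[^,]+,(?P<src>[^,]+),(?P<dst>[^,]+),(?P<proto>.+)$")

def parse_line(line):
    """Split one log line into the fields we need; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    dst_ip, dst_port = m["dst"].rsplit(":", 1)
    return {
        "dst": ipaddress.ip_address(dst_ip),
        "dport": int(dst_port),
        "tcp": m["proto"].startswith("TCP"),
        "syn": "flags:S" in m["proto"],  # flag S is a TCP SYN: a new connection attempt
    }

def classify(rec):
    """Label one outbound event: expected LAN chatter, a DHCP request, or a scan-like probe."""
    if not rec["tcp"] and rec["dport"] == 67 and rec["dst"] == BROADCAST:
        return "dhcp-discover"          # the broadcast a client sends while asking for a lease
    if rec["dst"] in LOCAL_NET and rec["dport"] in SMB_PORTS:
        host = int(rec["dst"]) - int(LOCAL_NET.network_address)
        if host in KNOWN_HOSTS:
            return "smb-known-host"     # browser elections / share access between real hosts
        return "smb-unused-address"     # SYN to an address nothing should own: scan-like
    return "other"

def triage(log_text):
    counts, suspects = {}, []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        verdict = classify(rec)
        counts[verdict] = counts.get(verdict, 0) + 1
        if verdict == "smb-unused-address":
            suspects.append((str(rec["dst"]), rec["dport"]))
    return counts, suspects
```

A run of `triage(SAMPLE_LOG)` separates the SYNs to .87 and .212 (addresses no host should own) from the normal share traffic to .3 and the DHCP broadcast, which is the distinction the thread is reasoning about.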
