-
Question- was I hacked?
Hello!
I am new here and I was wondering if someone could give me some help.
I have Norton Internet Security 2003 running on Windows XP and recently when I took a look at my Norton Internet Security log file, I noticed this whenever I boot up:
-Rule "Block Windows File Sharing" blocked communication. Local address: Forensics(169.254.240.228)(netbios-ssn(139))
Process name is "System"
I never noticed this message before and that is definitely not my IP address.
I also noticed that my computer would automatically shut down for no reason whatsoever whenever I'm on the internet. It has happened about 3 times in the last 2 weeks or so, most recently today.
I scanned my entire computer with Norton antivirus today but it found nothing.
Can anyone help explain what's going on? Should I be alarmed by this?
I've also been getting a lot of these messages popping up on my Norton Internet Security:
-Rule "Default Block Microsoft Windows 2000 SMB" stealthed (203.198.103.164,microsoft-ds(445))
Inbound TCP connection
Local address,service is (0.0.0.0,microsoft-ds(445))
Remote address,service is (203.198.103.164,32801)
Process name is "System"
Whenever that occurred, I would just copy the IP address and put them under the "restricted" section with Norton Firewall which prevents any type of communication with that IP address and my computer.
But it's been happening a lot lately. Should I be alarmed?
I'd appreciate any help!
-
I would not worry about the 169.x.x.x traffic on boot; it sounds like typical behavior. I am assuming that you are on dialup or DSL and have to actually dial out to connect to the internet, which means when you boot, your machine receives no IP address for that interface and uses a link-local address, 169.x.x.x. Then Windows attempts to talk to itself and ends up sending traffic to that address for some reason. Norton can probably be configured to ignore that if you want, without much danger, as the 169.x.x.x addresses are not internet routable (although someone could send traffic TO your machine FROM that address, assuming there are lots and lots of misconfigured routers between them and you; they would never receive the responses though).
As far as shutting down while you are on the internet, I would be a bit concerned about this, but there are so many likely causes that I would think first about other things than a hacker. I have no suggestions though for a fix. Is there any other strange behavior like this? Also, are there any unusual firewall log entries about the time this happens?
As for all those other connections, those look fairly innocuous as well. Sure, some machine is attempting to connect to yours for some reason, either due to misconfiguration or intent on the user's part, but Norton is doing what it is supposed to do: alert you and block the connection if you desire. I would not worry too much about it. Make a mental note of it when it happens, perhaps add it to the always drop list. Of course make sure you keep an eye on your logs etc.
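A way to triage log entries like the ones quoted in the first post, added here as an example and not part of any poster's reply: it labels each address in an entry (link-local, unspecified, private, public) and counts blocked port 139/445 entries per public source. The sample log is constructed from the entries in the thread, and the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the two entries quoted in the first post, plus one repeat.
SAMPLE_LOG = '''\
-Rule "Block Windows File Sharing" blocked communication. Local address: Forensics(169.254.240.228)(netbios-ssn(139))
-Rule "Default Block Microsoft Windows 2000 SMB" stealthed (203.198.103.164,microsoft-ds(445))
Local address,service is (0.0.0.0,microsoft-ds(445))
Remote address,service is (203.198.103.164,32801)
-Rule "Default Block Microsoft Windows 2000 SMB" stealthed (203.198.103.164,microsoft-ds(445))
'''

RULE_RE = re.compile(r'Rule "([^"]+)"')
IP_RE = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b')
SMB_PORT_RE = re.compile(r'\((139|445)\)')  # netbios-ssn and microsoft-ds

def classify(addr):
    # Test link-local before private: 169.254.0.0/16 also counts as private.
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_unspecified or ip.is_link_local:
        return "unspecified" if ip.is_unspecified else "link-local"
    return "private" if ip.is_private else "public"

def parse_entries(text):
    # Each 'Rule "..."' line opens a new entry; later lines add detail to it.
    entries = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            entries.append({"rule": m.group(1), "addresses": {}, "smb_ports": set()})
        if not entries:
            continue  # ignore anything before the first rule line
        for addr in IP_RE.findall(line):
            entries[-1]["addresses"][addr] = classify(addr)
        entries[-1]["smb_ports"].update(int(p) for p in SMB_PORT_RE.findall(line))
    return entries

def public_smb_sources(entries):
    # Count blocked file-sharing entries per routable (public) address.
    hits = Counter()
    for e in entries:
        if e["smb_ports"]:
            hits.update(a for a, kind in e["addresses"].items() if kind == "public")
    return hits
```

Calling `public_smb_sources(parse_entries(SAMPLE_LOG))` leaves the boot-time 169.254.x.x entry out of the count and reports only the routable source that kept hitting port 445.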
-
Thanks
I really appreciate your reply!
Thanks for the info!
-
Even though your firewall is doing its job, unless you have need of it, it would be prudent to remove file and print sharing. Firewalls have been known to crash on their own or from DoS attacks meant to accomplish this, and even though your FW may have all the latest patches and fixes, you never know when a new one will come out.
-
How to?
Although I have a printer attached to my computer I have no need to share files.
How would you recommend I disable file sharing? Would it be through the firewall or through the general control panel?
Sorry, I am new at this sort of thing. I would greatly appreciate any instructions you could offer me.
-
Disable it through the Control Panel.
-
Go to your network settings and not only unselect file and printer sharing but remove it from your hard drive.
-
Ideally you want to disable file/print sharing if possible and/or remove from control panel (under network), and also block it in the firewall. I am not familiar with Norton Firewall (I use Outpost) but you may want to set it up to log connection attempts to that port just so you can see if anything is going on. But 169.xxx.xxx.xxx is Microsoft's IP address when the machine can't get an IP from a DHCP server.
-
Thanks!
Thanks to everyone for all your helpful information!
-
The request to port 445 could have been the Deloder worm stumbling across your IP and deciding to give it a try to see if you have a weak admin password. But the firewall did its job... Just for anyone else that stumbles across this post: if you are using Windows, your administrator password should not be one of the following:
'(empty)'
'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
'admin'
'Admin'
'password'
'Password'
'1'
'12'
'123'
'1234'
'12345'
'123456'
'1234567'
'12345678'
'123456789'
'654321'
'54321'
'111'
'000000'
'00000000'
'11111111'
'88888888'
'pass'
'passwd'
'database'
'abcd'
'abc123'
'oracle'
'sybase'
'123qwe'
'server'
'computer'
'Internet'
'super'
'123asd'
'ihavenopass'
'godblessyou'
'enable'
'xp'
'2002'
'2003'
'2600'
'0'
'110'
'111111'
'121212'
'123123'
'1234qwer'
'123abc'
'007'
'alpha'
'patrick'
'pat'
'administrator'
'root'
'sex'
'god'
'foobar'
'a'
'aaa'
'abc'
'test'
'test123'
'temp'
'temp123'
'win'
'pc'
'asdf'
'secret'
'qwer'
'yxcv'
'zxcv'
'home'
'xxx'
'owner'
'login'
'Login'
'pwd'
'pass'
'love'
'mypc'
'mypc123'
'admin123'
'pw123'
'mypass'
'mypass123'
'pw'
-
When a computer just shuts off by itself, it might not be due to your CPU temperature. I knew someone that had a computer that would shut off when they were on the internet due to the CPU overheating. If I were you, I would check to make sure all your fans are working properly.
-
Good point
Good point, Yummy. That could be it with my computer overheating since it is a 3 GHz PC.
But the fans are working fine and I just bought it back in December though.
Thanks for the tip!