-
Possibly Hacked?
I'm not sure if I was, but this morning I started up Trillian and noticed someone who uses bsdmail wanted to talk to me on MSN, so I accepted it and he isn't there. Yesterday I was having big problems with the system: lag in internet, lag in the system, which may have lagged IE. So now I'm looking at my incoming access log from Linksys, and some higher ports have been logged from what looks like a RoadRunner IP. Here's some of the ports and whatnot.
61.111.1.99 17300
64.156.39.12 1026
202.108.249.21 1434
194.117.3.34 111
64.158.165.60 1434
64.156.220.155 1434
64.156.39.12 1026
216.41.60.143 1433
140.99.186.4 1108
68.23.127.182 27374
203.136.81.13 1434
66.52.249.70 1026
64.159.93.121 1434
211.151.23.229 1434
209.179.53.43 1434
65.128.200.132 27374
63.205.136.107 3077
192.38.233.143 443
67.169.110.132 27374
216.40.246.25 1377
81.130.125.49 1434
65.59.191.77 1434
217.234.87.103 1433
208.172.64.135 1206
64.74.136.173 12380
64.74.136.18 31071
64.74.136.20 12848
64.74.136.183 23597
64.74.136.74 23603
64.74.136.134 12848
69.25.16.25 23603
64.74.136.125 11569
64.74.136.185 28261
64.74.136.179 14428
64.74.136.133 23653
64.74.136.21 25965
69.25.16.146 12380
69.25.16.88 11569
69.25.16.222 12595
64.74.136.127 24927
64.74.136.152 31071
69.25.17.217 25965
64.74.136.165 28261
64.74.136.45 25965
64.74.136.47 14428
69.25.16.123 12380
69.25.18.23 23600
69.25.16.8 24927
69.25.17.88 24370
69.25.19.129 12380
69.25.18.209 27497
69.25.17.182 29744
69.25.17.100 25965
69.25.16.136 23653
69.25.16.15 11570
69.25.16.178 28530
69.25.17.209 12380
69.25.16.12 12380
69.25.16.225 28261
64.74.136.150 26977
64.74.136.147 25951
62.212.83.156 13404
69.25.16.14 31081
64.74.136.128 31071
69.25.17.158 12380
64.74.138.238 13104
69.25.16.11 23601
64.74.136.175 13108
69.25.16.188 13148
69.25.17.92 13916
Look suspicious? Thanks
-
When in doubt, I always "SCAN"......I would certainly start the computer in safe mode, and scan with the AV (ensuring it's updated with the latest definitions), Spybot and Ad-aware. If you can, let me know what you find...
-
Norton did its weekly thing Friday and everything was AOK, and I never disable it. I'm scanning with Ad-aware now.
-
Spybot search and destroy seems to work faster and better for me. You can grab it at download.com. It's also free. I used to use ad-aware (still very cool) until I found this app.
-
http://www.iana.org/assignments/port-numbers
Port listing for just about every app you can think of.
-
I'm going to go out on a limb, since your syslog IMHO is fairly worthless. Several of the ports come back as trojans, worms, and viruses.
Would I fall off the limb if I told you to get rid of Kazaa, or whatever P2P software you are using? Some versions of Kazaa appear to be infected, but I never have figured out if they actually were.
If your antivirus isn't picking up anything, get a second opinion.
-
Ooh, nobody said anything about a firewall yet? Firewalls help a lot; that way you would know what application/service those IP(s) were attempting to connect to...
-
lol....I figured that went without saying (my bad) :)
-
Well, I didn't have a firewall up :p, figured the router would cover me well. But I have BlackICE now and just got the basic probes.
All the scans showed up negative.
Something I didn't tell you: when the computer was laggy, Norton wasn't autoloading, and the option for it to be loaded was off, along with email; reading error
-
ok, what scans showed up negative?
At the risk of being redundant....did you make sure all definitions for your spy killers were updated?
Did you try with another AV scanner? It sounds like your Norton may be sick... there was a rumored exploit some time back that was rumored to erase some of Norton's files. I don't know if it is true or not. If you have worms and viruses (which, going by the ports you listed above, is possible), your spy killers won't get them anyway.
Also, once you think you have your firewall working, go to the following link:
https://grc.com
Run the Shields Up probe for common ports. Tweak your firewall, then run again.
-
All programs are up to date with definitions. The scans were antivirus and Ad-aware. Going to test the firewall now.
-
I always let someone scan me, and then get the results...
Choose someone who can nmap you. That's the best scanner IMO.
I'll nmap you if you want ;) , get up on irc ( irc.shrekkie.com).
Cheers,
-
Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.
Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)
Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.
-
Ad-aware is a great program; I use it a lot. If all else fails, make sure, if you're using the newer version, to customize your settings; there are a couple of tweaks that help me find a lot more spyware. Just an idea..... There is also a free version of Kazaa, if you use it, named Kazaa Lite, which doesn't have the spyware.
-
hi strandedthinker,
you are in what I would describe as "semi-promiscuous mode" at the moment...........and before any of my fellow AO perverts get too excited...........I mean that you are visible on the net, and open to all sorts of attacks. You need to tune your firewall not to respond to probes.
I do not know what you have, but even the free ZoneAlarm set to high security will make a better job.
You must do your AV and malware scans after booting in SafeMode........the malware can "defend itself" these days.
Keep us posted
Cheers
-
nihil is right,
First turn off your ping replies, 'cause lots of people out there do large ping sweeps, and select those nice, lively machines like yours to do some deeper scans.
Letting your box drop ping requests is the first step to a more secure system.
Greetz,
-
Reading through these posts again, I noticed you never said what OS you are using. Techniques vary, depending on what you run on your box.
In general (with your firewall), it is best to block everything , then allow things as you need them. I'm not familiar with Blackice, but it seems to me (from other users) that it is not the most user friendly.
A note about your logs....depending on how you have them set, you'll probably see a lot of traffic...I would wager that 99% is probably normal.
Also, did you run a second antivirus scan? Ad-aware and Spybot DO NOT remove worms and trojans. Nihil had a link for an Australian company that has a nice trojan scanner and a registry protector. Search through threads he has been active in, and I wager you will find the link.
Cheers
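As an added example (mine, not code posted by anyone in this thread): a small Python script that reads "source IP, destination port" lines like the ones in the first post, labels the well-known ports the later replies call out, counts hits per /24 so a scanning range stands out from one-off probes, and then applies the "block everything, then allow what you need" policy plus the drop-ping advice from the last posts to show which of those hits a default-deny firewall would actually have answered. The sample lines are a constructed subset of the posted log; the port labels are the standard assignments (IANA registered services for 111/443/1433/1434, and 27374 as the SubSeven backdoor's default port), and the allow-list containing only port 443 is a placeholder for whatever the machine really needs to expose.

```python
"""Annotate router-style "IP port" log lines and apply a default-deny policy.

Added example for this thread, not code from any of its posts. SAMPLE_LOG is a
constructed subset of the lines the original poster pasted; the port labels are
the standard assignments for those ports.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: a subset of the "source-IP destination-port" lines posted above.
SAMPLE_LOG = """\
202.108.249.21 1434
194.117.3.34 111
216.41.60.143 1433
68.23.127.182 27374
192.38.233.143 443
64.74.136.173 12380
64.74.136.18 31071
69.25.16.25 23603
69.25.16.146 12380
"""

# Destination ports worth flagging in an inbound log: (service label, why a defender cares).
KNOWN_PORTS = {
    111:   ("sunrpc/portmapper", "RPC service enumeration"),
    443:   ("https", "web server probe"),
    1433:  ("ms-sql-s", "SQL Server login probe"),
    1434:  ("ms-sql-m", "SQL Server resolution service (Slammer worm target)"),
    27374: ("SubSeven (trojan default port)", "backdoor scan"),
}

def parse_log(text):
    """Return (src_ip, dst_port) tuples; lines that are not 'IP port' are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            entries.append((ip_address(parts[0]), int(parts[1])))
        except ValueError:
            continue
    return entries

def annotate(entries):
    """Attach a service label to each entry; unknown ports get sent to the IANA list."""
    out = []
    for ip, port in entries:
        name, why = KNOWN_PORTS.get(port, ("unlisted high port", "check the IANA port list"))
        out.append({"src": str(ip), "port": port, "service": name, "note": why})
    return out

def noisy_networks(entries, prefix=24):
    """Count hits per source /prefix so a range sweeping you stands out from single probes."""
    counts = Counter()
    for ip, _ in entries:
        counts[str(ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return counts

def evaluate(entries, allowed_ports, answer_ping=False):
    """Default-deny: only ports in allowed_ports are answered, everything else drops.

    answer_ping models the GRC 'Ping Reply' check quoted in the thread: False means
    ICMP echo requests are dropped, which is the recommended setting.
    """
    decisions = [(str(ip), port, "allow" if port in allowed_ports else "drop")
                 for ip, port in entries]
    return {"decisions": decisions, "icmp_echo": "reply" if answer_ping else "drop"}

if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    for row in annotate(hits):
        print(f"{row['src']:>16} -> {row['port']:<6} {row['service']} ({row['note']})")
    print("hits per /24:", noisy_networks(hits).most_common(3))
    # Placeholder allow-list: 443 stands in for whatever this box really needs to serve.
    print(evaluate(hits, allowed_ports={443}))
```

With the placeholder allow-list, only the single hit on 443 would be answered; every SQL, RPC and SubSeven probe, and all of the unlisted high ports, fall through to the drop rule, and the ICMP echo setting shows whether the box would still light up a ping sweep.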