Results 1 to 10 of 10

Thread: was i hacked

  1. #1
    Junior Member
    Join Date
    Nov 2001

    was i hacked

    well I just recieved an instant message by someone who claimed to be a member. I talk to him for a few minutes and then proceded on with things. Started playing a game online and it was really laggy. Got suspicious so I then ran a check...

    went to ms-dos typed in netstat -an
    came up with syn request from ip 172.xx.184.1 - 172.xx.184.254

    then typed netstat -r

    with 3 established ports
    looked like this

    foreign address
    172.xx.134.54 syn sent
    172.xx.134.55 syn sent
    172.xx.134.56 syn sent
    172.xx.134.57 syn sent
    172.xx.134.58 syn sent 13784 established 5190 established established
    172.xx.134.116 syn sent
    172.xx.134.5 syn sent
    172.xx.134.6 syn sent
    172.xx.134.7 syn sent
    172.xx.134.8 syn sent

    it seems to me that this is a scan on my port look like it was succesful. Am i correct and how do i fix and defend. Please help me out. P3psi is a virus I believe. Where can i find it if it has been executed as i am sure it will be well hidden

  2. #2
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Seattle, WA
    It looks to me as if you're being stealth-scanned. In other words, just a slightly tricky way for them to portscan you normally...

    Er, wait... If it was a half-scan, wouldn't it show 'ACK sent', since it is Syn-Ack-Syn? Anyone else want to elaborate on what netstat is trying to say here? I've hardly ever had non-established or non-listening states pop up.

    Did it say what port was at? Are you sure you weren't just browsing a page there or something? I would suggest getting either The Cleaner from or Tauscan from , both trojan scanners and removers. I've never heard of a 'p3psi' trojan, though.
    [HvC]Terr: L33T Technical Proficiency

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Er, wait... If it was a half-scan, wouldn't it show 'ACK sent', since it is Syn-Ack-Syn? Anyone else want to elaborate on what netstat is trying to say here? I've hardly ever had non-established or non-listening states pop up.
    I don't really know much about scanning people for vulnerabilities, but if I remember my tcp/ip correctly an ack will only be sent from a listening port. Non-listening ports will respond with a rst, though I don't think you'll see either activity from netstat.

    I have no idea how they got the output they posted by using the -r switch, that just displays the routing table.

    pepsi is a udp flooder, never heard of p3psi.

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Get a firewall !

    If you want more detailed info about these things, some kind of Intrusion Detection System would maybe help, though most firewalls log *everything* thrown at them!
    One Ring to rule them all, One Ring to find them.
    One Ring to bring them all and in the darkness bind them.
    (The Lord Of The Rings)

  5. #5
    Join Date
    Oct 2001
    foreign address syn sent <--- is an internal network address syn sent syn sent syn sent syn sent 13784 established <---your chat buddy 5190 established <----AOL Instant Messanger established <---looks like a machine name syn sent syn sent syn sent syn sent syn sent

    agree, get a good little firewall like Tiny Personal Firewall (if windows user).

  6. #6
    psi0nic is right
    sometimes after talking on Icq/AIM the ip of the person will show up when you run netstat.

  7. #7
    Senior Member
    Join Date
    Sep 2001
    If you are playing an online game than those other adresses would probably be the other players that you are playing against.
    Are you running a firewall?
    [gloworange]\"A hacker is someone who has a passion for technology, someone who is possessed by a desire to figure out how things work.\" [/gloworange]

  8. #8
    Did you direct connect to your AIM buddy? He/She may have been spoofing bombnet; in which case his/her IP would show up in a netstat ( if he/she were spoofing), although I don't know what is.

  9. #9
    Junior Member
    Join Date
    Nov 2001
    Well, I put up a firewall. Upon which I recived a waring message that a progam called MIRC32.exe was attempting to act a server.
    I proceded to dissconnect and lock the port.
    Now the problem is that when I dissable the firewall, the program reattempts to establish the connection. So i searched for the Program....Once i found windows as a file, with no directory extensions, i tried to delete it. Said it was currently being used. So i entered the editreg command under run and tried to find it. I am really not that familiar with the reg (something i am currently reading up on ). I read the readme file hidden on the program and it specifies connection to certain ports not sure exactly....I think it was 6190 and 34720 or something like that the ones that netscan picked up. It also talked about transfering files....i will post that readme later tonight...i am at work now.

    Anyone one with some real knowledge of the all so famous reg please lend me a hand on figuring out what this program is and where it is hidden....
    One more hint the things executes, or should i say pops up when i soon as windows loads up there it is, and then its gone, as though its told to load, attempt to establish a connection, and then dissapear. Probably a bad attempt by somebody to write their own code, and is not written correctly to remain completley hidden....
    thanks again

  10. #10
    Senior Member
    Join Date
    Jul 2001
    Mirc is a windows based IRC client. Unless you are using Mirc (or have even downloaded it) it shouldn't be popping up as trying to connect. If you have never installed it and aren't using it at the time it tries to connect, it sounds like it could be a trojan (subseven maybe) masquerading as Mirc. Get the cleaner as Terr suggested and run it. Good luck.

    Happy Hacking
    Warfare is the Way of deception.
    -Sun Tzu \"The Art of War\"

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts