-
July 16th, 2002, 04:34 AM
#11
Senior Member
I agree w/ AngryBob. If the system has truly been compromised, it's time to scrape and nuke, then lay down a nice fresh install.
just making some minor adjustments to your system....
-
July 16th, 2002, 04:42 AM
#12
Does netstat show anything? Look for high port numbers; usually that's a good indication. Also, did you change all of your passwords? Do that, and make sure to rename the administrator account. Also look at the services your computer is running, and see if there is anything strange in there. Usually if you have something, the hackers will name it something that looks legit, so be careful. Really, truly, if you can't figure it out, wipe the hard drive and reinstall XP; otherwise every time something strange happens you are going to think... uh oh, it's because I got hacked. By the way, are you on DHCP or do you have a static IP?
-
July 16th, 2002, 05:47 AM
#13
Junior Member
Hey Bob and Jeb: I didn't do a full reinstall, but a friend came over and made sure every port was closed, and we did a reinstall of my firewall, so that got rid of the breach alerts. He eliminated everything that was suspect when he surveyed the running items in Norton's Process Viewer. He also went onto his server through telnet to check the backtrace on the IP addresses in question. They all seemed to be either Microsoft, Cablevision or Doubleclick. The only remaining glitch is that there is an anonymous logon on boot-up, but nothing in my machine is trying to broadcast out any longer. Is there a way to identify the anonymous logon? He didn't check it out completely, but he will look into it this week. He is speculating it is something that XP does when the system thinks a single computer is a network.
Thanks for all the good advice.
-
July 24th, 2002, 10:31 PM
#14
Junior Member
Hass said...
I have no idea if someone has established incoming. I do know that this is part of the detail when I backtrace the IP (which always shows up as my cable provider).
It could be someone on your ISP (backtraces almost always show up as the ISP) or someone could be spoofing the packets.
-
July 24th, 2002, 10:38 PM
#15
ntoskrnl.exe is the file that holds, among some other things possibly, but I know for sure, the boot screen: when you turn your computer on and it shows Windows XP with the little line moving around. You can make it show whatever you want when it boots up with a little help from Restorator. Are you the only user? Could it be possible that you or someone else decided to change that boot screen to something custom? If so, that is why it has been modified.
Violence breeds violence
we need a world court
not a republican with his hands covered in oil and military hardware lecturing us on world security!
-
July 25th, 2002, 03:24 AM
#16
Junior Member
Backups, maybe?
Do you by any chance have a backup of your ntoskrnl.exe? I think with XP you have a go-back feature for single files...
Or, you might be able to extract a copy of ntoskrnl from one of the XP install discs. Don't ask me which one, though. It might clear your problem...
"One day while logged on as root, I was experimenting with pipes, so I typed 'ls -l > /dev/hda'. The one thing I learned from that experiment was that I need to experiment with backing up more often "
BEGIN VIRUS.EXE
There is no spoon, but you yourself that bends...
END VIRUS.exe
-
August 3rd, 2002, 03:07 AM
#17
Member
Hi!
Try Tiny Personal Firewall to detect open ports & their apps. It's like $ netstat -lnp in Linux.
You can detect some trojans, but if he/she changed the kernel, your game is over.
Good Hunting!
ByE!
Groby
-
August 14th, 2002, 03:36 PM
#18
Member
Re: Net Bios intrusion
Originally posted here by hass
It appears that my Sygate Personal Firewall has let in a hack that has modified my ntoskrnl.exe. I have not accepted the changes that it has made, but my security log tells me it is trying to broadcast out every day and considers it a major security breach. It is trying to go out on my UDP ports and it is using NetBIOS. I have shut off printer sharing. Can anyone tell me how to rid myself of the little devil?
Try this tool: Network Monitor, to check which port is open and where it wants to connect to the remote endpoint. www.leechsoftware.com
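The netstat-based checks that posts #12, #17 and #18 recommend (look at what is listening, watch for sessions to high remote ports, and see which NetBIOS/SMB ports are still open after turning sharing off) can be scripted against a saved `netstat -ano` listing so the same review can be repeated after each change. The following is an added example, not code from this thread or from any of the tools mentioned. The listing it parses is constructed to look like Windows XP `netstat -ano` output with made-up TEST-NET addresses and PIDs, and `BASELINE_LISTENERS` is a hypothetical known-good set that you would build yourself from a clean install of the same machine.

```python
"""Triage of Windows `netstat -ano` output for the checks this thread recommends.

Added example, not code from the thread.  The sample listing below is
constructed to look like Windows XP `netstat -ano` output; the addresses and
PIDs are made up (TEST-NET ranges), and BASELINE_LISTENERS is a hypothetical
known-good set a reviewer would build from a clean install of the same box.
"""
from collections import namedtuple

Sock = namedtuple("Sock", "proto laddr lport raddr rport state pid")

# Constructed sample: paste real `netstat -ano` output here to run it for real.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3456           0.0.0.0:0              LISTENING       1502
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:1034        198.51.100.20:80       ESTABLISHED     1240
  TCP    192.0.2.10:1041        198.51.100.20:4444     ESTABLISHED     1502
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.0.2.10:137         *:*                                    4
  UDP    192.0.2.10:138         *:*                                    4
"""

# Hypothetical baseline: (proto, port) pairs you expect to be listening on a
# default XP install with file/print sharing on.  Build yours from a clean box.
BASELINE_LISTENERS = {("TCP", 135), ("TCP", 139), ("TCP", 445),
                      ("UDP", 137), ("UDP", 138), ("UDP", 445)}

# NetBIOS / SMB ports the original poster's firewall is complaining about.
NETBIOS_PORTS = {137, 138, 139, 445}


def _split_endpoint(endpoint):
    """'192.0.2.10:139' -> ('192.0.2.10', 139); '*:*' and ':0' give port None."""
    addr, port = endpoint.rsplit(":", 1)
    return addr, (None if port in ("*", "0") else int(port))


def parse_netstat(text):
    """Parse `netstat -ano` lines into Sock records; header lines are skipped."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0]
        laddr, lport = _split_endpoint(parts[1])
        raddr, rport = _split_endpoint(parts[2])
        if proto == "TCP":            # TCP rows carry a State column
            state, pid = parts[3], int(parts[4])
        else:                         # UDP rows have no State column
            state, pid = "", int(parts[3])
        socks.append(Sock(proto, laddr, lport, raddr, rport, state, pid))
    return socks


def triage(socks, baseline=BASELINE_LISTENERS):
    """Apply the thread's three heuristics and group hits by category."""
    findings = {"unexpected-listener": [], "outbound-high-port": [],
                "netbios-listener": []}
    for s in socks:
        # A UDP socket whose peer is '*:*' is bound/listening; TCP says so itself.
        listening = s.state == "LISTENING" or (s.proto == "UDP" and s.raddr == "*")
        if listening and (s.proto, s.lport) not in baseline:
            findings["unexpected-listener"].append(s)
        if listening and s.lport in NETBIOS_PORTS and s.laddr != "127.0.0.1":
            findings["netbios-listener"].append(s)
        # Post #12's rule of thumb: an established session to a high remote port.
        if s.state == "ESTABLISHED" and s.rport is not None and s.rport > 1023:
            findings["outbound-high-port"].append(s)
    return findings


def suspicious_pids(findings):
    """PIDs to look up in Task Manager / a process viewer (post #13's step)."""
    return {s.pid for cat in ("unexpected-listener", "outbound-high-port")
            for s in findings[cat]}


if __name__ == "__main__":
    hits = triage(parse_netstat(NETSTAT_SAMPLE))
    for category, socks in hits.items():
        for s in socks:
            peer = "" if s.rport is None else f" -> {s.raddr}:{s.rport}"
            print(f"{category:20} {s.proto} {s.laddr}:{s.lport}{peer} pid={s.pid}")
    print("PIDs to investigate:", sorted(suspicious_pids(hits)))
```

On the constructed sample the script flags the listener on TCP 3456 and the session to remote port 4444, both owned by PID 1502, which is the process to look up next; it also lists the five NetBIOS/SMB sockets still bound to non-loopback addresses, which should disappear once file and printer sharing are really off. The baseline set is the part that matters: a listener that is normal on one machine is the finding on another, so generate it from a clean install rather than trusting the numbers above.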
-
August 14th, 2002, 05:41 PM
#19
Banned
Re: original post...
You say you have printer sharing off, but do you also have file-sharing turned off?