Thread: i got hacked

  1. #1
    Hamster without a wheel iain's Avatar
    Join Date
    Aug 2001
    Posts
    1,385

    i got hacked

    I was in Yahoo chat the other day and I got hacked. I know it was a hack because the intruder told me what he was about to do, and even though I have ZoneAlarm and BlackICE Defender running he killed all instances of IE.

    Well, I just downloaded a port scanner to check how vulnerable my connection is, and the only responding port was port 139 nbsession. I guess this is NetBIOS; is this a major vulnerability?
    Monday - what a way to spend a seventh of your life

  2. #2
    _B-L-U-E_ Betazep's Avatar
    Join Date
    Aug 2001
    Posts
    1,412
    When you are in a chat... you have other ports open. Those ports can be exploited because you have already allowed access by the Yahoo chat program in your ZoneAlarm config... else why would you be connected at all, right? So it is most likely an exploit to the application you are running and not the NetBIOS session (which will give you an alarm with ZoneAlarm if there is a connect).

    edit... also... run netstat -a while connected to the internet to see what ports you have listening or connected. You have more ports listening than 139... believe me.
    Last edited by Betazep; 01-10-2002 at 06:17 PM.
    Blue
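
Added example, not part of any post in this thread: one way to read the `netstat -a` listing suggested above is to separate sockets that are only bound to loopback from those bound to a real interface, and to label the NetBIOS/SMB ports. The sample output is constructed (addresses and ports are made up), and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of Windows `netstat -an` output.
# Every address and port below is made up for illustration.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5101           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      203.0.113.7:5050       ESTABLISHED
  UDP    192.168.1.20:137       *:*
  UDP    192.168.1.20:138       *:*
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
NETBIOS_SMB = {137: "NetBIOS name", 138: "NetBIOS datagram",
               139: "NetBIOS session", 445: "SMB"}

def scope(addr):
    """How widely a bound address is reachable, before any firewall."""
    if addr.startswith("127.") or addr == "[::1]":
        return "loopback"
    if addr in ("0.0.0.0", "[::]"):
        return "all-interfaces"
    return "one-interface"

def listeners(text):
    """Return (proto, addr, port, scope) for every listening socket."""
    found = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, header or blank line
        proto, addr, port, foreign, state = m.groups()
        if (proto == "TCP" and state == "LISTENING") or (proto == "UDP" and foreign == "*:*"):
            found.append((proto, addr, int(port), scope(addr)))
    return found

def review(text):
    """Listeners reachable off-host, NetBIOS/SMB ones labelled."""
    return [(p, a, port, s, NETBIOS_SMB.get(port, ""))
            for p, a, port, s in listeners(text) if s != "loopback"]

if __name__ == "__main__":
    for row in review(SAMPLE):
        print("%-4s %-15s %-6d %-15s %s" % row)
```

netstat reports what the host has bound, not what a packet filter lets through, so a listener in this list still has to be checked from outside the machine.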

  3. #3
    _B-L-U-E_ Betazep's Avatar
    Join Date
    Aug 2001
    Posts
    1,412
    Oh, and www.grc.com is a decent place to start for comp security. Not the definitive website, but it has interesting tools just the same.
    Blue

  4. #4
    aurė entuluva! mithrandir's Avatar
    Join Date
    Aug 2001
    Posts
    1,209
    Here's an okay list of most IP port numbers, if not all. Can't remember where I got it, but here it is...

  5. #5
    Hmm...I'd suggest finding a way to get a proxy...It may not keep the best hacker out, but for some script kiddie like that guy sounded like, it'll keep him out.
    What will people say if they hear that I'm a Jesus freak?
    What will people do if they find that it's true?
    I don't really care if they label me a Jesus freak, there is no disguising the truth!

    Jesus Freak, D.C. Talk

    -gnu-ehacks

  6. #6
    _B-L-U-E_ Betazep's Avatar
    Join Date
    Aug 2001
    Posts
    1,412
    Yeah... use A4Proxy. It is a good program and they have a lot of proxy servers that you can use. This way it will look like you are coming from somewhere else and

    quote...

    for some script kiddie like that guy sounded like, it'll keep him out


    Blue

  7. #7
    train spotter
    Join Date
    Aug 2001
    Location
    near a computer
    Posts
    3,868
    Did your ZoneAlarm log his IP?

    Very hard to spoof IPs unless running XP, UNIX etc. (Need raw sockets)

    In Win2000 can do it but need additional drivers / code.

    I would be searching for trojans. (as I would have sent one in)
    Try a search for files with *.dil. (Sub7 installs a .dIl (note capital i) and can be sent in thru a zombie or evil bot)
    "Man alone suffers so excruciatingly in the world that he was compelled to invent laughter."
    Friedrich Nietzsche

    "I spent a lot of my money on booze, birds and fast cars......the rest I squandered."
    George Best

    "If you are going through hell....keep going."
    Winston Churchill

  8. #8
    Hamster without a wheel iain's Avatar
    Join Date
    Aug 2001
    Posts
    1,385
    He was running Unix. After I reconnected I found his ID and asked him how he did it. He ran an IP grabber from nix to find me. How he picked me from the chat room and got my IP - he wouldn't say.
    Monday - what a way to spend a seventh of your life

  9. #9
    _B-L-U-E_ Betazep's Avatar
    Join Date
    Aug 2001
    Posts
    1,412
    >>>Don't underestimate the insecurity of NetBIOS!!!


    NetBIOS is insecure, but both Zone Alarm and Black Ice monitor and close the Net* ports (137,139, etc). A scan internal to the system will show them as open... but from the outside they are closed.

    The obvious connection here is that he was on a chat room that opens ports and requests access to do so from the software firewall.

    Once you grant access, those ports are exploitable.

    Else... as someone suggested, he has a trojan.

    (Could it be other things... sure... can't it always, but don't throw the guy off with these hackers demystified comments.)

    I suggest you update your system software and be careful who you talk to in chats...
    Blue

  10. #10
    _B-L-U-E_ Betazep's Avatar
    Join Date
    Aug 2001
    Posts
    1,412
    >>>You shouldn't trust a desktop firewall blindly.


    Agreed... you shouldn't trust anything blindly.



    (god this is the same old discussion... someone whose friend's friend's dog is a computer hacker that knows how to defeat a software firewall by deleting internal dll files or whatever).



    Chat programs are the number one exploit on the net. Why do you think that is?
    Blue

  11. #11
    r0gu3
    Guest
    If you scan using port 79 I believe ZoneAlarm will accept the traffic as local. As for BlackICE and ZoneAlarm, they are easy to remotely take down...

    A better choice of firewall would be Tiny Personal Firewall or NeoWatch... As for NetBIOS, it is extremely insecure even with a firewall running... and password protecting might keep the script kiddies out, but there is a recently released exploit that will overflow the password protocol and allow you access as if there was no password...

  12. #12
    r0gu3
    Guest
    "don't know how it works exactly, but if you know Windows and its shell well, you can read + write from any Windows computer hdd that runs NetBIOS in default configuration."

    a trained monkey could do this... it is not hard at all...

    Also, on another note, having port 139 active does not necessarily make you vulnerable, as most cable and some ADSL, DSL companies require port 139 in order for NetBIOS identification... you are only vulnerable if you have shared drives or a shared printer...

  13. #13
    Registered User dirkduck's Avatar
    Join Date
    Aug 2001
    Posts
    428
    Port 139 is about the easiest port to get through, heck, I can get through that port. You need to close it off if you're not on a network. Go to Start > Settings > Control Panel > Network > File and Printer Sharing > uncheck both the boxes. That will close off the port and you're good to go!
