i got hacked

iain
01-10-2002, 05:23 PM
I was in Yahoo chat the other day and I got hacked. I know it was a hack because the intruder told me what he was about to do, and even though I have ZoneAlarm and BlackICE Defender running he killed all instances of IE.

Well, I just downloaded a port scanner to check how vulnerable my connection is, and the only responding port was port 139 nbsession. I guess this is NetBIOS; is this a major vulnerability?

Betazep
01-10-2002, 05:38 PM
When you are in a chat... you have other ports open. Those ports can be exploited because you have already allowed access by the Yahoo chat program in your ZoneAlarm config... else why would you be connected at all, right? So it is most likely an exploit to the application you are running and not the NetBIOS session (which will give you an alarm with ZoneAlarm if there is a connect).

edit... also... run netstat -a while connected to the internet to see what ports you have listening or connected. You have more ports listening than 139... believe me.
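
One way to read the output of the netstat check suggested above, as an added example that is not part of the original posts: a Python sketch that parses `netstat -an` output (the numeric form of the same command), lists every socket accepting inbound traffic, and marks the NetBIOS ports 137-139 discussed in this thread. The sample output, its addresses and ports, and the function names are constructed for illustration.

```python
# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5101           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.7:5050       ESTABLISHED
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

# IANA service names for the NetBIOS-over-TCP/IP ports.
NETBIOS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}

def parse_netstat(text):
    """Return (proto, local_ip, local_port, state) for each socket line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # skip headers and blank lines
        ip, _, port = parts[1].rpartition(":")
        if not port.isdigit():
            continue
        # UDP has no State column; a bound UDP socket accepts datagrams.
        state = parts[3] if parts[0] == "TCP" and len(parts) > 3 else "BOUND"
        rows.append((parts[0], ip, int(port), state))
    return rows

def listening(rows):
    """Keep sockets that accept inbound traffic; mark loopback and NetBIOS."""
    out = []
    for proto, ip, port, state in rows:
        if state not in ("LISTENING", "BOUND"):
            continue  # established or closing connections are not listeners
        out.append({"proto": proto, "ip": ip, "port": port,
                    "loopback_only": ip.startswith("127.") or ip == "[::1]",
                    "netbios": NETBIOS.get(port)})
    return out

if __name__ == "__main__":
    for s in listening(parse_netstat(SAMPLE)):
        scope = "loopback only" if s["loopback_only"] else "network-facing"
        note = f"  <- {s['netbios']}" if s["netbios"] else ""
        print(f"{s['proto']} {s['ip']}:{s['port']}  {scope}{note}")
```

This shows what the host itself has bound; whether a firewall lets outside traffic reach those sockets has to be checked from another machine.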

Betazep
01-10-2002, 06:18 PM
Oh, and www.grc.com is a decent place to start for comp security. Not the definitive website, but it has interesting tools just the same.

mithrandir
01-10-2002, 07:16 PM
Here's an okay list of most IP port numbers, if not all. Can't remember where I got it, but here it is...

gnu-ehacks
01-10-2002, 08:03 PM
Hmm...I'd suggest finding a way to get a proxy...It may not keep the best hacker out, but for some script kiddie like that guy sounded like, it'll keep him out.

Betazep
01-10-2002, 08:14 PM
Yeah... use A4Proxy. It is a good program and they have a lot of proxy servers that you can use. This way it will look like you are coming from somewhere else and

quote...

for some script kiddie like that guy sounded like, it'll keep him out


:D

novacain
01-11-2002, 12:50 AM
Did your ZoneAlarm log his IP?

Very hard to spoof IPs unless running XP, UNIX etc. (Need raw sockets)

In Win2000 can do it but need additional drivers / code.

I would be searching for trojans. (as I would have sent one in)
Try a search for files with *.dil. (Sub7 installs a .dIl (note capital i) and can be sent in thru a zombie or evil bot)

iain
01-11-2002, 10:01 AM
He was running Unix. After I reconnected I found his ID and asked him how he did it. He ran an IP grabber from nix to find me. How he picked me from the chat room and got my IP - he wouldn't say.

Betazep
01-11-2002, 11:57 AM
>>>Don't underestimate the insecurity of NetBIOS!!!


NetBIOS is insecure, but both Zone Alarm and Black Ice monitor and close the Net* ports (137,139, etc). A scan internal to the system will show them as open... but from the outside they are closed.

The obvious connection here is that he was on a chat room that opens ports and requests access to do so from the software firewall.

Once you grant access, those ports are exploitable.

Else... as someone suggested, he has a trojan.

(Could it be other things... sure... can't it always, but don't throw the guy off with these hackers demystified comments.)

I suggest you update your system software and be careful who you talk to in chats...

Betazep
01-11-2002, 02:48 PM
>>>You shouldn't trust a desktop firewall blindly.


Agreed... you shouldn't trust anything blindly.



(God, this is the same old discussion... someone whose friend's friend's dog is a computer hacker that knows how to defeat a software firewall by deleting internal dll files or whatever).



Chat programs are the number one exploit on the net. Why do you think that is?

r0gu3
01-11-2002, 03:18 PM
If you scan using port 79 I believe ZoneAlarm will accept the traffic as local. As for BlackICE and ZoneAlarm, they are easy to remotely take down...

A better choice of firewall would be Tiny Personal Firewall or NeoWatch... As for NetBIOS, it is extremely insecure even with a firewall running... and password protecting might keep the script kiddies out, but there is a recently released exploit that will overflow the password protocol and allow you access as if there was no password...

r0gu3
01-11-2002, 03:31 PM
"don't know how it works exactly, but if you know Windows and its shell well, you can read + write from any Windows computer hdd that runs NetBIOS in default configuration."

a trained monkey could do this... it is not hard at all...

Also, on another note, having port 139 active does not necessarily make you vulnerable, as most cable and some ADSL, DSL companies require port 139 in order for NetBIOS identification... you are only vulnerable if you have shared drives or a shared printer...

dirkduck
01-11-2002, 09:27 PM
Port 139 is about the easiest port to get through, heck, I can get through that port ;). You need to close it off if you're not on a network. Go to Start > Settings > Control Panel > Network > File and Printer Sharing > uncheck both the boxes. That will close off the port and you're good to go!