Computer being hacked? Need help.

Yohhan

Senior member
May 17, 2002
I think someone is trying to connect to my computer...
I use ZoneAlarm, and I got this message today:

"Do you want to accept connections from the internet?

Technical Information:
Source IP: 66.75.160.42: DNS"

It said the source was asking for server rights. Shortly after I received a similar warning from my firewall, saying this same IP was trying to connect via ICMP or something similar.

Is someone trying to hack my computer? What can I do? I'm behind a router firewall, and a software firewall in ZoneAlarm. I thought the router's firewall made me "invisible" to port scanning. My friend told me there's a "buffer overflow exploit" that makes WinXP vulnerable to malicious code, which makes me worried about hackers. Is there anything I can do to stop this? Would appreciate any help.

Also, on a side note... if you have any suggested reading (online) about ICMP, and how people do this, I'd appreciate it. I'd like to be a little more informed on the subject.

Thanks.
 

Yohhan

Senior member
May 17, 2002
Here's what it gave me:

Tracing route to orngca-dns02-eri1.socal.rr.com [66.75.160.42]
over a maximum of 30 hops:

1 20 ms 14 ms 13 ms 10.40.64.1
2 9 ms 13 ms 11 ms POS4-0-0.CNPKCA2-RTR1.socal.rr.com [24.24.192.102]
3 11 ms 35 ms 59 ms SRP5-0.CHSWCA1-GSR2.socal.rr.com [24.24.192.189]
4 20 ms 16 ms 12 ms POS0-1.ORNGCA4-GSR1.socal.rr.com [24.24.192.6]
5 15 ms 11 ms 15 ms orngca-dns02-eri1.socal.rr.com [66.75.160.42]

Trace complete.
 

r0ck

Senior member
Oct 12, 2001
Search your system for files like "server.exe", "cmd32.exe", "mirc32.exe", "mirc.exe" and try looking into c:/windows/system32/ to see if you can find anything that's not supposed to be there. Look into folders like "inetserv", "vmn32".

Oh, and let your firewall run the program and see if you can spot what program it's running. If you are able to find that, use a hex editor to find where it's going.
 

WhoDeeny

Senior member
Nov 9, 2001
Are you in SoCal? That's a Time Warner (Road Runner) DNS server in Southern California. I'd report illegal use of services to TMW and give them that IP address, but first call their tech support and notify them of what you've found, unless you're not in SoCal. That would mean then that someone in SoCal is dicking with your sh!t...
 

WhoDeeny

Senior member
Nov 9, 2001
Ok, just one question, r0ck: How do you know with any certainty that this DoS attack has anything to do with this man's problem? Albeit possible, you're still making a huge jump to a rather general conclusion. This could be prompted by a virus on his PC attempting to make contact with a host PC, or it could be an actual user trying to gain access. Simply because it's on a Road Runner account doesn't mean squat. But that does bring up a good point, Yohhan. If you haven't already run a virus check on your PC, you should, and you need to make certain that you either boot clean from a virus-free antivirus boot disk or use a web tool to check your PC for a virus.
 

Yohhan

Senior member
May 17, 2002
No, not running a DNS.

Where can I find a web tool that can check for a virus? I used to have McAfee, but I got rid of it. Didn't feel as if it was doing anything.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Yohhan
No, not running a DNS.

Where can I find a web tool that can check for a virus? I used to have McAfee, but I got rid of it. Didn't feel as if it was doing anything.

AVG is free and McAfee has an online scanner (I think).

This is why I think you should have to pass a test before you get on the net. :p

Is it ICMP or UDP? UDP would be the proper DNS protocol (although I heard Windows may use TCP (for all requests), which is dumb, anyone provide confirmation?). Are you on Time Warner? If so, you probably get this when you try to bring up a page or do other DNS lookups. What is your ip address (leave off the last octet)? Who is your ISP?

ICMP doesn't "connect", so that's a bad error, if that's what it said. Also, I'm not sure what the server rights thing is, but a better quote would be greatly appreciated (exact message with the program name of what is trying to be a server or whatever).
 

Yohhan

Senior member
May 17, 2002
Noc:
I'm with Time Warner Road Runner in SoCal. My IP address is 66.27.183.*
The reason I took McAfee off was that I seemed to get viruses anyway, even with it (I kept it updated). After I installed ZoneAlarm, I didn't have any more problems. I don't have the exact messages, but I'll repost them the next time the warning pops up. It's always the same IP that sets off my firewall. Could it be my ISP?

Where can I get AVG? Download.com?
 

n0cmonkey

Elite Member
Jun 10, 2001
AVG rocks, by the way (it's free :D)

Both of the IPs are owned by RR. Chances are it's your DNS server. Go to a cmd.exe prompt (win2k/xp/NT) or command.com (DOS aka win9x) prompt and type "ipconfig /all" and look for the IP address that is causing alarms. It will probably show up under DNS servers.
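
The check described in the post above, as an added example that is not part of the original thread: it reads "ipconfig /all" output, collects the addresses listed under DNS Servers, and compares a firewall alert's source against them. The function names, the adapter details, the second DNS address and the alert's protocol and port are assumptions made for illustration; only 66.75.160.42 comes from the thread.

```python
import ipaddress

# Constructed sample of `ipconfig /all` output. Only 66.75.160.42 is from the
# thread; every other value is made up (192.0.2.53 is a documentation address).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Ethernet Adapter
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 66.75.160.42
                                            192.0.2.53
        Lease Obtained. . . . . . . . . . : (constructed)
"""

def dns_servers(ipconfig_text):
    """Return the addresses listed under 'DNS Servers' in `ipconfig /all` output."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        label, sep, value = line.partition(" : ")
        if sep:   # a "Label . . . : value" line starts a new field
            in_dns = label.strip().startswith("DNS Servers")
            candidate = value.strip()
        else:     # additional servers appear alone on continuation lines
            candidate = line.strip()
        if in_dns and candidate:
            try:
                servers.append(str(ipaddress.ip_address(candidate)))
            except ValueError:
                in_dns = False  # not an address, so the DNS field has ended
    return servers

def assess_alert(source_ip, protocol, source_port, ipconfig_text):
    """Classify a firewall alert by comparing it with the configured resolvers."""
    src = str(ipaddress.ip_address(source_ip))
    if src not in dns_servers(ipconfig_text):
        return "not a configured DNS server: investigate further"
    # DNS replies come back from port 53 (assumed alert fields, not from the thread).
    if protocol.upper() in ("UDP", "TCP") and source_port == 53:
        return "configured DNS server answering from port 53: expected reply traffic"
    return "configured DNS server, but not DNS reply traffic: check what it is"

if __name__ == "__main__":
    print(dns_servers(SAMPLE_IPCONFIG))
    print(assess_alert("66.75.160.42", "UDP", 53, SAMPLE_IPCONFIG))
```

On a live Windows machine the text would come from running "ipconfig /all" and passing its output to dns_servers() in place of the constructed sample.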
 

Tiger

Platinum Member
Oct 9, 1999
And get some virus software.
Norton '02 checks both incoming and outgoing mail.
You're just begging for it running Windows without a cyber rubber.
 

Yohhan

Senior member
May 17, 2002
Yeah, it's my DNS server. Don't I feel like an idiot:) Flying into a panic over my firewall. Thanks for the help everyone.

On my way over to get AVG now...
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Yohhan
Yeah, it's my DNS server. Don't I feel like an idiot:) Flying into a panic over my firewall. Thanks for the help everyone.

On my way over to get AVG now...

Don't feel like a total idiot. Now you know a little more about how to check your setup to see if this really is a problem, or just one of those things. :)