Have I been Hacked???

emonkey

Golden Member
Dec 2, 1999
1,277
0
0
Hopefully someone out there can give me a clue on what's going on. I have 2 computers on a SMC DSL Router. I was shutting down and it gave me that message you get when someone is using files on your system. "shutting down will disconnect \\Computer Name" or whatever. Anyway, I just shut down and it said that message with a computer name I know isn't local. What's going on?

I checked my system on shields up a day ago and everything seems fine with the router blocking everything. Anyone have a clue on what happened? I'm really worried about being online or leaving my computer on now...
 

67gt500

Banned
Jun 17, 2001
412
0
0
One case is that your ISP is blocking the NetBIOS ports on their external interfaces but not internally. So it could very well be a user within your own ISP network that is accessing your insecure shares.

Firewall is the only solution.
 

Journeyman

Senior member
Apr 13, 2001
354
0
0
Not to mention disabling NetBIOS and (preferably) using NetBEUI for your File/Print sharing services... That should certainly take care of your problem...

But do download ZoneAlarm, anyway. It's free!
 

emonkey

Golden Member
Dec 2, 1999
1,277
0
0
So my firewall built into the router isn't good enough? I'm going to disable NetBIOS and set up NetBEUI. Hope it works. I just am curious how long someone was actually in my system. I share all drives because I access my desktop from the laptop (local network) a lot.
 

Journeyman

Senior member
Apr 13, 2001
354
0
0
A hardware firewall generally offers good protection, but it never hurts to have a backup.

NetBEUI is a non-routable protocol so is able to be used on your LAN through the switch part of your router, but is unable to go outside through your router. Should work great - just bind it to your File/Print Sharing, Client for MS Networks, and MS Family Login, then unbind TCP/IP from all three. Keep your NICs bound to both.

Just out of curiosity, you did change the default workgroup name on your computers, right? If not, you should (although it shouldn't really matter once you've installed NetBEUI). I'd also make the recommendation that you only share what you need to and nothing more - you probably don't really need your Windows directory and things like that shared... Rather than sharing the whole drive, share the directories/trees that you're going to need.

And naturally, if you haven't already, it's probably a good idea to update your virus definitions and do a scan.
 

Russ

Lifer
Oct 9, 1999
21,093
3
0


<< Not to mention disabling NetBIOS and (preferably) using NetBEUI >>



Huh?

emonkey,

Do you use Napster or any similar file sharing programs? Online gaming?

Russ, NCNE
 

Journeyman

Senior member
Apr 13, 2001
354
0
0
Russ:

Sorry - I suppose that may have been a little unclear. Ran two thoughts together, as it were. Obviously NetBIOS and NetBEUI are unrelated. Should've used two sentences:

Unless you have a specific need for NetBIOS, disable it so there's no chance of it being exploited. Additionally, installing NetBEUI for small home networks is preferable to using TCP/IP for File/Print sharing.

Apologies.
 

Russ

Lifer
Oct 9, 1999
21,093
3
0
Journeyman,

Exactly how would you disable NetBIOS? Where do you find it on a modern Windows system? I'll give you a hint. NetBEUI is NetBIOS Extended User Interface.

Russ, NCNE
 

Russ

Lifer
Oct 9, 1999
21,093
3
0
Which is the same as un-binding TCP/IP from file and print sharing, which you said in a subsequent post.

Right now he's probably scratching his head looking for the word "NetBIOS" in his network settings and wondering why it isn't there. I'm just trying to make sure he doesn't get too confused here.

Russ, NCNE
 

67gt500

Banned
Jun 17, 2001
412
0
0
Exactly how would you disable NetBIOS? Where do you find it on a modern Windows system? I'll give you a hint. NetBEUI is NetBIOS Extended User Interface.


Right.. as you said earlier unattaching file/print from tcp/ip is essentially the same thing. But, with netbios still attached to tcp/ip others your network names and shares available are still viewable, just not accessible. Unless I am mistaken.

 

Journeyman

Senior member
Apr 13, 2001
354
0
0
If I've generated any confusion, I apologize. And Russ, please understand my intent here is not to argue with you, but to learn - it's understood that there are few people around here who know more about these things than you.

That said, in Win98 (and presumably ME), TCP/IP Properties has a NetBIOS tab, in which there is a checkbox which says "I want to enable NetBIOS over TCP/IP". This is separate from the Bindings settings... The fact that these are separate suggests to me that having NetBIOS over TCP/IP enabled allows more than just File/Print sharing (which can be unbound separately). Is this not the case?

And either way, it couldn't hurt to disable the same thing in more than one place, could it?
 

Russ

Lifer
Oct 9, 1999
21,093
3
0
67gt500,

No, if you unbind TCP/IP from file and print sharing, your shares would NOT be viewable from outside your own physical segment. A top-notch hacker could still get in, but port scanners and script kiddies won't see anything.

Russ, NCNE


 

67gt500

Banned
Jun 17, 2001
412
0
0
No, if you unbind TCP/IP from file and print sharing, your shares would NOT be viewable from outside your own physical segment. A top-notch hacker could still get in, but port scanners and script kiddies won't see anything.

It's been a while since I tested the scenarios with netbios on win98 in a lab environment so this may be the case until I can test it again.


What I'm certainly confused on is your comment above tying online gaming and napster sharing services to netbios.

These services operate on their own ports.. data isn't sent over the netbios port. The only time I've found netbios required over tcp/ip is when I wanted to test accessing my local shares from afar..

If this is the case would you explain it to me? Netbios is certainly a requirement over a tcp/ip LAN for file sharing purposes.. but I fail to see how it is a requirement over a WAN.
 

67gt500

Banned
Jun 17, 2001
412
0
0
The fact that these are separate suggests to me that having NetBIOS over TCP/IP enabled allows more than just File/Print sharing (which can be unbound separately). Is this not the case?

I thought I remembered it being the case that if netbios over tcp/ip was still enabled then you were still communicating though sharing nothing because file/print was unbound. But as Russ pointed out shares may be unviewable if it is left enabled... although I'm not convinced on this yet nor am I convinced that your computer name/workgroup name are not shared. I have to test it again until I am certain.

...this is part of the reason I'm not entirely fond of MS networking.
 

Russ

Lifer
Oct 9, 1999
21,093
3
0


<< it's understood that there are few people around here who know more about these things than you. >>



Hell, I could fill up a thread listing the people in this forum that have forgotten more about networking than I'll ever know. :D

In Win98, you can't change the setting in the NetBIOS tab, the checkbox is greyed out. The setting doesn't exist in WinMe. If you want to completely remove it, you'd also unbind it from Client For Microsoft Networking or Windows Logon (whichever you're using).

But, that's really an unnecessary step.

Russ, NCNE
 

67gt500

Banned
Jun 17, 2001
412
0
0
In Win98, you can't change the setting in the NetBIOS tab, the checkbox is greyed out.

This isn't the case once all binds have been unbound. The box is no longer greyed out because netbios is no longer a necessity.
 

Russ

Lifer
Oct 9, 1999
21,093
3
0


<< What I'm certainly confused on is your comment above tying online gaming and napster sharing services to netbios. >>



It was not a comment "tying" them to anything. It was a question about whether or not he was using them. It occurred to me that if someone was downloading from him when he went to shut down, it might generate a message similar to what he got.



<< Netbios is certainly a requirement over a tcp/ip LAN for file sharing purposes.. but I fail to see how it is a requirement over a WAN. >>



Of course it's not a requirement. I never said it was.

Russ, NCNE
 

67gt500

Banned
Jun 17, 2001
412
0
0
It was not a comment "tying" them to anything. It was a question about whether or not he was using them. It occurred to me that if someone was downloading from him when he went to shut down, it might generate a message similar to what he got.

Ahh. ok. I've not seen a windows warning about computers being disconnected from your machine with the \\computername listed in any situation other than a local area network.
 

Russ

Lifer
Oct 9, 1999
21,093
3
0
67gt500,

I don't use Napster or any of the file sharing apps, and I rarely do any online gaming, so I honestly don't know how they connect. I was just tossing out a possibility for exploration purposes.

emonkey,

Are you SURE you didn't have another system connected to you on your local net? The more I think about it, the more I find it unlikely that someone from outside was able to connect through the NAT of your router.

Russ, NCNE
 

67gt500

Banned
Jun 17, 2001
412
0
0
Yeah, with the NAT running, unless he had bound 139 to his local machine I don't see how anything could have gotten through.

Who knows.. need more information I suppose.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
If there was some kind of program to proxy your netbios ports then you could indeed be hacked.

Generally a "god forbid you call them a firewall" NAT gateway (otherwise known as a Netgear or Linksys router) will prevent inbound connections to your machines with the default rule set just by addressing alone. BUT, if you have something else on your machine then one can bypass these NAT gateways.

Can you give a little more information about your machine and network, emonkey? Is this a home network with a few machines behind a SMC router [chuckle] or something more?

I don't know about you but if I received this message I'd be freaking out. From what I understand this message means some other computer was connected to your windows server service. Once somebody has connected to that then they can get free rein of your computer. It is very easy to hack windows systems over this port/service.
 

emonkey

Golden Member
Dec 2, 1999
1,277
0
0


<< Can you give a little more information about your machine and network, emonkey? Is this a home network with a few machines behind a SMC router [chuckle] or something more?

I don't know about you but if I received this message I'd be freaking out. From what I understand this message means some other computer was connected to your windows server service. Once somebody has connected to that then they can get free rein of your computer. It is very easy to hack windows systems over this port/service.
>>



3 Comps on SMC 4port DSL Router. Home network all with WinME, all drives shared (don't bother scolding me). I'm not sure what "something more" means but it's just a home network for me and my GF.

Well, here's what I found out. I had a friend trying to use video conferencing on my system but he couldn't do it. He said it's because of the router firewall so yesterday I checked and he said he enabled DMZ (?) on my comp to try to get it to work. I took out the setting enabling DMZ because someone said that is how they got in.

I ran shields up prior to disabling DMZ and port 139 (?) was seen as opened, but after disabling it shields up said it was stealth. Hope everything is better now... Thanks for the info everyone!
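
The question the thread keeps circling, whether the computer connected to the shares was on the local network or outside it, can be answered from `netstat -an` on the sharing machine. The following is an added example, not part of the original thread: it classifies established connections to the file-sharing ports by peer address. The sample output, the addresses in it, and the function names are constructed for illustration, and only IPv4 endpoints are handled.

```python
import ipaddress

# RFC 1918 private ranges plus loopback: peers in these are on the LAN side of the NAT.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB

# Constructed sample of `netstat -an` output (not taken from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.2.10:139       192.168.2.11:1045      ESTABLISHED
  TCP    192.168.2.10:139       203.0.113.77:3312      ESTABLISHED
  TCP    192.168.2.10:1210      198.51.100.5:80        ESTABLISHED
  UDP    192.168.2.10:137       *:*
"""

def split_endpoint(endpoint):
    """Split 'a.b.c.d:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)

def is_local(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in LOCAL_NETS)

def inbound_share_sessions(netstat_text):
    """Return (peer_ip, local_port, 'local' | 'external') for every established
    TCP connection that terminates on a local file-sharing port."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the header, UDP rows (no state column) and non-established sockets.
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        _, local_port = split_endpoint(fields[1])
        peer, _ = split_endpoint(fields[2])
        if local_port in SMB_PORTS:
            origin = "local" if is_local(peer) else "external"
            findings.append((peer, local_port, origin))
    return findings

if __name__ == "__main__":
    for peer, port, origin in inbound_share_sessions(SAMPLE):
        print(f"{peer} -> local port {port}: {origin}")
```

An "external" peer on port 139 is what a machine placed in the router's DMZ would show while someone outside is connected to its shares; outbound connections such as the web request in the sample are ignored because the local port is not a sharing port.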