Help!!! i just got hacked!!!!

breaka504

Member
Jun 8, 2001
42
0
0
ok... i just went to change my security in xp from simple to advanced (disabled the private folder crap) and i found out that about 10 of my files in my G drive had a new user name ...(S-1-5-21-1085031214-1078145449-1708537768-1003)... apparently, the hacker took ownership of my files and when i tried to delete the user name, it told me that it was inheriting permissions.... now... i would like to know what should i do... i already have reverted my file permissions back...and i want to know how they hacked me and what should i do to prevent them... i don't have firewall or virus protection yet... but this will make me go get a copy ... also... can i use neotrace to track down this bitch? does it help if i get his ip number and hack his comp back? ( i used to play around w/ hacking so i know a little bit...hehe...) so what should i do now?? any advice is welcome!!
 

Vaelon

Junior Member
Mar 13, 2002
17
0
0
uhmm, if you knew something about hacking then I guess you would know that you would need an IP........but then again, I think you're a TOOL so it doesn't matter really......btw, no 'hacker' is going to waste his time with a home user....it's pointless.
 

breaka504

yeah... that's what i thought.. no hacker is gonna mess w/ a home user ... yeah...true...if the person is a very good hacker... now...if the person is just starting out... then that be a different story...cuz these ppl are just learning the ropes... and it gives them something to do... let them think that they themselves are good... see i know this cuz i was like that back then... hehe...
 

Vaelon

Giving people Trojans like Back Orifice and Sub Seven is NOT hacking, it's being mischievous.
 

Vaelon

nobody said it was OK, I'm just trying to explain the difference. Besides, what he's explaining doesn't seem to be an intrusion of any sort. IMO.
Besides, nobody 'puts' those things on your computer. You have to RUN them. Execute them, etc.
 

DaiShan

Diamond Member
Jul 5, 2001
9,617
1
0
I was going to post a reply here, but since this thread is laden with illegal activities, and flames I won't waste my time.
 

Mem

Lifer
Apr 23, 2000
21,476
13
81


<< i don't have firewall or virus protection yet... but this will make me go get a copy . >>



WinXP has a built-in firewall; however, if you want a good free one try ZoneAlarm. For a good free anti-virus program download AVG from here.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<< Giving people Trojans like Back Orifice and Sub Seven is NOT hacking, it's being mischievous. >>



They are all script kiddiots so who gives a damn?

Anyone running a virus prone, less than secure operating system should be using anti-virus and firewall programs at minimum. If you don't have these installed before connecting to the net you better know what you are doing or you are a total moron.

Best advice? Backup, format, reinstall, restore, install anti-virus and firewall, patch, keep up to date, don't be a moron.

:)
 

breaka504



<< nobody said it was OK, I'm just trying to explain the difference. Besides, what he's explaining doesn't seem to be an intrusion of any sort. IMO.
Besides, nobody 'puts' those things on your computer. You have to RUN them. Execute them, etc.
>>



I really think that this is not a trojan or virus or exe file crap... because this person started at my g: drive and started to add a new user name w/ the first file and went onto the 7th file... now i admit that i let my computer run for hours on end w/ a dial up modem... and this is probably why the person got the time to do this... my suspicion is that the person some how logged into my computer as the administrator, changed the owner of the files to his user name which is "S-1-5-21-1085031214-1078145449-1708537768-1003"... now if this wasn't a hacker... y would there be such a long user name and also remember that unless you disable the simple private folder crap in xp, you won't be able to know about this since the user name doesn't show in the control panel or the administration tools... what i did now is changed all the folders to just let the system and my user name to access the files on my computer and nothing else... i hope this works tho... any body see some thing that would go wrong with this?

also...I just downloaded the firewall, the zonealarm one and it keeps giving me this message...

Generic Host Process for Win32 Services could not accept a(n) UDP Port 0 connection from 64.158.94.89 because Internet servers are blocked.

now i got this message for about over 500 times in the 30 min. that i started to block internet servers... and the ip address keeps on changing too... so is this a problem that i should be aware of ??? or is this a normal windows xp .exe??

thanks for everyone's help...
 

n0cmonkey

Are you sure this wasn't the system restore thingy? I thought it used a username like that... Anyhow, port 0 shouldn't really do much.
 

Vaelon

I've also had usernames like that. It's not uncommon really. Somehow windows 2k and XP 'generate' a username like that. Please don't ask me how, I do not know. But I have had a type of username pop up on several occasions. Don't be so paranoid, you're on dialup ;)
 

breaka504



<< Are you sure this wasn't the system restore thingy? I thought it used a username like that... Anyhow, port 0 shouldn't really do much. >>



can you explain this to me?? I never heard of this... the only real thing that bothered me is that the owner of the files changed... and the files that had the user name were only in g drive and nowhere else... also ... i never had used the system restore thing...I only reinstalled windows about a month or two ago when a system file went corrupt after oc'ing too much...
 

n0cmonkey



<<

<< Are you sure this wasn't the system restore thingy? I thought it used a username like that... Anyhow, port 0 shouldn't really do much. >>



can you explain this to me?? I never heard of this... the only real thing that bothered me is that the owner of the files changed... and the files that had the user name were only in g drive and nowhere else... also ... i never had used the system restore thing...I only reinstalled windows about a month or two ago when a system file went corrupt after oc'ing too much...
>>



I don't do Windows so I can't explain it better. Do a search on system restore and look at the Microsoft site for more information.
 

DaiShan

n0cmonkey, do you think it is possible that he is blocking all internet servers (including web hosts) and this is why he gets this error when his computer tries to access websites? I'm not too up on my firewalls. :( breaka504 what security level do you have on that zonealarm? what do you have it set to block?
 

n0cmonkey



<< n0cmonkey, do you think it is possible that he is blocking all internet servers (including web hosts) and this is why he gets this error when his computer tries to access websites? I'm not too up on my firewalls. :( breaka504 what security level do you have on that zonealarm? what do you have it set to block? >>



The log he posted was for port 0 UDP. So that wouldn't block his web page surfing. I don't remember him saying that he can't browse. And I'm not up on my zonealarm-log-fu, but it sounds like it won't let him run a server on his system instead of blocking the servers out there on the net.
 

DaiShan

n0cmonkey, what does udp port 0 normally correspond with? could it be information from his isp maybe? if the security level was set too high?
 

breaka504

right now... i am surfin' the web ok... no problem at all... also it seems like my maya 4.02 which requires local server for license file is also working alright... the problem is that i just don't know why i am getting all these open ports (netstat -an) and these udp port 0 messages... right now if i do netstat -an, i would have 17 tcp listening ports, 3 tcp established ports, 1 tcp close wait port, and 23 udp ports that have the little star thingy by them... (don't know what it means...)but anyway this seems to be a lot of ports opened at one time!
 

Mem

System restore will roll your PC back a few days or weeks depending on the date you choose. It's good for fixing harmful changes to your PC since in theory you can go back to before the problem occurred. It's in control panel, then performance and maintenance section, then you will see it in the top left corner. You need to have it activated in the first place to take advantage of restoring your PC to an earlier time.

I've tried it a few times and it works ok for me.

As for ZoneAlarm well I'm not too hot on networking problems but did you disable the built-in WinXP one?
 

n0cmonkey



<< n0cmonkey, what does udp port 0 normally correspond with? could it be information from his isp maybe? if the security level was set too high? >>



Port 0 doesn't do anything if I remember correctly, but I'll try to look it up. Port 0 is a fun port to use when port scanning someone else... But it's complicated and not worth going into here.



<< right now... i am surfin' the web ok... no problem at all... also it seems like my maya 4.02 which requires local server for license file is also working alright... the problem is that i just don't know why i am getting all these open ports (netstat -an) and these udp port 0 messages... right now if i do netstat -an, i would have 17 tcp listening ports, 3 tcp established ports, 1 tcp close wait port, and 23 udp ports that have the little star thingy by them... (don't know what it means...)but anyway this seems to be a lot of ports opened at one time!
>>



Do a shields up test at grc.com to see what ports are open. If most of those ports are >1024 it's probably your applications opening them. But still do the scan.

 

Mark R

Diamond Member
Oct 9, 1999
8,513
16
81
A user name like "S-1-5-21-1085031214-1078145449-1708537768-1003" actually means that the user name is unknown, your computer doesn't have a user name to go with the user's serial number, and so it just displays the serial number.

There are innocent ways in which this could happen - e.g. the files could have been left over from a previous installation of windows nt/2k/xp (after a reinstall, the user database is lost, but the files retain their ownership data), or you had a user profile on the computer, which was subsequently deleted.
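
The explanation above can be checked on the machine itself. The following PowerShell is an added example, not part of the original thread: it lists files whose owner SID no longer maps to an account and reports whether the machine part of that SID matches the current installation. The default path `G:\` is the drive mentioned in the thread, and `Get-LocalUser` assumes Windows PowerShell 5.1 or later.

```powershell
# Added example: find files owned by a SID that no longer resolves to an account.
param(
    [string]$Root = 'G:\'   # drive from the thread; change as needed
)

# Machine part (S-1-5-21-x-y-z) shared by all local accounts of this installation.
$localDomainSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid

Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    $item = $_
    try {
        # Ask for the owner as a raw SID rather than a translated name.
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        $sid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    } catch {
        return   # ACL not readable; skip this item
    }
    if ($null -eq $sid) { return }

    try {
        # Succeeds when the SID still maps to a user or group name.
        $null = $sid.Translate([System.Security.Principal.NTAccount])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # No account behind the SID: this is what Explorer shows as "S-1-5-21-...".
        $origin = if ($null -eq $sid.AccountDomainSid) {
            'not an account SID'
        } elseif ($sid.AccountDomainSid.Equals($localDomainSid)) {
            'this installation (account since deleted)'
        } else {
            'another installation or domain'
        }
        [pscustomobject]@{
            Path     = $item.FullName
            OwnerSid = $sid.Value
            Origin   = $origin
        }
    }
}
```

An `Origin` of "another installation or domain" is consistent with files left over from before a reinstall; "this installation" points to a local account or profile that was later deleted.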
 

breaka504



<< A user name like "S-1-5-21-1085031214-1078145449-1708537768-1003" actually means that the user name is unknown, your computer doesn't have a user name to go with the user's serial number, and so it just displays the serial number.

There are innocent ways in which this could happen - e.g. the files could have been left over from a previous installation of windows nt/2k/xp (after a reinstall, the user database is lost, but the files retain their ownership data), or you had a user profile on the computer, which was subsequently deleted.
>>



thanks a lot ... that's very comforting to know this!
 

dude

Diamond Member
Oct 16, 1999
3,192
0
71
Also, because you're on dialup, a person wouldn't really want to go into your computer to mess with it. It's a pretty slow process. They would also most likely not probe any IPs from a known dial-up range.