-
November 5th, 2000, 10:28 PM
#1
Firewall help needed desperately!!!!!!!!
Ok, here is the deal. I got home and had a nasty message on my answering machine. Apparently I had spent the entire weekend trying to hack into somebody's computer. That would have been fine if I had been home or even knew how to hack. I am not sure if my computer had been compromised. I don't know how to tell. I am not sure how I got targeted or how the address was traced to me. I am running ZoneAlarm (newest version) that does not say I was hit but I have to run it at medium security to use ICQ and Outlook and I think that is what left me open.
Questions:
1. How do I keep this from happening?
2. If someone used my address what can I do, cable company won't release my address?
3. How do I find out if and when they were in my machine?
4. How can I get around Outlook and ICQ not working?
Thanks in advance!!
------------------
You spend your whole life believing that you're on the right track,
only to discover that you're on the wrong train.
-
November 6th, 2000, 12:11 AM
#2
And just who traced your phone number to leave that nasty message? Perhaps this 'victim' is a better hacker than you?
-
November 6th, 2000, 12:11 AM
#3
Heh. I'm betting notepad is accessing the internet all the time.....
1) Don't run ZA in medium security - custom set each program. Always use high on the internet security setting, otherwise you are just wasting cycles.
2) Scan, scan, scan. You probably have a virus (probably QAZ) that is running as a backdoor. As for tracing the IP, it is very simple to run a trace route and find out where (and with patience who) you are.
3) Look in task manager, and close everything save ZA, Systray and explorer. Watch what tries to auto-reopen. That will give you a clue as to where to start on what is infected.
4) If you don't have a virus / trojan, someone found that you were online with low security and spoofed your addy. Unless you have static, release and renew!
------------------
Time is a great teacher,
but unfortunately it kills all its pupils.
[This message has been edited by Student^2 (edited November 06, 2000).]
"Most people would sooner die than think; in fact, they do so. "
- Bertrand Russell (1872-1970)
-
November 6th, 2000, 10:00 AM
#4
Originally posted by sowulo:
And just who traced your phone number to leave that nasty message? Perhaps this 'victim' is a better hacker than you?
I must be the better hacker because I was not even home!! My computer must have spontaneously hacked. Must be that AI program I have been messing with!!
------------------
You spend your whole life believing that you're on the right track,
only to discover that you're on the wrong train.
-
November 6th, 2000, 10:15 AM
#5
Originally posted by Student^2:
Heh. I'm betting notepad is accessing the internet all the time.....
1) Don't run ZA in medium security - custom set each program. Always use high on the internet security setting, otherwise you are just wasting cycles.
2) Scan, scan, scan. You probably have a virus (probably QAZ) that is running as a backdoor. As for tracing the IP, it is very simple to run a trace route and find out where (and with patience who) you are.
3) Look in task manager, and close everything save ZA, Systray and explorer. Watch what tries to auto-reopen. That will give you a clue as to where to start on what is infected.
4) If you don't have a virus / trojan, someone found that you were online with low security and spoofed your addy. Unless you have static, release and renew!
Thanks
1. I have since moved security to high which is leaving me out of things on the web...ie Windrivers chat room and the ICQ problem is not that bad. Any help in getting Outlook express around the firewall would be appreciated.
2. I do regular scans but I will try another virus scanner. That is something that totally slipped my mind.
3. I have looked into this. I am also wondering what I can do to make ZA load first. If this makes a difference. I actually do not have much in my startup folder. Anti virus, mouse program, soundcard program that I can't get rid of then ZA.
4. I have heard of spoofing. My address according to AT&T is not static but I can't get it renewed. I release it and unplug the cable modem and restart everything and I get the same address. AT&T told me to buy a new NIC because they think that a new MAC address will give me a new IP. I guess this is the next step although I think it is not necessary if I do not have a static address like they claim.
Thanks again...any more suggestions are welcome!!
------------------
You spend your whole life believing that you're on the right track,
only to discover that you're on the wrong train.
-
November 6th, 2000, 03:12 PM
#6
Before you go buy a new network card. Try setting yourself to a static IP address. Anyone will do, it doesn't have to be really valid. Reboot. Reset your comp to DHCP and then reboot again. See if you have a new IP. IF your comp has some sort of "zombie" prog installed, changing your IP won't do squat, you'll still be zombified when you have a new IP. As far as tracing your IP to a specific person... That sounds pretty difficult to me... You could find comp name, etc, but unless you are using your real name as comp names, domain names, etc, I don't see how. My main route would be to find out who left the message, and see what they mean by hacked. Do they mean port scanning, zombie attack, DOS attack, virus attack. Remember, most idiots out there don't know what "hack" means. To your average lay person, "hack" just means something bad. So, you could have an internet worm sending viruses from your email, which is easily traceable back to you and your name. Someone getting your name off of your IP is very unlikely unless they got a court order to have your ISP release address records in an ongoing investigation of you. Which sounds unlikely (unless you were the one that hacked MS?) Or it could be a prank.
------------------
What's this button d--
Do one thing everyday that scares you.
Do two things everyday that scare the bejesus out of someone else.
-
November 6th, 2000, 03:13 PM
#7
'Nother important questi. Was your computer on all weekend?
------------------
What's this button d--
-
November 7th, 2000, 12:10 AM
#8
Originally posted by Revenant:
Before you go buy a new network card. Try setting yourself to a static IP address. Anyone will do, it doesn't have to be really valid. Reboot. Reset your comp to DHCP and then reboot again. See if you have a new IP. IF your comp has some sort of "zombie" prog installed, changing your IP won't do squat, you'll still be zombified when you have a new IP. As far as tracing your IP to a specific person... That sounds pretty difficult to me... You could find comp name, etc, but unless you are using your real name as comp names, domain names, etc, I don't see how. My main route would be to find out who left the message, and see what they mean by hacked. Do they mean port scanning, zombie attack, DOS attack, virus attack. Remember, most idiots out there don't know what "hack" means. To your average lay person, "hack" just means something bad. So, you could have an internet worm sending viruses from your email, which is easily traceable back to you and your name. Someone getting your name off of your IP is very unlikely unless they got a court order to have your ISP release address records in an ongoing investigation of you. Which sounds unlikely (unless you were the one that hacked MS?) Or it could be a prank.
I have done the setting the IP address which reverts back to the old address. The card is already running DHCP which is what AT&T wants. I don’t think there is a program giving me the IP address because I have almost nothing loading at startup and nothing in the registry pointing to one. (Besides I would not let them load anything on my machine.) I think I know how they got my phone number. I am running a personal web server program to test my web pages with. It is possible they got my phone number off an ad page that I created. It is on a shared hard drive on my server.
I have loaded a new AV and it found nothing so I am thinking it is possible that it is not a virus or worm. Besides I would think that Zone Alarm might tell me there is a program accessing the web. I am not too concerned any more because I moved all sensitive data to another machine. I also have cranked up Zone Alarm. If someone is using a spoofer they should not be able to trace my address.
By the way my machine was on all weekend but it was locked down. Since I cannot get a new address it is possible this problem occurred awhile ago. I have a new network card to try now so hopefully I can get this resolved. I just think it is wrong that my address is not static and yet I cannot change it
Sorry if this rambles, but it is late and I have been dealing with this for a while.
------------------
You spend your whole life believing that you're on the right track,
only to discover that you're on the wrong train.
-
November 7th, 2000, 03:53 PM
#9
It is not that you cannot change your IP address - rather the DHCP server assigns your MAC address a specific IP address from its table; when you release and renew, it consults its table and issues you the same address again. Shut the machine down for a while and try again - the MAC address should only be held for a certain period of inactivity.
-
November 7th, 2000, 08:25 PM
#10
The only thing I would think is that a friend or some drunk *** was leaving me a prank message on the answering machine especially since River Falls is a college town. I don't think that someone with the knowledge to find out who you are would leave a message on your answering machine either.
-
November 7th, 2000, 10:10 PM
#11
Thanks cyberhh, I have tried that but perhaps it was not long enough. I will try it again tonight.
Kenteth420, you know it, college and bars...what a town!!! I thought it might be a prank and it may well be...I wish I still had my caller ID.
Thanks folks
------------------
You spend your whole life believing that you're on the right track,
only to discover that you're on the wrong train.
-
November 8th, 2000, 01:03 AM
#12
Just a thought. 2 yrs ago I discovered I had NETBUS. Was getting pop up messages. Ran virus scan nothing found, called ISP worked with manager and found a code called NETBUST. What it did was capture their ip and carrier (ISP) address when they slipped through the back door. What NETBUS does is there is a client and a server module. Say I send the server module to you in an email. I've not found a virus scan to detect NETBUS yet! I am on line with my client module running, you're online and netbus broadcasting your ip address whether it is static or not. Just a thought. I still have the NETBUSTER module somewhere but I do have it though. It was the only thing that told me I had NETBUS.
-
November 8th, 2000, 02:46 AM
#13
just FYI
I work at the AT&T company, Larommi
The ip address is assigned as with a DHCP server now. When the server goes out and renews the ip address it will try to give the same ip address back to your computer, that is why you will have the same ip address. Now if we have to do renumbering on the node in your area then it will give you a different ip address at that time.
Now getting a new nic card you will have to call us and give us the mac address for the nic, but when all said and done you will have a new ip address for the new nic card.
[This message has been edited by darkman (edited November 08, 2000).]
When all else fails jiggle the cable and reboot.
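The lease behaviour described in posts #9 and #13, as an added example that is not part of the original thread: a toy model of a DHCP-style address table keyed by MAC address, showing why release and renew returns the same address, why a new NIC gets a different one, and why the old address is only lost after a period of inactivity. The class, the one-hour hold period, the address pool and the MAC addresses are all assumptions made for illustration; real DHCP servers separate lease time from how long they remember a client.

```python
import ipaddress

class LeaseServer:
    """Toy DHCP-style allocator (simplified model, not a real DHCP server)."""

    def __init__(self, pool_cidr, hold_seconds):
        self.pool = [str(h) for h in ipaddress.ip_network(pool_cidr).hosts()]
        self.hold_seconds = hold_seconds  # how long an idle MAC keeps its entry
        self.table = {}                   # mac -> (ip, last_seen)

    def _expire(self, now):
        # Forget MACs that have been silent longer than the hold period.
        for mac, (_, seen) in list(self.table.items()):
            if now - seen > self.hold_seconds:
                del self.table[mac]

    def request(self, mac, now):
        self._expire(now)
        if mac in self.table:             # known MAC: hand back the same address
            ip = self.table[mac][0]
        else:                             # unknown MAC: first address not in the table
            taken = {ip for ip, _ in self.table.values()}
            ip = next(a for a in self.pool if a not in taken)
        self.table[mac] = (ip, now)
        return ip

    def release(self, mac, now):
        # Assumption: a release does not erase the entry, it only stops refreshing it.
        if mac in self.table:
            self.table[mac] = (self.table[mac][0], now)

def walk_through():
    # Constructed sample values: documentation address range and MACs.
    srv = LeaseServer("192.0.2.0/29", hold_seconds=3600)
    old_nic, new_nic, neighbour = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
    out = {"first": srv.request(old_nic, now=0)}
    srv.release(old_nic, now=60)
    out["release_renew"] = srv.request(old_nic, now=120)     # same address again
    out["new_nic"] = srv.request(new_nic, now=180)           # different MAC, different address
    out["neighbour"] = srv.request(neighbour, now=3721)      # old NIC idle past the hold period
    out["old_nic_returns"] = srv.request(old_nic, now=3730)  # its old address is gone
    return out

if __name__ == "__main__":
    for step, ip in walk_through().items():
        print(f"{step:16} {ip}")
```

In this model the address only changes once the old MAC's entry has aged out and another client has taken the freed address, which matches the advice in the thread to leave the machine off for a while before trying again.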